Nasty infestation. No Anti Virus will run. (Inactive)



_nicademas
2009-08-07, 05:37
Hello!

I usually can take care of these myself, but this one is wicked. It lets me run any anti-virus software for a few moments, then shuts them down and changes the permissions, whereby I cannot access them thereafter. I can't run HiJackThis, or anything else. Same scenario in Safe Mode. Running Win XP.

I was able to run GMER for a while, and it detected something, but ultimately failed when checking the Windows directory. Attached is what it was able to gather before it failed. Please help... desperate here.

Thanks!

GMER 1.0.15.15011 [9gnv3ms9.exe] - http://www.gmer.net
Rootkit scan 2009-08-06 21:52:49
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\drivers\aba3d60a.sys ZwCreateEvent [0xF76517AD]
SSDT \SystemRoot\System32\drivers\aba3d60a.sys ZwCreateKey [0xF764F885]
SSDT spoz.sys ZwEnumerateKey [0xF72A5CA2]
SSDT spoz.sys ZwEnumerateValueKey [0xF72A6030]
SSDT \SystemRoot\System32\drivers\aba3d60a.sys ZwOpenKey [0xF764F945]
SSDT spoz.sys ZwQueryKey [0xF72A6108]
SSDT spoz.sys ZwQueryValueKey [0xF72A5F88]
SSDT spoz.sys ZwSetValueKey [0xF72A619A]

INT 0x62 ? 89D97BF8
INT 0x63 ? 89B04BF8
INT 0x63 ? 89B04BF8
INT 0x63 ? 89B04BF8
INT 0x63 ? 89B04BF8
INT 0x82 ? 89D97BF8

---- Kernel code sections - GMER 1.0.15 ----

? spoz.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F69758AC 5 Bytes JMP 89B041D8
? C:\WINDOWS\System32\drivers\aba3d60a.sys The system cannot find the file specified.
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.exe[180] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
.text C:\WINDOWS\Explorer.exe[180] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
.text C:\WINDOWS\Explorer.exe[180] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
.text C:\Program Files\iTunes\iTunesHelper.exe[944] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
.text C:\Program Files\iTunes\iTunesHelper.exe[944] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
.text C:\Program Files\iTunes\iTunesHelper.exe[944] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1148] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1148] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1148] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1916] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1916] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
.text C:\WINDOWS\system32\svchost.exe[1916] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1944] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1944] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1944] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\C740D2E4.x86.dll

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7288040] spoz.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F728813C] spoz.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F72880BE] spoz.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F72887FC] spoz.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F72886D2] spoz.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7298048] spoz.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\Explorer.exe[180] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
IAT C:\WINDOWS\Explorer.exe[180] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
IAT C:\Program Files\iTunes\iTunesHelper.exe[944] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
IAT C:\Program Files\iTunes\iTunesHelper.exe[944] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1148] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1148] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1916] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1916] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[1944] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\C740D2E4.x86.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[1944] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\C740D2E4.x86.dll

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aba3d60a.sys
Device \FileSystem\Ntfs \Ntfs 89D961F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{CE2F6F90-17FF-4283-ACEC-64F3D76821CF} 898FA500
Device \Driver\Tcpip \Device\Ip aba3d60a.sys

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)

Device \Driver\usbohci \Device\USBPDO-0 89B9B1F8
Device \Driver\usbohci \Device\USBPDO-1 89B9B1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 89D2B1F8
Device \Driver\dmio \Device\DmControl\DmConfig 89D2B1F8
Device \Driver\dmio \Device\DmControl\DmPnP 89D2B1F8
Device \Driver\dmio \Device\DmControl\DmInfo 89D2B1F8
Device \Driver\usbehci \Device\USBPDO-2 89AF81F8
Device \Driver\Tcpip \Device\Tcp aba3d60a.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 89D981F8
Device \Driver\Cdrom \Device\CdRom0 89AF41F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 898FA500
Device \Driver\NetBT \Device\NetbiosSmb 898FA500
Device \Driver\Tcpip \Device\Udp aba3d60a.sys
Device \Driver\Tcpip \Device\RawIp aba3d60a.sys
Device \Driver\usbohci \Device\USBFDO-0 89B9B1F8
Device \Driver\usbohci \Device\USBFDO-1 89B9B1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 898F3500
Device \Driver\usbehci \Device\USBFDO-2 89AF81F8
Device \Driver\Tcpip \Device\IPMULTICAST aba3d60a.sys
Device \FileSystem\MRxSmb \Device\LanmanRedirector 898F3500
Device \Driver\Ftdisk \Device\FtControl 89D981F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{287FE9F3-6724-4EFB-9965-F900D8BC2F37} 898FA500
Device \FileSystem\Cdfs \Cdfs 899A5500
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.exe [180] 0x35670000
Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [812] 0x35670000
Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\Program Files\iTunes\iTunesHelper.exe [944] 0x35670000
Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1088] 0x35670000
Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1148] 0x35670000
Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1252] 0x35670000
Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1332] 0x35670000
Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1608] 0x35670000
Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [1652] 0x35670000
Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [1680] 0x35670000
Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\pmta\gmsmux\wrapper.exe [1868] 0x35670000
Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1916] 0x35670000
Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [1944] 0x35670000
Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [1960] 0x35670000
Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\pmta\jre\bin\java.exe [1976] 0x35670000
Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\pmta\bin\pmtad.exe [2068] 0x35670000
Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2096] 0x35670000
Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [4056] 0x35670000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\System32\drivers\aba3d60a.sys (*** hidden *** ) [SYSTEM] aba3d60a <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\aba3d60a@ImagePath \SystemRoot\System32\drivers\aba3d60a.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\aba3d60a@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\aba3d60a@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\aba3d60a@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\aba3d60a@F96ZK6nPB MmF1Y3Rpb25ydS51cw==
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF9 0x70 0xCD 0xED ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x6C 0xAD 0xF3 0xB1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x00 0xFF 0xF7 0x0B ...
Reg HKLM\SYSTEM\ControlSet003\Services\aba3d60a@ImagePath \SystemRoot\System32\drivers\aba3d60a.sys
Reg HKLM\SYSTEM\ControlSet003\Services\aba3d60a@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\aba3d60a@Start 1
Reg HKLM\SYSTEM\ControlSet003\Services\aba3d60a@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet003\Services\aba3d60a@F96ZK6nPB MmF1Y3Rpb25ydS51cw==
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF9 0x70 0xCD 0xED ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x6C 0xAD 0xF3 0xB1 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x00 0xFF 0xF7 0x0B ...
Reg HKLM\SOFTWARE\Classes\CLSID\{68dfd01c-5335-451f-9db8-dcde4b93fef7}@Model 121
Reg HKLM\SOFTWARE\Classes\CLSID\{68dfd01c-5335-451f-9db8-dcde4b93fef7}@Therad 26
Reg HKLM\SOFTWARE\Classes\CLSID\{68dfd01c-5335-451f-9db8-dcde4b93fef7}@MData 0x30 0x61 0x3C 0x66 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}@scansk 0x3F 0x3E 0xD0 0x15 ...

---- Files - GMER 1.0.15 ----

ADS C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP195\A0027083.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP195\A0027088.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP195\A0027187.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP195\A0027301.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP196\A0027372.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP197\A0027381.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP197\A0027388.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP197\A0027401.sys:1 8192 bytes executable
ADS C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP197\A0027412.sys:1 8192 bytes executable
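An added triage helper for reading a GMER log like the one above (my own example, not code from the thread or from GMER): it groups the SSDT hooks, the on-disk images GMER could not open, the device objects served by a driver file instead of an address, the hidden DLL and the processes it sits in, and the hidden service, all by the module responsible, and then tries a base64 decode of any non-standard service value. The sample input is a constructed subset of the posted log, copied verbatim so the line formats are real; the base64 check and the "printable ASCII" rule are this example's own heuristics.

```python
import base64
import re
from collections import defaultdict

# Constructed sample input: a subset of the GMER log posted above, verbatim.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\drivers\aba3d60a.sys ZwCreateEvent [0xF76517AD]
SSDT spoz.sys ZwEnumerateKey [0xF72A5CA2]
SSDT \SystemRoot\System32\drivers\aba3d60a.sys ZwOpenKey [0xF764F945]
SSDT spoz.sys ZwQueryValueKey [0xF72A5F88]
---- Kernel code sections - GMER 1.0.15 ----
? spoz.sys The system cannot find the file specified. !
? C:\WINDOWS\System32\drivers\aba3d60a.sys The system cannot find the file specified.
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs aba3d60a.sys
Device \Driver\Tcpip \Device\Tcp aba3d60a.sys
Device \Driver\Cdrom \Device\CdRom0 89AF41F8
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.exe [180] 0x35670000
Library \\?\globalroot\Device\__max++>\C740D2E4.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [812] 0x35670000
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\System32\drivers\aba3d60a.sys (*** hidden *** ) [SYSTEM] aba3d60a <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\aba3d60a@ImagePath \SystemRoot\System32\drivers\aba3d60a.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\aba3d60a@F96ZK6nPB MmF1Y3Rpb25ydS51cw==
"""

SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)")
MISSING_RE = re.compile(r"^\?\s+(\S+)\s+The system cannot find the file specified")
DEVICE_RE = re.compile(r"^Device\s+(\S+)\s+(\S+)\s+(\S+\.sys)$", re.IGNORECASE)
LIBRARY_RE = re.compile(r"^Library\s+(\S+)\s+\(\*\*\* hidden \*\*\* \)\s+@\s+(.+?)\s+\[(\d+)\]")
SERVICE_RE = re.compile(r"^Service\s+(\S+)\s+\(\*\*\* hidden \*\*\* \)")
REG_RE = re.compile(r"^Reg\s+(\S+?)@(\S+)\s+(.*)$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")  # heuristic shape check


def decode_if_base64(value):
    """Return the decoded text if `value` is base64 for printable ASCII, else None."""
    if not B64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:  # bad padding / alphabet, or non-ASCII bytes
        return None
    return text if text and all(32 <= ord(c) < 127 for c in text) else None


def triage_gmer(text):
    """Group GMER findings by the module behind them instead of a flat address list."""
    ssdt_hooks = defaultdict(list)      # driver file -> hooked Zw* services
    unreadable = []                     # modules GMER could not open on disk
    hooked_devices = defaultdict(list)  # driver file -> device objects it serves
    hidden_libs = defaultdict(list)     # hidden DLL -> [(process, pid)]
    hidden_services = []
    decoded = []                        # (key, value name, decoded text)

    for raw in text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            ssdt_hooks[m.group(1).rsplit("\\", 1)[-1]].append(m.group(2))
        elif m := MISSING_RE.match(line):
            unreadable.append(m.group(1))
        elif m := DEVICE_RE.match(line):
            hooked_devices[m.group(3)].append(m.group(2))
        elif m := LIBRARY_RE.match(line):
            hidden_libs[m.group(1)].append((m.group(2), int(m.group(3))))
        elif m := SERVICE_RE.match(line):
            hidden_services.append(m.group(1))
        elif m := REG_RE.match(line):
            plain = decode_if_base64(m.group(3).strip())
            if plain is not None:
                decoded.append((m.group(1), m.group(2), plain))

    return {
        "ssdt_hooks": dict(ssdt_hooks),
        "unreadable_modules": unreadable,
        "hooked_devices": dict(hooked_devices),
        "hidden_libraries": dict(hidden_libs),
        "hidden_services": hidden_services,
        "decoded_values": decoded,
    }


def report(summary):
    """Render the grouped summary as one line per finding."""
    out = []
    for drv, fns in summary["ssdt_hooks"].items():
        out.append(f"SSDT: {drv} hooks {len(fns)} services: {', '.join(fns)}")
    for mod in summary["unreadable_modules"]:
        out.append(f"on-disk image unreadable (hidden or locked): {mod}")
    for drv, devs in summary["hooked_devices"].items():
        out.append(f"device objects served by {drv}: {', '.join(devs)}")
    for dll, procs in summary["hidden_libraries"].items():
        where = ", ".join(f"{p} [{pid}]" for p, pid in procs)
        out.append(f"hidden DLL {dll} in {len(procs)} processes: {where}")
    for svc in summary["hidden_services"]:
        out.append(f"hidden service image: {svc}")
    for key, name, plain in summary["decoded_values"]:
        out.append(f"base64 value {key}@{name} decodes to: {plain}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage_gmer(SAMPLE_LOG)))
```

Grouping by module is what makes a log like this readable: two driver names account for every SSDT hook, one hidden DLL is present in every listed process, the same driver file serves the NTFS and TCP/IP device objects, and the hidden service carries a value that decodes to plain text. That summary is what a helper wants in hand before choosing the next tool.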

katana
2009-08-07, 15:17
Please note that all instructions given are customised for this computer only,
the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
Please Read All Instructions Carefully
If you don't understand something, stop and ask! Don't keep going on.
Please do not run any other tools or scans whilst I am helping you
Failure to reply within 5 days will result in the topic being closed.
Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those few things, everything should go smoothly

Some of the logs I request will be quite large, You may need to split them over a couple of replies.

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------



Download and Run ComboFix


Download Combofix from the link below. Save it to your desktop.

> Link Removed <

(I have renamed the file)



STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.


Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


Click the Windows 'Start' button > Select 'Run' - then copy/paste the following bolded text into the run box & click OK.

"%userprofile%\desktop\CleanMe.exe" /killall

When finished, it shall produce a log for you. Post that log in your next reply.

_nicademas
2009-08-07, 15:52
Thank you very much for the assistance.

I did as you asked. ComboFix runs, I can see the status bar for it, and it appears to complete, but then everything just stops. No log is produced. It really seems just like the other programs I have tried to run, where this infestation just shuts them down.

No other viral software was running.

I do see an mdm.exe running that looks suspicious. I stop it in task mgr though then run this program and it still is killed. Just to let you know, these programs are being stopped by this infection while in Safe Mode as well. It appears to be well attached to the system. Last night while observing this, I noticed the explorer.exe grab some cpu usage every time an anti-virus program was shut down.

I tried renaming HiJackThis too, and no help.
Don't know if this helps, but thought I'd send it out there.

katana
2009-08-07, 16:12
Ok, we need some info before we can kill this nasty.


SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.
Double click Sysprot.exe to start the program.
Click on the Log tab. In the Write to log box select all items.
Click on the Create Log button on the bottom right.
After a few seconds a new window should appear.
Select Scan Root Drive. Click on the Start button.
When it is complete a new window will appear to indicate that the scan is finished.
The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

_nicademas
2009-08-07, 16:32
Thanks for the quick response. I am stoked that something actually ran. Here are the results:

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\smss.exe
PID: 676
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe
PID: 736
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe
PID: 936
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 980
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe
PID: 992
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ati2evxx.exe
PID: 1148
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1160
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1256
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1304
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1468
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1520
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe
PID: 1780
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1880
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PID: 1964
Hidden: No
Window Visible: No

Name: C:\Program Files\Bonjour\mDNSResponder.exe
PID: 1976
Hidden: No
Window Visible: No

Name: C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
PID: 2012
Hidden: No
Window Visible: No

katana
2009-08-07, 20:44
Use Windows explorer to open this folder
C:\Documents and Settings\All Users\Application Data

You may need to unhide files and folders ( see below )

Look for a folder that has all numbers in its name eg 12365489
If you find one, DRAG the entire folder to your desktop
Reboot the machine and then try Combofix again



Show All Files And Folders
Now you need to show all files and folders
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

_nicademas
2009-08-07, 21:29
Thank you for the follow-up.

I found two folders with all numbers in that directory and did as you said, moving both to desktop, restarted, and then ran the CleanMe.exe again. Like before, it ran, appeared to complete, hour glasses and the whole nine, and then it just stopped - producing no log.

_nicademas
2009-08-07, 21:42
Katana...

Just an added notice, I looked at the properties of the folders that you mentioned herein and they were added on the same date that I had attempted to remove some a.exe, b.exe, and msa.exe issues. I removed those apps and associated registry keys, as I could find them.

I'm starting to believe they are somehow associated now. I also recently had a bout with Windows Antivirus Pro that I believed Windows Defender had resolved.

Thanks again!

katana
2009-08-07, 22:06
Yes, they are probably all related.

Please try the following

Click start > run then copy/paste the following into the run window

cacls C:\windows\system32\cmd.exe /G emh:F

Press enter.

A cmd window should come up asking you if you are sure, type 'y' then hit enter.

After that, delete your copy of combofix, re-download a new one and try to run it again.

_nicademas
2009-08-07, 22:10
Hello again.

When I enter

cacls C:\windows\system32\cmd.exe /G emh:F

into the Run box and hit Enter, the Command prompt comes up but is closed almost immediately to where I only see it briefly and can't even see what it says on the prompt.

katana
2009-08-08, 00:41
That's fine, it should only take a second.
If we are lucky, that should allow Combofix to run now.

_nicademas
2009-08-08, 01:25
Hi.

I'm telling you that it shut down the command box before I could verify to commit the command. It didn't run, it didn't generate any log, it is still doing the same thing.

_nicademas
2009-08-08, 01:32
I'm sorry if I am not being clear.

I did as you said, and it didn't allow me to verify the command. When the command prompt opened, it then shut quickly without me being able to type 'y' or even see anything.

Now, I re-ran the combofix, which you renamed cleanme.exe, and it did the same thing as it has been doing.

Let me know if you need more info.

Thanks!!

katana
2009-08-08, 13:12
Your logs show that you have at least two rootkits and at least one other infection ...they all prevent removal tools from running :sad:

This may take several tries, so please be patient.

Please try the following.

Click start > run then copy/paste the following into the run window

cacls C:\windows\system32\cmd.exe /G Owner:F

Press enter.

A cmd window should come up asking you if you are sure, type 'y' then hit enter.

Try to run Combofix again.


Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam-download.php) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
Update Malwarebytes' Anti-Malware
and Launch Malwarebytes' Anti-Malware
then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
If requested, please reboot.
If you accidentally close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

_nicademas
2009-08-08, 16:08
Thanks for the follow-up!!

I tried what you said many, many times and neither comboFix nor MalwareBytes will run. The cacls command didn't seem to make any difference whatsoever. ComboFix has the task bar look like it completes...then there are some hourglasses, then it dies.

MalwareBytes will install and update, but very shortly after starting to run, it dies as well with the permissions changing to say "windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." When I attempt to change the permissions, there is no security/permissions tab.

_nicademas
2009-08-08, 16:24
Katana...

Here is some more info that may be of use.

When comboFix attempts to run... watching task manager, it appears to die while n.pif is running or immediately after it runs.

While I am in safe mode, this issue persists. I have seen it kill programs while I am in safe and trying to scan (previously did this). When windows launches, a winword.exe process runs - I'm almost sure that shouldn't be happening.

Here are the only processes running in safe when this still happens:
taskmgr.exe
svchost.exe
explorer.exe
svchost.exe
svchost.exe
svchost.exe
lsass.exe
services.exe
winlogon.exe
csrss.exe
smss.exe
system
system idle process

It appears to be attached to these processes.
What other info can I provide to assist you with the next steps?

Thanks again!!!!

katana
2009-08-08, 17:37
I've not abandoned you, I'm doing some research :D:
Did you try the second Cacls instruction I posted? It was different from the first.

You don't happen to know where you got this infection, do you?

Please try the following


Download and Run RSIT

Please download Random's System Information Tool by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:

log.txt will be opened maximized.
info.txt will be opened minimized.

Please post the contents of both log.txt and info.txt.
( They can also be found in the C:\RSIT folder )

_nicademas
2009-08-08, 18:37
Hi Katana. Thanks for being persistent.

No, I don't know from where it reared. I got some stuff off Ares a little while back for my cousin's wedding and it very well may have showed from there. I don't keep it open and use it rarely.

I did run the other cacls command, many times before trying ComboFix & mbam, and had the same symptoms. At least when I ran the last command, the cmd prompt did open and ask me y/n.

Ok, I ran the RSIT and it got a little ways then was killed. Same scenario...permission denied now. It did save a little bit in the log file, which I am attaching below. As a sidenote, the two .jobs under windows/tasks are associated with a.exe and b.exe, I know that for sure. I found it in the event log associating those keys with those programs.

Just an opinion here, this infection is very efficient. My system is showing no signs of an issue. Running very fast. But when anything runs that appears to search certain areas or look like a Malware scanning program, it is nailed to the wall. Never seen anything work this well and not show any adverse symptoms at the system level.

Here is the log that was captured:


Logfile of random's system information tool 1.06 (written by random/random)
Run by Owner at 2009-08-08 11:18:53
Microsoft Windows XP Professional Service Pack 3
System drive C: has 8 GB (8%) free of 95 GB
Total RAM: 1918 MB (77% free)


======Scheduled tasks folder======

C:\WINDOWS\tasks\WGASetup.job
C:\WINDOWS\tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
C:\WINDOWS\tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}]
IDMIEHlprObj Class - C:\Program Files\Internet Download Manager\IDMIECC.dll [2008-12-23 161200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 54248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java(tm) Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-22 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-22 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-12-22 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f54af7de-6038-4026-8433-cc30e3f17212}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2005-02-02 102492]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2005-02-02 692316]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-04-11 339968]
"Cpqset"=C:\Program Files\HPQ\Default Settings\cpqset.exe [2005-02-17 233534]
"eabconfg.cpl"=C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe [2004-12-03 290816]
"hpWirelessAssistant"=C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe [2005-04-01 794624]
"HP Software Update"=C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [2005-02-17 49152]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ares"=C:\Program Files\Ares\Ares.exe [2008-12-16 887808]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2005-04-11 46080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"= []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pevsystemstart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\windefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\pevsystemstart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\windefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Ares\Ares.exe"="C:\Program Files\Ares\Ares.exe:*:Enabled:Ares p2p for windows"
"C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\VARPC.EXE"="C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\VARPC.EXE:*:Enabled:Microsoft (R) Visual Studio VSA RPC Event Creator"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Java\jre6\launch4j-tmp\JDownloader.exe"="C:\Program Files\Java\jre6\launch4j-tmp\JDownloader.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\WINDOWS\system32\java.exe"="C:\WINDOWS\system32\java.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\WINDOWS\system32\ftp.exe"="C:\WINDOWS\system32\ftp.exe:*:Enabled:File Transfer Program"
"D:\setup\HPZNUI01.EXE"="D:\setup\HPZNUI01.EXE:*:Enabled:hpznui01.exe"
"D:\setup\HPONICIFS01.EXE"="D:\setup\HPONICIFS01.EXE:*:Enabled:hponicifs01.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\Hp\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hposid01.exe"="C:\Program Files\Hp\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\Program Files\Microsoft SQL Server\90\Shared\SqlSAC.exe"="C:\Program Files\Microsoft SQL Server\90\Shared\SqlSAC.exe:*:Enabled:SQL Server Surface Area Configuration"
"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\devenv.exe"="C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\devenv.exe:*:Enabled:Microsoft Visual Studio 2005"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65a12071-04f5-11de-9d93-0014a51fe469}]
shell\AutoRun\command - F:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7430667-d3ac-11dd-9d87-0014a51fe469}]
shell\AutoRun\command - E:\wd_windows_tools\WDSetup.exe


======List of files/folders created in the last 1 months======

2009-08-08 11:18:54 ----D---- C:\Program Files\trend micro
2009-08-08 11:18:53 ----D---- C:\rsit
2009-08-08 09:14:36 ----D---- C:\32788R22FWJFW
2009-08-08 08:52:05 ----D---- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2009-08-08 08:51:59 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-08-07 20:00:23 ----A---- C:\WINDOWS\ntbtlog.txt
2009-08-07 18:41:58 ----A---- C:\WINDOWS\system32\PerfStringBackup.TMP
2009-08-07 18:18:49 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-08-07 17:49:36 ----D---- C:\WINDOWS\CSC
2009-08-07 17:31:42 ----D---- C:\Program Files\Windows Defender
2009-08-07 15:33:22 ----D---- C:\32788R22FWJFW(2)
2009-08-07 11:32

_nicademas
2009-08-08, 18:40
One more thing I should note for your info moving forward.

When this started happening, I recall Acrobat trying to open something and getting some notices - when I had not opened any pdf or Acrobat files. Also saw something in Re to Flash. Not sure what it was, but I was not using anything at the time that required the Flash Player.

katana
2009-08-08, 22:48
It certainly is efficient, annoyingly so !!
You don't have an install disc do you ?
It may be easier if we can install the recovery console

You posted a list of files that were running, let's see if we can get Combofix to run by renaming it as one of those


Click start > run then copy/paste the following into the run window

cacls C:\windows\system32\cmd.exe /G Owner:F

Press enter.

A cmd window should come up asking you if you are sure, type 'y' then hit enter.

Download Combofix from the link below. Save it to your desktop.

Link 1 (http://neoshine.co.uk/mina/Downloads/Winlogon.exe)

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click the file & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply
Re-enable all the programs that were disabled during the running of ComboFix.

_nicademas
2009-08-09, 01:16
Hi Katana.

No dice on the rename. I ran the command then tried to run ComboFix as Winlogon.exe and it launched, the status bars completed and then it died, like before.

I do have an operating system (already installed on your computer)/reinstallation cd for windows xp prof sp 2. It says it is for a Dell, my laptop is an hp. It says only reinstall on a Dell. I don't know where this operating system cd is, I moved and apparently lost it. Can I use the Dell OS cd to install the Recovery Console? BTW, I am using XP Prof, sp3 at present on this Laptop.

Any other way to get the Recovery Console?

Thanks for the continued support!

katana
2009-08-09, 11:31
We need to look for a file called scecli.dll

I'll give instructions for using a tool, but if that doesn't run you will have to try Windows Search.
(don't delete it, just find all the copies of it)

Edit --- SystemLook should work

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:


:filefind
scecli.dll
winnt32.exe
:comment

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

_nicademas
2009-08-09, 18:35
Hello.

Here is the search log:


SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 11:30 on 09/08/2009 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\WINDOWS\$NtServicePackUninstall$\scecli.dll -----c 180224 bytes [19:31 22/12/2008] [12:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\ServicePackFiles\i386\scecli.dll ------ 181248 bytes [00:12 14/04/2008] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\scecli.dll --a--- 60928 bytes [12:00 04/08/2004] [00:12 14/04/2008] (Unable to calculate MD5)

Searching for "winnt32.exe"
No files found.

-=End Of File=-


Thanks again!!

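As an added illustration (not part of the original thread, and not code from SystemLook or its author), here is a small Python script that reads the filefind output above and makes the comparison the next step acts on: it groups the copies of each file by name, treats the ServicePackFiles and $NtServicePackUninstall$ copies as reference copies, and flags a system32 copy whose size or hash matches none of them, or whose hash an elevated tool could not read. The line format is inferred from the log as posted; which of the two bracketed timestamps is "modified" and which is "created" is an assumption, and the sample input is the posted log reproduced inline.

```python
import re
from collections import defaultdict

# Constructed sample input: the filefind section of the SystemLook log
# posted above, reproduced verbatim for the parser to work on.
SYSTEMLOOK_LOG = r"""
SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 11:30 on 09/08/2009 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\WINDOWS\$NtServicePackUninstall$\scecli.dll -----c 180224 bytes [19:31 22/12/2008] [12:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\ServicePackFiles\i386\scecli.dll ------ 181248 bytes [00:12 14/04/2008] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\scecli.dll --a--- 60928 bytes [12:00 04/08/2004] [00:12 14/04/2008] (Unable to calculate MD5)

Searching for "winnt32.exe"
No files found.

-=End Of File=-
"""

# One result line: <path> <6 attribute flags> <size> bytes [ts] [ts] <MD5 or note>.
# The layout is inferred from the posted log; the two timestamps are kept as
# ts1/ts2 because their meaning (modified vs. created) is an assumption here.
LINE_RE = re.compile(
    r'^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[-A-Za-z]{6}) (?P<size>\d+) bytes '
    r'\[(?P<ts1>[^\]]+)\] \[(?P<ts2>[^\]]+)\] '
    r'(?P<md5>[0-9A-Fa-f]{32}|\(Unable to calculate MD5\))$'
)

# Directories Windows keeps pristine copies in; a copy found here is a
# reference to compare against, never the "live" copy the OS loads.
REFERENCE_DIRS = ('\\servicepackfiles\\i386\\', '\\$ntservicepackuninstall$\\', '\\dllcache\\')


def parse_filefind(text):
    """Return {basename: [entry, ...]} for every result line in a SystemLook log."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, "Searching for", "No files found.", blank lines
        e = m.groupdict()
        e['size'] = int(e['size'])
        # A hash the tool could not compute is recorded as None, not as a string.
        e['md5'] = None if e['md5'].startswith('(') else e['md5'].upper()
        name = e['path'].rsplit('\\', 1)[-1].lower()
        entries[name].append(e)
    return dict(entries)


def is_reference(path):
    return any(d in path.lower() for d in REFERENCE_DIRS)


def assess(entries):
    """Compare each live system32 copy with its reference copies.

    Returns {basename: [finding, ...]}; an empty list means nothing stood out.
    """
    findings = {}
    for name, copies in entries.items():
        live = [c for c in copies
                if '\\system32\\' in c['path'].lower() and not is_reference(c['path'])]
        refs = [c for c in copies if is_reference(c['path'])]
        ref_sizes = {r['size'] for r in refs}
        ref_hashes = {r['md5'] for r in refs if r['md5']}
        notes = []
        for c in live:
            if c['md5'] is None:
                # An elevated tool that cannot read a system DLL is itself a
                # signal that something is interfering with file access.
                notes.append(f"{c['path']}: hash could not be read by an elevated tool")
            if refs and c['size'] not in ref_sizes:
                notes.append(f"{c['path']}: size {c['size']} matches no reference copy "
                             f"({sorted(ref_sizes)})")
            if refs and c['md5'] is not None and c['md5'] not in ref_hashes:
                notes.append(f"{c['path']}: hash matches no reference copy")
        findings[name] = notes
    return findings


if __name__ == '__main__':
    for name, notes in assess(parse_filefind(SYSTEMLOOK_LOG)).items():
        print(name, 'OK' if not notes else '')
        for n in notes:
            print('   ', n)
```

Run on the posted log it reports two findings for scecli.dll: the live copy is a third of the size of either reference copy and its hash is unreadable, which is exactly the situation the next step addresses by restoring the Service Pack copy over it.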
katana
2009-08-09, 19:23
----------------------------------------------------------------------------------------
Step 1

Delete any copy of Combofix that you have.

Download a fresh copy .... > ComboFix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Download a fresh copy of MalwareBytes setup .... > Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam-download.php)
Don't run them yet, they are for later.


----------------------------------------------------------------------------------------
Step 2

Avenger

Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Please download The Avenger2 by SwanDog46 (http://swandog46.geekstogo.com/avenger.zip).
Unzip avenger.exe to your desktop.
Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"


Files to move:
C:\WINDOWS\$NtServicePackUninstall$\scecli.dll|C:\Windows\System32\Scecli.dll

Now start The Avenger2 by double clicking avenger.exe on your desktop.
Read the prompt that appears, and press OK.
Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
Press the "Execute" button.
You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
Note: It is possible that Avenger will reboot your system TWICE.
Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.


----------------------------------------------------------------------------------------
Step 4

Now run Combofix followed by installing/running the new MalwareBytes.

_nicademas
2009-08-10, 05:00
Hey Katana.

Now we're cooking with gas. Thanks so much for that !!!! Please let me know where to go from here.

I was able to run Avenger, ComboFix, and then MalwareBytes. Here are the logs in that order:


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\$NtServicePackUninstall$\scecli.dll|C:\Windows\System32\Scecli.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

================================================
ComboFix Log:

ComboFix 09-08-09.03 - Owner 08/09/2009 21:27.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1466 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\98801556.ini
c:\documents and settings\Owner\Application Data\wiaserva.log
c:\windows\Installer\189f1.msi
c:\windows\system32\mdm.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-07-10 to 2009-08-10 )))))))))))))))))))))))))))))))
.

2009-08-08 16:18 . 2009-08-08 16:18 -------- d-----w- c:\program files\trend micro
2009-08-08 16:18 . 2009-08-08 16:18 -------- d-----w- C:\rsit
2009-08-08 13:52 . 2009-08-08 13:52 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-08-06 23:43 . 2009-08-06 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-06 23:08 . 2009-08-07 22:31 -------- d-----w- c:\program files\Windows Defender(2)
2009-08-04 20:47 . 2009-08-04 20:48 -------- d-----w- c:\program files\Windows Antivirus Pro
2009-08-03 23:27 . 2008-11-27 23:47 -------- d---a-w- c:\windows\system32\images
2009-08-03 22:51 . 2009-08-03 23:45 4 ----a-w- c:\windows\system32\bincd32.dat
2009-08-03 22:37 . 2009-08-04 00:37 -------- d-----w- c:\program files\creytd
2009-07-30 17:35 . 2009-07-31 05:40 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp
2009-07-30 17:34 . 2009-07-30 17:35 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Google
2009-07-30 17:34 . 2009-07-30 17:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Deployment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-10 02:40 . 2009-08-07 23:41 5310 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-08-09 04:11 . 2008-12-23 22:56 -------- d-----w- c:\documents and settings\Owner\Application Data\DMCache
2009-08-08 00:31 . 2009-04-01 04:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-07 22:32 . 2009-04-01 04:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-07 22:31 . 2009-08-07 22:31 -------- d-----w- c:\program files\Windows Defender
2009-08-07 22:31 . 2009-08-07 01:14 -------- d-----w- c:\program files\Registrar Lite
2009-08-07 22:31 . 2008-12-22 20:45 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-07 22:31 . 2009-08-07 16:30 -------- d-----w- c:\program files\ERUNT
2009-08-07 04:03 . 2009-02-03 05:20 -------- d-----w- c:\program files\Bonjour
2009-06-18 12:56 . 2009-06-18 12:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-14 13:23 . 2009-05-14 13:23 111160 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="c:\program files\Ares\Ares.exe" [2008-12-17 887808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 339968]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 794624]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-12-23 569405]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\windows\system32\onhelp.htm
FriendlyName= tets

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\windefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Microsoft SQL Server\\90\\Shared\\SqlSAC.exe"=
"c:\\Program Files\\Microsoft Visual Studio 8\\Common7\\IDE\\devenv.exe"=

R2 gms-mux;Goodmail Multiplexer;c:\pmta\gmsmux\wrapper.exe -s "c:\pmta\gmsmux\config\wrapper.conf" --> c:\pmta\gmsmux\wrapper.exe -s c:\pmta\gmsmux\config\wrapper.conf [?]
R2 PMTA;PowerMTA;c:\pmta\bin\pmtawatch.exe [11/18/2008 11:29 PM 761856]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [12/22/2008 1:20 PM 200192]
S1 aba3d60a;aba3d60a;c:\windows\system32\drivers\aba3d60a.sys --> c:\windows\system32\drivers\aba3d60a.sys [?]
S2 windefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
S3 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe [7/10/2008 1:22 AM 218136]
S3 PortalEmailer;PortalEmailer;c:\documents and settings\Owner\My Documents\Visual Studio 2005\Projects\PortalEmailer\PortalEmailer\bin\Debug\PortalEmailer.exe [4/13/2009 9:04 PM 32768]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [1/29/2009 12:12 PM 29824]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [1/29/2009 12:12 PM 41344]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [1/29/2009 12:12 PM 39936]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [1/29/2009 12:12 PM 59776]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder

2009-08-10 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.daemon-search.com/startpage
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\snfz6iz3.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\documents and settings\Owner\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-09 21:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????1?4?0?5??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{68dfd01c-5335-451f-9db8-dcde4b93fef7}]
@Denied: (Full) (Everyone)
"Model"=dword:00000079
"Therad"=dword:0000001a
"MData"=hex(0):30,61,3c,66,a3,eb,ea,4b,5e,e9,80,4a,38,68,68,50,7b,7d,ce,43,86,
ef,e0,3d,3b,8a,0a,32,11,89,01,b5,8b,50,c3,71,c8,b6,78,97,c1,28,e6,e3,95,8e,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):3f,3e,d0,15,73,f2,c2,65,b9,bc,55,6c,d5,de,f4,5a,5e,1c,48,cf,a7,
b0,6b,38,27,3b,f3,4d,a6,38,a5,51,8f,1e,35,42,4d,3f,aa,0e,00,00,00,00,00,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4008)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\pmta\gmsmux\wrapper.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\pmta\jre\bin\java.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\pmta\bin\pmtad.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wdfmgr.exe
c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
c:\windows\system32\wscntfy.exe
c:\program files\HPQ\shared\hpqwmi.exe
.
**************************************************************************
.
Completion time: 2009-08-10 21:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-10 02:45

Pre-Run: 7,437,271,040 bytes free
Post-Run: 7,284,998,144 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

188 --- E O F --- 2009-06-10 13:56

================================================
MalwareBytes Log:

Malwarebytes' Anti-Malware 1.40
Database version: 2589
Windows 5.1.2600 Service Pack 3

8/9/2009 9:53:00 PM
mbam-log-2009-08-09 (21-53-00).txt

Scan type: Full Scan (C:\|)
Objects scanned: 23807
Time elapsed: 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{e24211b3-a78a-c6a9-d317-70979ace5058} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

katana
2009-08-10, 12:31
Looking good :)
A big thanks to all the Guys and Gals that are working in the background to analyse this dross.
Without them we would still be struggling

Information

ares

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

List programs here

Please read the Guidelines for P2P Programs (http://forums.spybot.info/showpost.php?p=218503&postcount=4) where we explain why it's not a good idea to have them.

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected.
The bad guys use P2P filesharing as a major conduit to spread their wares.

Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) NOW.


----------------------------------------------------------------------------------------
Step 1

Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:



File::
c:\windows\system32\bincd32.dat
Dir::
c:\Program Files\Windows Antivirus Pro
c:\windows\system32\images
c:\Program Files\creytd
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"=-
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Ares\\Ares.exe"=-
Driver::
aba3d60a
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{68dfd01c-5335-451f-9db8-dcde4b93fef7}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
ADS::
Save this as CFScript.txt and place it on your desktop.


http://i51.photobucket.com/albums/f387/Katana_1970/CFScriptb.gif


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


----------------------------------------------------------------------------------------
Step 2

Kaspersky Online Scanner.
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review: Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


----------------------------------------------------------------------------------------
Step 3

Download and Run RSIT

Please download Random's System Information Tool by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:

log.txt will be opened maximized.
info.txt will be opened minimized.

Please post the contents of both log.txt and info.txt.
( They can also be found in the C:\RSIT folder )



----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large, You may need to split them over a couple of replies.

Combofix Log
Kaspersky Log
RSIT Logs
How are things running now ?

_nicademas
2009-08-10, 18:15
Hi Katana. Thanks again for all your help, and to whomever else is assisting, many thanks.

The system is running well. As I mentioned previously though, there were no outward indications of this infection unless you began trying to run any variation of a security mechanism. As such, the only difference I am seeing is that I can actually run these programs now, where I couldn't previously.

I ran the script with ComboFix and RSIT, but I could not get Kaspersky online scan to run. I don't think it was because of this infection, however. I kept getting a key expired error. In IE it wouldn't launch the applet at all, so I downloaded the latest version of Java (6.15) and was able to launch, but got the same key error. I cleared cookies/history & restarted, but to no avail.

Here are the logs from ComboFix and RSIT. I removed an application error in the event log section of RSIT log that happened many months back and that I know for sure was not related to this or any infection. Had some specifics I didn't want out in the open if you know what I mean.

ComboFix 09-08-09.04 - Owner 08/10/2009 9:06.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1364 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\bincd32.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bincd32.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_aba3d60a


((((((((((((((((((((((((( Files Created from 2009-07-10 to 2009-08-10 )))))))))))))))))))))))))))))))
.

2009-08-10 02:50 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 02:50 . 2009-08-10 02:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-10 02:50 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-08 16:18 . 2009-08-08 16:18 -------- d-----w- c:\program files\trend micro
2009-08-08 16:18 . 2009-08-08 16:18 -------- d-----w- C:\rsit
2009-08-08 13:52 . 2009-08-08 13:52 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-08-06 23:43 . 2009-08-06 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-06 23:08 . 2009-08-07 22:31 -------- d-----w- c:\program files\Windows Defender(2)
2009-08-04 20:47 . 2009-08-04 20:48 -------- d-----w- c:\program files\Windows Antivirus Pro
2009-08-03 23:27 . 2008-11-27 23:47 -------- d---a-w- c:\windows\system32\images
2009-08-03 22:37 . 2009-08-04 00:37 -------- d-----w- c:\program files\creytd
2009-07-30 17:35 . 2009-07-31 05:40 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp
2009-07-30 17:34 . 2009-07-30 17:35 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Google
2009-07-30 17:34 . 2009-07-30 17:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Deployment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-10 14:00 . 2009-08-07 23:41 5310 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-08-09 04:11 . 2008-12-23 22:56 -------- d-----w- c:\documents and settings\Owner\Application Data\DMCache
2009-08-08 00:31 . 2009-04-01 04:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-07 22:32 . 2009-04-01 04:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-07 22:31 . 2009-08-07 22:31 -------- d-----w- c:\program files\Windows Defender
2009-08-07 22:31 . 2009-08-07 01:14 -------- d-----w- c:\program files\Registrar Lite
2009-08-07 22:31 . 2008-12-22 20:45 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-07 22:31 . 2009-08-07 16:30 -------- d-----w- c:\program files\ERUNT
2009-08-07 04:03 . 2009-02-03 05:20 -------- d-----w- c:\program files\Bonjour
2009-06-26 16:50 . 2004-08-04 12:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-18 12:56 . 2009-06-18 12:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-14 13:23 . 2009-05-14 13:23 111160 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-08-10_02.36.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-10 14:15 . 2009-08-10 14:15 16384 c:\windows\Temp\Perflib_Perfdata_330.dat
- 2008-12-22 18:40 . 2008-07-09 07:38 17272 c:\windows\system32\spmsg.dll
+ 2008-12-22 18:40 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
- 2009-02-20 08:10 . 2009-04-29 04:46 81920 c:\windows\system32\dllcache\ieencode.dll
+ 2009-02-20 08:10 . 2009-06-26 16:50 81920 c:\windows\system32\dllcache\ieencode.dll
+ 2009-06-16 14:36 . 2009-06-16 14:36 81920 c:\windows\system32\dllcache\fontsub.dll
- 2009-08-10 02:31 . 2009-08-10 02:31 8192 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
+ 2009-08-10 14:12 . 2009-08-10 14:12 8192 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
- 2009-08-10 02:31 . 2009-08-10 02:31 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
+ 2009-08-10 14:12 . 2009-08-10 14:12 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
- 2004-08-04 12:00 . 2009-04-29 04:46 620032 c:\windows\system32\urlmon.dll
+ 2004-08-04 12:00 . 2009-06-26 16:50 620032 c:\windows\system32\urlmon.dll
+ 2008-12-22 19:55 . 2009-06-26 16:50 666624 c:\windows\system32\dllcache\wininet.dll
- 2008-12-22 19:55 . 2009-04-29 04:46 666624 c:\windows\system32\dllcache\wininet.dll
- 2008-12-22 19:55 . 2009-04-29 04:46 620032 c:\windows\system32\dllcache\urlmon.dll
+ 2008-12-22 19:55 . 2009-06-26 16:50 620032 c:\windows\system32\dllcache\urlmon.dll
+ 2009-06-16 14:36 . 2009-06-16 14:36 119808 c:\windows\system32\dllcache\t2embed.dll
- 2009-08-10 02:31 . 2009-08-10 02:31 192512 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
+ 2009-08-10 14:12 . 2009-08-10 14:12 192512 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
+ 2009-08-10 14:12 . 2009-08-10 14:12 229376 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
- 2009-08-10 02:31 . 2009-08-10 02:31 229376 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
- 2009-08-10 02:31 . 2009-08-10 02:31 229376 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2009-08-10 14:12 . 2009-08-10 14:12 229376 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2004-08-04 12:00 . 2009-07-18 16:05 1509888 c:\windows\system32\shdocvw.dll
+ 2004-08-04 12:00 . 2009-07-18 16:05 3069440 c:\windows\system32\mshtml.dll
+ 2008-12-22 19:54 . 2009-07-18 16:05 1509888 c:\windows\system32\dllcache\shdocvw.dll
+ 2008-05-07 05:12 . 2009-06-03 19:09 1291264 c:\windows\system32\dllcache\quartz.dll
+ 2008-12-22 19:50 . 2009-07-18 16:05 3069440 c:\windows\system32\dllcache\mshtml.dll
+ 2008-12-22 19:58 . 2009-07-07 15:10 24539592 c:\windows\system32\MRT.exe
+ 2009-08-10 14:12 . 2009-08-10 14:12 16973824 c:\windows\ERDNT\subs\Users\00000005\NTUSER.DAT
- 2009-08-10 02:31 . 2009-08-10 02:31 16973824 c:\windows\ERDNT\subs\Users\00000005\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 339968]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 794624]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-12-23 569405]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\windows\system32\onhelp.htm
FriendlyName= tets

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\windefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Microsoft SQL Server\\90\\Shared\\SqlSAC.exe"=
"c:\\Program Files\\Microsoft Visual Studio 8\\Common7\\IDE\\devenv.exe"=

R2 gms-mux;Goodmail Multiplexer;c:\pmta\gmsmux\wrapper.exe -s "c:\pmta\gmsmux\config\wrapper.conf" --> c:\pmta\gmsmux\wrapper.exe -s c:\pmta\gmsmux\config\wrapper.conf [?]
R2 PMTA;PowerMTA;c:\pmta\bin\pmtawatch.exe [11/18/2008 11:29 PM 761856]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [12/22/2008 1:20 PM 200192]
S2 windefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
S3 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe [7/10/2008 1:22 AM 218136]
S3 PortalEmailer;PortalEmailer;c:\documents and settings\Owner\My Documents\Visual Studio 2005\Projects\PortalEmailer\PortalEmailer\bin\Debug\PortalEmailer.exe [4/13/2009 9:04 PM 32768]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [1/29/2009 12:12 PM 29824]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [1/29/2009 12:12 PM 41344]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [1/29/2009 12:12 PM 39936]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [1/29/2009 12:12 PM 59776]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder

2009-08-10 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 03:18]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ares - c:\program files\Ares\Ares.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.daemon-search.com/startpage
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\snfz6iz3.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\documents and settings\Owner\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-10 09:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????1?4?0?5??P???? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2496)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\pmta\gmsmux\wrapper.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\pmta\jre\bin\java.exe
c:\pmta\bin\pmtad.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
c:\program files\HPQ\shared\hpqwmi.exe
.
**************************************************************************
.
Completion time: 2009-08-10 9:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-10 14:23
ComboFix2.txt 2009-08-10 02:46

Pre-Run: 7,151,603,712 bytes free
Post-Run: 7,107,104,768 bytes free

208 --- E O F --- 2009-08-10 13:39


Logfile of random's system information tool 1.06 (written by random/random)
Run by Owner at 2009-08-10 10:20:25
Microsoft Windows XP Professional Service Pack 3
System drive C: has 7 GB (7%) free of 95 GB
Total RAM: 1918 MB (73% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:34 AM, on 8/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\pmta\gmsmux\wrapper.exe
C:\WINDOWS\system32\svchost.exe
C:\pmta\jre\bin\java.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\pmta\bin\pmtawatch.exe
C:\pmta\bin\pmtad.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\Owner\Desktop\RSIT.exe
C:\Program Files\trend micro\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229973284213
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Goodmail Multiplexer (gms-mux) - Unknown owner - C:\pmta\gmsmux\wrapper.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PowerMTA (PMTA) - Unknown owner - C:\pmta\bin\pmtawatch.exe
O23 - Service: PortalEmailer - Unknown owner - C:\Documents and Settings\Owner\My Documents\Visual Studio 2005\Projects\PortalEmailer\PortalEmailer\bin\Debug\PortalEmailer.exe
O23 - Service: Visual Studio Analyzer RPC bridge - Unknown owner - C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe (file missing)
O24 - Desktop Component 0: tets - C:\WINDOWS\system32\onhelp.htm

--
End of file - 6617 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\WGASetup.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}]
IDMIEHlprObj Class - C:\Program Files\Internet Download Manager\IDMIECC.dll [2008-12-23 161200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 54248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-25 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-07-25 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2005-02-02 102492]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2005-02-02 692316]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-04-11 339968]
"Cpqset"=C:\Program Files\HPQ\Default Settings\cpqset.exe [2005-02-17 233534]
"eabconfg.cpl"=C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe [2004-12-03 290816]
"hpWirelessAssistant"=C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe [2005-04-01 794624]
"HP Software Update"=C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [2005-02-17 49152]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-25 149280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2005-04-11 46080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"= []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\windefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\windefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Java\jre6\launch4j-tmp\JDownloader.exe"="C:\Program Files\Java\jre6\launch4j-tmp\JDownloader.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\WINDOWS\system32\java.exe"="C:\WINDOWS\system32\java.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\WINDOWS\system32\ftp.exe"="C:\WINDOWS\system32\ftp.exe:*:Enabled:File Transfer Program"
"C:\Program Files\Hp\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\Hp\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hposid01.exe"="C:\Program Files\Hp\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\Program Files\Microsoft SQL Server\90\Shared\SqlSAC.exe"="C:\Program Files\Microsoft SQL Server\90\Shared\SqlSAC.exe:*:Enabled:SQL Server Surface Area Configuration"
"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\devenv.exe"="C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\devenv.exe:*:Enabled:Microsoft Visual Studio 2005"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-08-10 10:11:06 ----A---- C:\WINDOWS\system32\javaws.exe
2009-08-10 10:11:06 ----A---- C:\WINDOWS\system32\javaw.exe
2009-08-10 10:11:06 ----A---- C:\WINDOWS\system32\java.exe
2009-08-10 09:24:02 ----A---- C:\ComboFix.txt
2009-08-10 09:04:53 ----A---- C:\WINDOWS\zip.exe
2009-08-10 09:04:53 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-08-10 09:04:53 ----A---- C:\WINDOWS\SWSC.exe
2009-08-10 09:04:53 ----A---- C:\WINDOWS\SWREG.exe
2009-08-10 09:04:53 ----A---- C:\WINDOWS\sed.exe
2009-08-10 09:04:53 ----A---- C:\WINDOWS\PEV.exe
2009-08-10 09:04:53 ----A---- C:\WINDOWS\NIRCMD.exe
2009-08-10 09:04:53 ----A---- C:\WINDOWS\grep.exe
2009-08-10 09:04:49 ----SD---- C:\ComboFix
2009-08-10 08:39:38 ----HDC---- C:\WINDOWS\$NtUninstallKB972260$
2009-08-10 08:39:33 ----HDC---- C:\WINDOWS\$NtUninstallKB973346$
2009-08-10 08:39:26 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-08-10 08:37:45 ----A---- C:\WINDOWS\imsins.BAK
2009-08-10 08:37:40 ----HDC---- C:\WINDOWS\$NtUninstallKB961371$
2009-08-09 21:50:57 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-08-09 21:25:52 ----A---- C:\Boot.bak
2009-08-09 21:25:44 ----RASHD---- C:\cmdcons
2009-08-09 21:23:12 ----D---- C:\Qoobox
2009-08-09 21:19:38 ----D---- C:\Avenger
2009-08-09 21:19:38 ----A---- C:\avenger.txt
2009-08-09 18:10:34 ----A---- C:\WINDOWS\system32\scecli.dll.kat
2009-08-08 11:18:54 ----D---- C:\Program Files\trend micro
2009-08-08 11:18:53 ----D---- C:\rsit
2009-08-08 08:52:05 ----D---- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2009-08-07 20:00:23 ----A---- C:\WINDOWS\ntbtlog.txt
2009-08-07 18:41:58 ----A---- C:\WINDOWS\system32\PerfStringBackup.TMP
2009-08-07 18:18:49 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-08-07 17:49:36 ----D---- C:\WINDOWS\CSC
2009-08-07 17:31:42 ----D---- C:\Program Files\Windows Defender
2009-08-07 15:33:22 ----D---- C:\32788R22FWJFW(2)
2009-08-07 11:32:18 ----D---- C:\WINDOWS\ERDNT
2009-08-07 11:30:48 ----D---- C:\Program Files\ERUNT
2009-08-06 20:14:04 ----D---- C:\Program Files\Registrar Lite
2009-08-06 18:43:26 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-08-06 18:08:09 ----D---- C:\Program Files\Windows Defender(2)
2009-08-04 15:47:35 ----D---- C:\Program Files\Windows Antivirus Pro
2009-08-03 18:27:39 ----AD---- C:\WINDOWS\system32\images
2009-08-03 17:37:13 ----D---- C:\Program Files\creytd

======List of files/folders modified in the last 1 months======

2009-08-10 10:20:20 ----D---- C:\WINDOWS\Prefetch
2009-08-10 10:18:44 ----D---- C:\Program Files\Mozilla Firefox
2009-08-10 10:11:12 ----SHD---- C:\WINDOWS\Installer
2009-08-10 10:11:10 ----HD---- C:\Config.Msi
2009-08-10 10:11:08 ----D---- C:\WINDOWS\Temp
2009-08-10 10:11:06 ----D---- C:\WINDOWS\system32
2009-08-10 10:11:03 ----D---- C:\Program Files\Java
2009-08-10 09:24:04 ----D---- C:\WINDOWS\system32\drivers
2009-08-10 09:20:58 ----D---- C:\WINDOWS\system32\CatRoot2
2009-08-10 09:16:00 ----D---- C:\WINDOWS
2009-08-10 09:16:00 ----A---- C:\WINDOWS\system.ini
2009-08-10 09:12:55 ----D---- C:\WINDOWS\system32\config
2009-08-10 09:10:40 ----D---- C:\WINDOWS\AppPatch
2009-08-10 09:10:26 ----D---- C:\Program Files\Common Files
2009-08-10 08:59:40 ----RD---- C:\Program Files
2009-08-10 08:39:50 ----HD---- C:\WINDOWS\inf
2009-08-10 08:39:46 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-08-10 08:39:32 ----HD---- C:\WINDOWS\$hf_mig$
2009-08-10 08:38:00 ----D---- C:\WINDOWS\Debug
2009-08-09 21:44:06 ----SD---- C:\WINDOWS\Tasks
2009-08-09 21:25:52 ----RASH---- C:\boot.ini
2009-08-09 21:19:39 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2009-08-08 23:11:06 ----D---- C:\Documents and Settings\Owner\Application Data\DMCache
2009-08-07 19:31:08 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-07 17:32:10 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-08-07 17:31:39 ----D---- C:\Program Files\Windows Live Safety Center
2009-08-07 17:30:50 ----D---- C:\WINDOWS\system32\Restore
2009-08-07 16:49:55 ----D---- C:\WINDOWS\Registration
2009-08-06 23:03:29 ----D---- C:\Program Files\Bonjour
2009-08-06 22:45:19 ----D---- C:\Documents and Settings
2009-08-06 20:29:43 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-08-06 14:25:10 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-07-28 22:42:45 ----D---- C:\Mailings
2009-07-25 05:23:00 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-07-18 11:05:06 ----A---- C:\WINDOWS\system32\shdocvw.dll
2009-07-18 11:05:06 ----A---- C:\WINDOWS\system32\mshtml.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2004-08-11 39424]
R1 eabfiltr;EABFiltr; \??\C:\WINDOWS\system32\drivers\EABFiltr.sys []
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2005-04-11 1035264]
R3 BCM43XX;Broadcom 802.11 Network Adapter Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2005-03-10 371712]
R3 BTKRNL;Bluetooth Bus Enumerator; C:\WINDOWS\system32\DRIVERS\btkrnl.sys [2004-12-23 1337850]
R3 BTWUSB;WIDCOMM USB Bluetooth Driver; C:\WINDOWS\System32\Drivers\btwusb.sys [2004-12-23 55320]
R3 CAMCAUD;Conexant AMC Audio; C:\WINDOWS\system32\drivers\camc6aud.sys [2005-02-18 38016]
R3 CAMCHALA;CAMCHALA; C:\WINDOWS\system32\drivers\camc6hal.sys [2005-02-18 349696]
R3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2004-12-15 1038208]
R3 HSFHWATI;HSFHWATI; C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2004-12-15 200192]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 RTL8023xp;Realtek 10/100/1000 NIC Family all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys [2005-03-03 74496]
R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2008-04-13 79232]
R3 StillCam;Still Serial Digital Camera Driver; C:\WINDOWS\system32\DRIVERS\serscan.sys [2001-08-17 6784]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2005-02-02 191456]
R3 tifm21;tifm21; C:\WINDOWS\system32\drivers\tifm21.sys [2005-03-16 159488]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2004-12-15 703232]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S3 apjsd7kq;apjsd7kq; C:\WINDOWS\system32\drivers\apjsd7kq.sys []
S3 eabusb;eabusb; \??\C:\WINDOWS\system32\drivers\eabusb.sys []
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2004-03-22 51088]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2004-03-22 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2004-03-22 21744]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ; C:\WINDOWS\system32\DRIVERS\PTDUBus.sys [2008-03-11 29824]
S3 PTDUMdm;PANTECH UM175 Drivers; C:\WINDOWS\system32\DRIVERS\PTDUMdm.sys [2008-03-11 41344]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port; C:\WINDOWS\system32\DRIVERS\PTDUVsp.sys [2008-03-11 39936]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver; C:\WINDOWS\system32\DRIVERS\PTDUWWAN.sys [2008-03-11 59776]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 SMNDIS5;SMNDIS5 NDIS Protocol Driver; \??\C:\PROGRA~1\VERIZO~1\VZACCE~1\SMNDIS5.SYS []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2005-04-11 360448]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 btwdins;Bluetooth Service; C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe [2004-12-23 254007]
R2 gms-mux;Goodmail Multiplexer; C:\pmta\gmsmux\wrapper.exe [2008-04-03 167936]
R2 HPSLPSVC;HP Network Devices Support; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-25 153376]
R2 MSSQL$SQLEXPRESS;SQL Server (SQLEXPRESS); c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-24 29263712]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
R2 PMTA;PowerMTA; C:\pmta\bin\pmtawatch.exe [2008-11-18 761856]
R2 SQLBrowser;SQL Server Browser; c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2008-11-24 239968]
R2 SQLWriter;SQL Server VSS Writer; c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2008-11-24 87904]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
R3 hpqwmi;HP WMI Interface; C:\Program Files\HPQ\shared\hpqwmi.exe [2005-03-04 98304]
S2 windefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 hpqcxs08;hpqcxs08; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 Imapi Helper;Imapi Helper; C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe [2006-01-05 163840]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-01-06 536872]
S3 MsDtsServer100;SQL Server Integration Services 10.0; C:\Program Files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe [2008-07-10 218136]
S3 PortalEmailer;PortalEmailer; C:\Documents and Settings\Owner\My Documents\Visual Studio 2005\Projects\PortalEmailer\PortalEmailer\bin\Debug\PortalEmailer.exe [2009-04-14 32768]
S3 Visual Studio Analyzer RPC bridge;Visual Studio Analyzer RPC bridge; C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe []
S4 MSSQLServerADHelper;SQL Server Active Directory Helper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2008-11-24 45408]
S4 msvsmon80;Visual Studio 2005 Remote Debugger; C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

_nicademas
2009-08-10, 18:16
info.txt logfile of random's system information tool 1.06 2009-08-10 10:20:35

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
32 Bit HP CIO Components Installer-->MsiExec.exe /I{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 6.0.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
ALUpdate-->"C:\Program Files\ESTsoft\ALUpdate\unins000.exe"
ALZip-->"C:\Program Files\ESTsoft\ALZip\unins000.exe"
Apple Mobile Device Support-->MsiExec.exe /I{EC4455AB-F155-4CC1-A4C5-88F3777F9886}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Athlon 64 Processor Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x9
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Bonjour-->MsiExec.exe /I{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}
Broadcom 802.11 Wireless LAN Adapter-->C:\WINDOWS\system32\BCMWLU00.exe verbose /rootkey=Software\Broadcom\802.11\UninstallInfo
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Conexant AC-Link Audio-->C:\Program Files\CONEXANT\CNXT_AUDIO\HXFSETUP.EXE -U -Iqta3091.inf
Data Fax SoftModem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_1002&DEV_4378&SUBSYS_3091103C\HXFSETUP.EXE -U -IVEN_1002&DEV_4378&SUBSYS_3091103C
Dynamsoft SourceAnywhere for VSS 5.3.2 Standard Client-->MsiExec.exe /I{88C5BDC0-99D5-4BA5-90D9-B80CE0A87BC8}
HijackThis 2.0.2-->"C:\Documents and Settings\Owner\My Documents\VIRUS\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946040)-->C:\WINDOWS\system32\msiexec.exe /package {AA4A4B2C-0465-3CF8-BA76-27A027D8ACAB} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946308)-->C:\WINDOWS\system32\msiexec.exe /package {AA4A4B2C-0465-3CF8-BA76-27A027D8ACAB} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946344)-->C:\WINDOWS\system32\msiexec.exe /package {AA4A4B2C-0465-3CF8-BA76-27A027D8ACAB} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947540)-->C:\WINDOWS\system32\msiexec.exe /package {AA4A4B2C-0465-3CF8-BA76-27A027D8ACAB} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947789)-->C:\WINDOWS\system32\msiexec.exe /package {AA4A4B2C-0465-3CF8-BA76-27A027D8ACAB} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Windows XP (KB942288-v3)-->"C:\WINDOWS\$NtUninstallKB942288-v3$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
HP Help and Support-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}\setup.exe" -l0x9 -removeonly
HP Integrated Module with Bluetooth wireless technology-->MsiExec.exe /X{3F4EC965-28EF-45C3-B063-04B25D4E9679}
HP PSC & Officejet 4.2 Corporate Edition-->"C:\Program Files\HP\Digital Imaging\{AC1314E7-D28C-40A1-B322-80D2868D35CE}\setup\hpzscr01.exe" -datfile hposcr04.dat
HP Software Update-->MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
HP Wireless Assistant 1.01 A2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}\setup.exe" -l0x9 hpquninst
Internet Download Manager-->C:\Program Files\Internet Download Manager\Uninstall.exe
InterVideo WinDVD-->"C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
ISO Recorder-->MsiExec.exe /I{DFC6573E-124D-4026-BFA4-B433C9D3FF21}
iTunes-->MsiExec.exe /I{F5C63795-2708-4D15-BF18-5ABBFF7DFFC8}
J2SE Runtime Environment 5.0 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
Java(TM) 6 Update 15-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
JetBrains ReSharper 4.1-->MsiExec.exe /I{D0B1DC23-A171-45D3-A3CA-97E20290D124}
K-Lite Mega Codec Pack 4.4.2-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Device Emulator version 1.0 - ENU-->MsiExec.exe /X{78B75C6D-E53C-424C-BF83-4B63BD4A6682}
Microsoft Device Emulator version 3.0 - ENU-->MsiExec.exe /X{B32E7732-B2FB-3FD0-81AC-6025B1104C66}
Microsoft Document Explorer 2005-->C:\Program Files\Common Files\Microsoft Shared\Help 8\Microsoft Document Explorer 2005\install.exe
Microsoft Document Explorer 2005-->MsiExec.exe /X{44D4AF75-6870-41F5-9181-662EA05507E1}
Microsoft Document Explorer 2008-->C:\Program Files\Common Files\Microsoft Shared\Help 9\Microsoft Document Explorer 2008\install.exe
Microsoft Document Explorer 2008-->MsiExec.exe /X{6753B40C-0FBD-3BED-8A9D-0ACAC2DCD85D}
Microsoft Office 2000 Premium-->MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Office 2003 Web Components-->MsiExec.exe /I{90120000-00A4-0409-0000-0000000FF1CE}
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)-->MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools-->MsiExec.exe /X{1389C6A4-4965-4AEC-9175-08B54A10FA48}
Microsoft SQL Server 2005 Tools Express Edition-->MsiExec.exe /I{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}
Microsoft SQL Server 2005-->"c:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server 2008 Client Tools-->MsiExec.exe /I{4D28EFCF-5999-44D2-8D4E-AC643E76C33F}
Microsoft SQL Server 2008 Client Tools-->MsiExec.exe /I{60D46DEE-5221-47AA-B978-BA25C5D9F560}
Microsoft SQL Server 2008 Common Files-->MsiExec.exe /I{196E77C5-F524-4B50-BD1A-2C21EEE9B8F7}
Microsoft SQL Server 2008 Common Files-->MsiExec.exe /I{4A6F34E2-09E5-4616-B227-4A26A488A6F9}
Microsoft SQL Server 2008 Integration Services-->MsiExec.exe /I{40F34A1C-65A2-4163-98CE-A0D0646CABEF}
Microsoft SQL Server 2008 Integration Services-->MsiExec.exe /I{AEB03FAF-90EB-4B4F-BA32-9C4DDE2C9804}
Microsoft SQL Server 2008 Management Studio-->MsiExec.exe /I{2020045B-8DCF-4449-8D5C-EB5BA37440F1}
Microsoft SQL Server 2008 Management Studio-->MsiExec.exe /I{FA9C3624-C693-4423-8A8B-2BC2B9F607AB}
Microsoft SQL Server 2008 Native Client-->MsiExec.exe /I{D9D937B0-E842-4130-9588-B948E876904A}
Microsoft SQL Server 2008 Policies-->MsiExec.exe /I{01C5A10F-AD9B-405B-853A-6659841A1242}
Microsoft SQL Server 2008 Setup Support Files (English)-->MsiExec.exe /X{9D6D76A6-4328-49E8-97A7-531A74841DA5}
Microsoft SQL Server 2008-->"C:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Release\x86\SetupARP.exe" /x86
Microsoft SQL Server 2008-->"C:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Release\x86\SetupARP.exe" /X86
Microsoft SQL Server Compact 3.5 SP1 English-->MsiExec.exe /I{E59113EB-0285-4BFD-A37A-B79EAC6B8F4B}
Microsoft SQL Server Compact 3.5 SP1 Query Tools English-->MsiExec.exe /I{64CDE8F2-3791-46F5-BAD2-72FFF5252FAB}
Microsoft SQL Server Native Client-->MsiExec.exe /I{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}
Microsoft SQL Server Setup Support Files (English)-->MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer-->MsiExec.exe /I{56B4002F-671C-49F4-984C-C760FE3806B5}
Microsoft Sync Framework Runtime v1.0 (x86)-->MsiExec.exe /I{A8BD5A60-E843-46DC-8271-ABF20756BE0F}
Microsoft Sync Services for ADO.NET v2.0 (x86)-->MsiExec.exe /I{C89B00A2-B72A-4935-96FC-38796E9554EC}
Microsoft Visual J# 2.0 Redistributable Package-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft Visual J# 2.0 Redistributable Package\install.exe
Microsoft Visual SourceSafe 2005 - ENU-->"C:\Program Files\Microsoft Visual SourceSafe\Microsoft Visual SourceSafe 2005 - ENU\setup.exe"
Microsoft Visual Studio 2005 Professional Edition - ENU-->C:\Program Files\Microsoft Visual Studio 8\Microsoft Visual Studio 2005 Professional Edition - ENU\setup.exe
Microsoft Visual Studio 2005 Web Application Projects-->MsiExec.exe /I{D1D2308E-B8E4-41FA-89AC-82F65B9A255A}
Microsoft Visual Studio Tools for Applications 2.0 - ENU-->MsiExec.exe /X{AA4A4B2C-0465-3CF8-BA76-27A027D8ACAB}
Microsoft VM for Java-->RunDll32 advpack.dll,LaunchINFSection java.inf,UnInstall
Microsoft Web Platform Installer-->MsiExec.exe /X{CA544957-00CB-4A5F-9A34-F49662C7DD5F}
Microsoft Web Publishing Wizard 1.53-->RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie3x86.inf,WebPostUninstall
Mozilla Firefox (3.0.13)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
PANTECH UM175 Driver-->C:\Program Files\PANTECH\PANTECH UM175\PTDUUninstall.exe
Power Architect 0.9.12-->"C:\Program Files\Java\jre6\bin\javaw.exe" -jar "C:\Program Files\Power Architect\uninstaller\uninstaller.jar"
PowerMTA 3.5r11-->MsiExec.exe /I{0A249E23-B6D4-4986-A0DA-27766DA0E924}
Quick Launch Buttons 5.10 B2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CEB326EC-8F40-47B2-BA22-BB092565D66F}\setup.exe" -l0x9 -uninst
QuickTime Alternative 2.8.0-->"C:\Program Files\QuickTime Alternative\unins000.exe"
QuickTime-->MsiExec.exe /I{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}
REALTEK Gigabit and Fast Ethernet NIC Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\Setup.exe" -l0x9 REMOVE
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB937060)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {78DD9A0A-4AE1-46D0-B9A6-578EFCA47A3C} /package {437AB8E0-FB69-4222-B280-A64F3DE22591}
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB963027)-->"C:\WINDOWS\$NtUninstallKB963027$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969897)-->"C:\WINDOWS\$NtUninstallKB969897$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972260)-->"C:\WINDOWS\$NtUninstallKB972260$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
SQL Server System CLR Types-->MsiExec.exe /I{342D4AD7-EC4C-4EC8-AEA6-E70F5905A490}
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Texas Instruments PCIxx21/x515 drivers.-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{612DC38A-B36A-4699-88EB-12C7394DE2FC} /l1033
Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB915364)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {C20ED8A3-74AA-4F58-9A2D-7D2AB1BE3E45} /package {437AB8E0-FB69-4222-B280-A64F3DE22591}
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
VLC media player 0.9.8a-->C:\Program Files\VideoLAN\VLC\uninstall.exe
VZAccess Manager-->C:\PROGRA~1\VERIZO~1\VZACCE~1\UNWISE.EXE C:\PROGRA~1\VERIZO~1\VZACCE~1\INSTALL.LOG
Windows Defender-->MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Live OneCare safety scanner-->RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Mobile 5.0 SDK R2 for Pocket PC-->MsiExec.exe /I{6C9F6D23-E9AD-43C9-B43A-011562AAF876}
Windows Mobile 5.0 SDK R2 for Smartphone-->MsiExec.exe /I{9656F3AC-6BA9-43F0-ABED-F214B5DAB27B}
Windows PowerShell(TM) 1.0 MUI pack-->"C:\WINDOWS\$NtUninstallKB926141$\spuninst\spuninst.exe"
Windows PowerShell(TM) 1.0-->"C:\WINDOWS\$NtUninstallKB926139-v2$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe

======System event log======

Computer Name: OWNER-15DEC8D99
Event Code: 3004
Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.

For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409

Scan ID: {91FAC189-2594-472B-8950-D181887FA802}

User: OWNER-15DEC8D99\Owner

Name: Unknown

ID:

Severity: Not Yet Classified

Category: Not Yet Classified

Path Found: file:C:\WINDOWS\tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job;file:C:\Documents and Settings\Owner\Local Settings\Temp\a.exe;taskscheduler:C:\WINDOWS\tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job

Alert Type: Unclassified software

Detection Type:

Record Number: 5
Source Name: WinDefend
Time Written: 20090806165513.000000-300
Event Type: warning
User:

Computer Name: OWNER-15DEC8D99
Event Code: 3004
Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.

For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409

Scan ID: {5A63BCF8-3949-47DB-AD0F-8DA1D12F6839}

User: OWNER-15DEC8D99\Owner

Name: Unknown

ID:

Severity: Not Yet Classified

Category: Not Yet Classified

Path Found: service:{79007602-0cdb-4405-9dbf-1257bb3226ed}

Alert Type: Unclassified software

Detection Type:

Record Number: 4
Source Name: WinDefend
Time Written: 20090806165503.000000-300
Event Type: warning
User:

Computer Name: OWNER-15DEC8D99
Event Code: 3004
Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.

For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409

Scan ID: {99EFD26E-A360-4C8D-93BE-CBA1E495E506}

User: OWNER-15DEC8D99\Owner

Name: Unknown

ID:

Severity: Not Yet Classified

Category: Not Yet Classified

Path Found: driver:{79007602-0cdb-4405-9dbf-1257bb3226ed}

Alert Type: Unclassified software

Detection Type:

Record Number: 3
Source Name: WinDefend
Time Written: 20090806165503.000000-300
Event Type: warning
User:

Computer Name: OWNER-15DEC8D99
Event Code: 3004
Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.

For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409

Scan ID: {BC9800A4-326A-44FA-A021-7564581CBC08}

User: OWNER-15DEC8D99\Owner

Name: Unknown

ID:

Severity: Not Yet Classified

Category: Not Yet Classified

Path Found: driver:{79007602-0cdb-4405-9dbf-1257bb3226ee}

Alert Type: Unclassified software

Detection Type:

Record Number: 2
Source Name: WinDefend
Time Written: 20090806165503.000000-300
Event Type: warning
User:

Computer Name: OWNER-15DEC8D99
Event Code: 3004
Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.

For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409

Scan ID: {16D2CC0B-1EBD-4C77-8356-8D42ACE3659C}

User: OWNER-15DEC8D99\Owner

Name: Unknown

ID:

Severity: Not Yet Classified

Category: Not Yet Classified

Path Found: service:{79007602-0cdb-4405-9dbf-1257bb3226ee}

Alert Type: Unclassified software

Detection Type:

Record Number: 1
Source Name: WinDefend
Time Written: 20090806165503.000000-300
Event Type: warning
User:

=====Application event log=====



======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Microsoft SQL Server\80\Tools\Binn;C:\Program Files\Microsoft SQL Server\90\DTS\Binn;C:\Program Files\Microsoft SQL Server\90\Tools\binn;C:\Program Files\Microsoft SQL Server\90\Tools\Binn\VSShell\Common7\IDE;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies;C:\Program Files\QuickTime Alternative\QTSystem;C:\Program Files\ESTsoft\ALZip;c:\Program Files\Microsoft SQL Server\90\Tools\binn;C:\Program Files\Microsoft SQL Server\100\DTS\Binn;C:\Program Files\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE;C:\Program Files\Microsoft SQL Server\100\Tools\Binn;C:\WINDOWS\system32\WindowsPowerShell\v1.0
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 36 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=2402
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.PSC1
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"VS80COMNTOOLS"=C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\

-----------------EOF-----------------

katana
2009-08-10, 19:57
but I could not get Kaspersky online scan to run. I don't think it was because of this infection, however. I kept getting a key expired error.
In IE it wouldn't launch the applet at all, so I downloaded the latest version of Java (6.15) and was able to launch, but got the same key error.

A lot of people have been getting that error lately ???

Try this one instead


Active Scan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Please go to this site Link >> ActiveScan (http://www.pandasecurity.com/activescan/index/) << LINK

Click the Scan Now button
Follow the prompts to install the Active X if necessary
Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
When the scan is finished, a report will be generated
Next to Scan Details click the small export to notepad button and save the report to your desktop.
Please post the report in your reply.

---------------------------------------------------------------------------------------------------
Additional Notes

Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Adobe Reader is a large program and uses unnecessary space.
If you prefer a smaller program you can get Foxit 3.0 from http://www.foxitsoftware.com/pdf/rd_intro.php << Recommended

There is a newer version of Adobe Acrobat Reader available.

Please go to this link Adobe Acrobat Reader Download Link (http://www.adobe.com/products/acrobat/readstep2.html)
Click Download
On the right Untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
Click the Continue button
Click Run, and click Run again
Next click the Install Now button and follow the on screen prompts
Remove Programs

Older versions of some programs have vulnerabilities that malware can use to infect your system.

Now click Start---Control Panel. Double click Add or Remove Programs.
If any of the following programs are still listed there, click on the program to highlight it, and click on remove.

Adobe Reader 6.0.1
J2SE Runtime Environment 5.0 Update 2
Now close the Control Panel.

_nicademas
2009-08-11, 02:05
Hi Katana.

All done. And the ActiveScan completed - although you were right, it took forever! Here is the log:

Thanks !!!!

;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-08-10 18:59:15
PROTECTIONS: 1
MALWARE: 12
SUSPECTS: 1
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Windows Defender 1.1.2204.0 No No
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00590315 Rootkit/Agent.LNB HackTools No 0 Yes No C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP199\A0028358.sys
01471582 Adware/MalwareAlarm Adware No 1 Yes No C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP191\A0026845.exe
01491711 W32/Waledac.BK.worm Virus/Worm No 0 Yes No C:\pmta\Xfrs\dst\01c9eeafa56b9b30.msg[UPSFILE_NR67721912.zip][UPSFILE_NR67721912.exe]
01675833 Trj/SMSlock.C Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP199\A0028364.exe
02106838 Trj/Banbra.GIY Virus/Trojan No 1 Yes No C:\Documents and Settings\Owner\My Documents\Downloads\Compressed\avenger_2.zip[avenger.exe]
02106838 Trj/Banbra.GIY Virus/Trojan No 1 Yes No C:\Documents and Settings\Owner\My Documents\Downloads\Compressed\avenger.zip[avenger.exe]
02106838 Trj/Banbra.GIY Virus/Trojan No 1 Yes No C:\Documents and Settings\Owner\Desktop\avenger.exe
02459278 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\WINDOWS\system32\tapi.nfo
02460067 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP199\A0028362.dll
02466615 Adware/AntivirusSystemPro Adware No 0 Yes No C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP191\A0026844.exe
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP199\A0028473.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP201\A0028753.sys
02980348 W32/Tearec.A.worm!CME-24 Virus/Worm No 1 Yes No C:\pmta\Xfrs\rz\01c9ee3db6618a52.msg[document.pif]
03042750 Bck/Bandok.BT Virus/Trojan No 1 Yes No C:\pmta\Xfrs\rz\01c9eea7c3f620aa.msg[postcard.zip][postcard.txt .scr]
03042750 Bck/Bandok.BT Virus/Trojan No 1 Yes No C:\pmta\Xfrs\rz\01c9eea585cf7530.msg[postcard.zip][postcard.htm .scr]
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP198\A0027976.sys
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP197\A0027605.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP197\A0027407.exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP198\A0027689.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP198\A0027688.exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP193\A0026955.exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP198\A0027855.exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP197\A0027534.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location i
;===================================================================================================================================================================================
No C:\WINDOWS\system32\jdbgmgr.exe i
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description i
;===================================================================================================================================================================================
;===================================================================================================================================================================================

katana
2009-08-11, 11:37
Right, it looks like you have some infected e-mails there.
I'm not sure if they are inbox or outbox or where; I'm not familiar with that client.


C:\pmta\Xfrs\dst\01c9eeafa56b9b30.msg[UPSFILE_NR67721912.exe]
C:\pmta\Xfrs\rz\01c9ee3db6618a52.msg[document.pif]
C:\pmta\Xfrs\rz\01c9eea7c3f620aa.msg[postcard.zip][postcard.txt .scr]
C:\pmta\Xfrs\rz\01c9eea585cf7530.msg[postcard.zip][postcard.htm .scr]

Let's check that other file; it shouldn't be being flagged.

Submit a File For Analysis
We need to have the files below scanned by uploading them/it to Virus Total

Please visit Virustotal (http://www.virustotal.com/en/indexf.html)
Copy/paste the following file path into the window
C:\WINDOWS\system32\jdbgmgr.exe
Click Submit/Send File

When the scan has finished, you can copy the URL from the browser address window and paste it in your reply.

If Virustotal is too busy please try Jotti (http://virusscan.jotti.org/)

_nicademas
2009-08-11, 14:07
I deleted the email msgs.

Here is the link:
http://www.virustotal.com/analisis/5b8646a0c79132250827f3443a6f9620839e9774ce76ec6b674acee23f3039d7-1247394400

katana
2009-08-11, 14:21
Hmmm, let's have a closer look at that file, and then see if we can find a replacement.



Upload a File
Download suspicious file packer from here (http://www.safer-networking.org/files/sfp.zip)

Unzip it to desktop, open it & paste in the list of files below, press next & it will create an archive (zip/cab file) on desktop

C:\WINDOWS\system32\jdbgmgr.exe

Go to spykiller (http://thespykiller.co.uk/index.php?board=1.0)

Please start a new thread Titled File/s for Katana and give the following information
Name:-- Your name
E-mail:-- Your E-mail (this is confidential and will not be displayed)
Subject:-- File for Katana

In the main text window please put the following link

http://forums.spybot.info/showthread.php?p=327836#post327836
you may also add any comments you wish
then press attach and upload the zip/cab file that was created.

Files can be uploaded by anybody but not downloaded at all except for those users that have been given special permissions.
You DO NOT need to be a member to upload, anybody can upload the files

You can now delete SFP (exe and Zip) along with the .cab file that was created


----------------------------------------------------------------------------------------
Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:

:dir
c:\Program Files\Windows Antivirus Pro
c:\windows\system32\images
c:\Program Files\creytd
:file
C:\WINDOWS\system32\jdbgmgr.exe
:reg
HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop /s
:filefind
jdbgmgr.exe
:comment

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

_nicademas
2009-08-11, 15:02
Hi Katana.
Below is the log. Just an fyi, I had the real-time debugger launch a couple times this morning, which concerned me. As such I ran Spybot S&D just to check if something new had started running on the sys. It found the remnants of Windows AntiVirus Pro. The directory and two reg keys. I went ahead and let SS&D remove those items.

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 07:51 on 11/08/2009 by Owner (Administrator - Elevation successful)

========== dir ==========

c:\Program Files\Windows Antivirus Pro - Unable to find folder.

c:\windows\system32\images - Parameters: "(none)"

---Files---
i1.gif --a--- 1744 bytes [23:27 03/08/2009] [22:17 21/11/2008]
i2.gif --a--- 1663 bytes [23:27 03/08/2009] [22:17 21/11/2008]
i3.gif --a--- 1689 bytes [23:27 03/08/2009] [22:17 21/11/2008]
j1.gif --a--- 3957 bytes [23:27 03/08/2009] [22:12 21/11/2008]
j2.gif --a--- 47 bytes [23:27 03/08/2009] [22:12 21/11/2008]
j3.gif --a--- 3857 bytes [23:27 03/08/2009] [23:33 27/11/2008]
jj1.gif --a--- 114 bytes [23:27 03/08/2009] [22:14 21/11/2008]
jj2.gif --a--- 48 bytes [23:27 03/08/2009] [22:14 21/11/2008]
jj3.gif --a--- 105 bytes [23:27 03/08/2009] [22:40 21/11/2008]
l1.gif --a--- 3749 bytes [23:27 03/08/2009] [21:39 21/11/2008]
l2.gif --a--- 92 bytes [23:27 03/08/2009] [21:39 21/11/2008]
l3.gif --a--- 468 bytes [23:27 03/08/2009] [21:40 21/11/2008]
pix.gif --a--- 70 bytes [23:27 03/08/2009] [22:44 21/11/2008]
t1.gif --a--- 621 bytes [23:27 03/08/2009] [21:47 21/11/2008]
t2.gif --a--- 1015 bytes [23:27 03/08/2009] [22:17 21/11/2008]
up1.gif --a--- 5568 bytes [23:27 03/08/2009] [21:28 21/11/2008]
up2.gif --a--- 696 bytes [23:27 03/08/2009] [21:29 21/11/2008]
w1.gif --a--- 3028 bytes [23:27 03/08/2009] [21:56 21/11/2008]
w11.gif --a--- 3431 bytes [23:27 03/08/2009] [22:08 21/11/2008]
w2.gif --a--- 47 bytes [23:27 03/08/2009] [21:56 21/11/2008]
w3.gif --a--- 3430 bytes [23:27 03/08/2009] [23:30 27/11/2008]
w3.jpg --a--- 1912 bytes [23:27 03/08/2009] [23:34 27/11/2008]
wt1.gif --a--- 176 bytes [23:27 03/08/2009] [21:57 21/11/2008]
wt2.gif --a--- 51 bytes [23:27 03/08/2009] [21:57 21/11/2008]
wt3.gif --a--- 119 bytes [23:27 03/08/2009] [21:57 21/11/2008]

---Folders---
None found.

c:\Program Files\creytd - Parameters: "(none)"

---Files---
None found.

---Folders---
None found.

========== file ==========

C:\WINDOWS\system32\jdbgmgr.exe - File found and opened.
MD5: 9A717FC17EA205785094CAA96C30945C
Created at 06:24 on 24/01/2009
Modified at 18:29 on 02/06/1998
Size: 14848 bytes
Attributes: --a---
FileDescription: Microsoft® Debugger Registrar for Java
FileVersion: 5.00.2752
ProductVersion: 5.00.2752
OriginalFilename: JDBGMGR.EXE
InternalName: JDbgMgr
ProductName: Microsoft® Windows® Operating System
CompanyName: Microsoft Corporation
LegalCopyright: Copyright © Microsoft Corp. 1996-1998

========== reg ==========

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop]
(No values found)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\Components]
"DeskHtmlMinorVersion"= 0x0000000005 (5)
"DeskHtmlVersion"= 0x0000000110 (272)
"GeneralFlags"= 0000000000 (0)
"Settings"= 0x0000000001 (1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\Components\0]
"CurrentState"=02 00 00 40 (REG_BINARY)
"Flags"= 0x0000002000 (8192)
"FriendlyName"="tets"
"OriginalStateInfo"=18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 (REG_BINARY)
"Position"=2c 00 00 00 00 00 00 00 00 00 00 00 00 05 00 00 de 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 (REG_BINARY)
"RestoredStateInfo"=18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 (REG_BINARY)
"Source"="C:\WINDOWS\system32\onhelp.htm"
"SubscribedURL"="C:\WINDOWS\system32\onhelp.htm"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\General]
"BackupWallpaper"=""
"ComponentsPositioned"= 0x0000000001 (1)
"TileWallpaper"="0"
"Wallpaper"=""
"WallpaperFileTime"=00 00 00 00 00 00 00 00 (REG_BINARY)
"WallpaperLocalFileTime"=00 f8 29 17 d6 ff ff ff (REG_BINARY)
"WallpaperStyle"="2"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\Old WorkAreas]
"NoOfOldWorkAreas"= 0x0000000001 (1)
"OldWorkAreaRects"=00 00 00 00 00 00 00 00 00 05 00 00 de 02 00 00 (REG_BINARY)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\SafeMode]
(No values found)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\SafeMode\Components]
"DeskHtmlVersion"= 0000000000 (0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\SafeMode\General]
"VisitGallery"= 0000000000 (0)
"Wallpaper"="%SystemRoot%\Web\SafeMode.htt"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\Scheme]
"Display"=""
"Edit"=""


========== filefind ==========

Searching for "jdbgmgr.exe "
No files found.

-=End Of File=-

katana
2009-08-11, 15:19
========== file ==========

C:\WINDOWS\system32\jdbgmgr.exe - File found and opened.
========== filefind ==========

Searching for "jdbgmgr.exe "
No files found.


Now that doesn't make any sense?

How can it not find the file if it has already opened it once?????

Let me have a think, I'll be back shortly :bigthumb:
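One plausible reading of the mismatch above is visible in the log itself: the filefind line prints the search string as "jdbgmgr.exe " with a trailing space, so a name match done verbatim would never hit the file that a direct path open just succeeded on. That is my assumption, not something the thread confirms. The script below is an added example, not code from the thread or from SystemLook; it rebuilds both checks over a constructed directory tree to show the effect.

```python
import hashlib
import os
import tempfile


def file_info(path):
    """Rough equivalent of SystemLook's :file section: open the exact path
    and report its size and MD5 (hash is uppercased to match the log style)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "path": path,
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
    }


def filefind(root, name, normalize=False):
    """Rough equivalent of :filefind: walk the tree under root and return
    every file whose basename equals name (case-insensitive, as on Windows).

    With normalize=False the query is used exactly as supplied, so a
    trailing space in the script line ("jdbgmgr.exe ") matches nothing.
    With normalize=True surrounding whitespace is stripped first.
    """
    query = (name.strip() if normalize else name).lower()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() == query:
                hits.append(os.path.join(dirpath, fname))
    return hits


def build_fixture():
    """Constructed sample tree standing in for C:\\WINDOWS\\system32.
    The file content is made up; only the size (14848 bytes) mirrors the log."""
    root = tempfile.mkdtemp(prefix="systemlook_demo_")
    sys32 = os.path.join(root, "WINDOWS", "system32")
    os.makedirs(sys32)
    target = os.path.join(sys32, "jdbgmgr.exe")
    with open(target, "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 14846)  # fake PE header + padding
    return root, target


def demo():
    """Run both checks: direct open succeeds, verbatim search with the
    trailing space fails, normalized search finds the same file."""
    root, target = build_fixture()
    info = file_info(target)
    raw_hits = filefind(root, "jdbgmgr.exe ")                  # as printed in the log
    clean_hits = filefind(root, "jdbgmgr.exe ", normalize=True)
    return info, raw_hits, clean_hits


if __name__ == "__main__":
    info, raw_hits, clean_hits = demo()
    print("file:", info["size"], "bytes, MD5", info["md5"])
    print("filefind verbatim :", raw_hits)
    print("filefind stripped :", clean_hits)
```

The practical takeaway for reading such logs is that a quoted search string with odd spacing inside the quotes is worth checking before assuming the file vanished between two steps.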

katana
2009-08-11, 15:29
----------------------------------------------------------------------------------------
Step 1


OTMoveIt
Please download OTM by OldTimer (http://oldtimer.geekstogo.com/OTM.exe) and save it to your desktop

Double-click OTM.exe to run it.
Copy the lines in the codebox below. ( Make sure you include :Processes )



:Processes
:Reg
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\Components]
:Files
C:\WINDOWS\system32\onhelp.htm
c:\windows\system32\images
c:\Program Files\creytd
:Commands
[Purity]
[EmptyTemp]



Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.


- Close ALL open windows (especially Internet Explorer!)-
Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTM


If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


----------------------------------------------------------------------------------------
Step 2


Download and Run Registry Search
Download (LINK >>>) Registry Search (http://www.xs4all.nl/~fstaal01/downloads/regsearch.zip) (<<< LINK) to your desktop.

Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
Open the new folder, and double click on regsearch.exe
In the top window copy/paste the following line
jdbgmgr
Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
Please save the text file at your desktop and call it found-entries.

Paste the results in your reply

----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large; you may need to split them over a couple of replies.

OTMoveIt Log
RegSearch Log
A fresh HJT log (C:\Program Files\trend micro\Owner.exe)

_nicademas
2009-08-11, 15:53
Logs as requested:

All processes killed
========== PROCESSES ==========
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\Components\ deleted successfully.
========== FILES ==========
C:\WINDOWS\system32\onhelp.htm moved successfully.
c:\windows\system32\images moved successfully.
c:\Program Files\creytd moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Owner
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 98438 bytes
->Java cache emptied: 13681514 bytes
->FireFox cache emptied: 36879139 bytes
->Google Chrome cache emptied: 5928795 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 5310 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 54.00 mb


OTM by OldTimer - Version 3.0.0.6 log created on 08112009_083623

Files moved on Reboot...

Registry entries deleted on Reboot...

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.6.0

; Results at 8/11/2009 8:43:33 AM for strings:
; 'jdbgmgr
* jdbgmgr
jdbgmgr'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:28 AM, on 8/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\pmta\gmsmux\wrapper.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\pmta\jre\bin\java.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\Program Files\trend micro\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_15.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_15.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229973284213
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Visual Studio Analyzer RPC bridge - Unknown owner - C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe (file missing)

--
End of file

katana
2009-08-11, 16:58
After a bit more research, you don't actually need the jdbgmgr.exe file unless you develop Java programs.



OTMoveIt


Double-click OTM.exe to run it.
Copy the lines in the codebox below. ( Make sure you include :Processes )



:Processes
:Files
C:\WINDOWS\system32\jdbgmgr.exe
:Commands


Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.


- Close ALL open windows (especially Internet Explorer!)-
Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTM


If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



How are things running now, any problems still ?

katana
2009-08-16, 16:21
Due to inactivity, this thread will now be closed.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.