Nasty infestation. No Anti Virus will run. (Inactive)

Hi Katana.

No dice on the rename. I ran the command then tried to run ComboFix as Winlogon.exe and it launched, the status bars completed and then it died, like before.

I do have an operating system (already installed on your computer)/reinstallation cd for windows xp prof sp 2. It says it is for a Dell, my laptop is an hp. It says only reinstall on a Dell. I don't know where this operating system cd is, I moved and apparently lost it. Can I use the Dell OS cd to install the Recovery Console? BTW, I am using XP Prof, sp3 at present on this Laptop.

Any other way to get the Recovery Console?

Thanks for the continued support!
 
We need to look for a file called scecli.dll

I'll give instructions for using a tool, but if that doesn't run you will have to try Windows Search.
(don't delete it, just find all the copies of it)

Edit --- SystemLook should work

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    scecli.dll
    winnt32.exe
    :comment
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
Hello.

Here is the search log:


SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 11:30 on 09/08/2009 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\WINDOWS\$NtServicePackUninstall$\scecli.dll -----c 180224 bytes [19:31 22/12/2008] [12:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\ServicePackFiles\i386\scecli.dll ------ 181248 bytes [00:12 14/04/2008] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\scecli.dll --a--- 60928 bytes [12:00 04/08/2004] [00:12 14/04/2008] (Unable to calculate MD5)

Searching for "winnt32.exe"
No files found.

-=End Of File=-


Thanks again!!
 
----------------------------------------------------------------------------------------
Step 1

Delete any copy of Combofix that you have.

Download a fresh copy .... > ComboFix.exe
Download a fresh copy of MalwareBytes setup .... > Malwarebytes' Anti-Malware
Don't run them yet, they are for later.


----------------------------------------------------------------------------------------
Step 2

Avenger

Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.
  1. Please download The Avenger2 by SwanDog46.
  2. Unzip avenger.exe to your desktop.
  3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
    Code:
    Files to move:
    C:\WINDOWS\$NtServicePackUninstall$\scecli.dll|C:\Windows\System32\Scecli.dll
  4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
  5. Read the prompt that appears, and press OK.
  6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  7. Press the "Execute" button.
  8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

----------------------------------------------------------------------------------------
Step 4

Now run Combofix followed by installing/running the new MalwareBytes.
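The SystemLook search above turned up three copies of scecli.dll, and the Avenger step replaces the one in System32 with the backup from $NtServicePackUninstall$. The script below is an added example (not part of this thread, not SystemLook's or Avenger's own code) that shows the reasoning a helper applies to such a listing: it parses the :filefind output (format assumed from the log posted above; the sample is constructed from those lines), then marks a copy as suspect when its hash could not be read (the file is locked or hidden) or when its size is far off the other copies. On the posted log the System32 copy is flagged for both reasons, while the two servicing copies remain as candidate references.

```python
"""Triage the copies of one system DLL reported by a SystemLook :filefind scan.

Added example, not part of the thread or of SystemLook itself. The hit-line
format is assumed from the log posted above; the sample is constructed from it.
"""
import re

# Constructed sample: the filefind section of the SystemLook log posted in the thread.
SAMPLE_LOG = r"""
SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 11:30 on 09/08/2009 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\WINDOWS\$NtServicePackUninstall$\scecli.dll -----c 180224 bytes [19:31 22/12/2008] [12:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\ServicePackFiles\i386\scecli.dll ------ 181248 bytes [00:12 14/04/2008] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\scecli.dll --a--- 60928 bytes [12:00 04/08/2004] [00:12 14/04/2008] (Unable to calculate MD5)

Searching for "winnt32.exe"
No files found.

-=End Of File=-
"""

# One hit line: path, six attribute flags, size, two bracketed timestamps, then
# either a 32-hex-digit MD5 or SystemLook's "(Unable to calculate MD5)" marker.
HIT_RE = re.compile(
    r'^(?P<path>.+?) (?P<attrs>[-A-Za-z]{6}) (?P<size>\d+) bytes '
    r'\[(?P<stamp1>[^\]]+)\] \[(?P<stamp2>[^\]]+)\] '
    r'(?P<md5>[0-9A-Fa-f]{32}|\(Unable to calculate MD5\))$'
)
SEARCH_RE = re.compile(r'^Searching for "(?P<name>.+)"$')


def parse_filefind(text):
    """Return {searched name: [hit dict, ...]}; md5 is None when the file could not be read."""
    hits = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name")
            hits[current] = []
            continue
        if current is None or not line:
            continue
        h = HIT_RE.match(line)
        if h:
            entry = h.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = None if entry["md5"].startswith("(") else entry["md5"].upper()
            hits[current].append(entry)
    return hits


def triage(hits, size_tolerance=0.10):
    """Split each file's copies into suspects (with reasons) and reference copies.

    A copy is suspect if its hash could not be read (locked or hidden file) or if
    its size deviates from the largest hashable copy by more than the tolerance.
    """
    verdicts = {}
    for name, copies in hits.items():
        hashable = [c for c in copies if c["md5"] is not None]
        ref_size = max(c["size"] for c in hashable) if hashable else None
        suspects, references = [], []
        for c in copies:
            reasons = []
            if c["md5"] is None:
                reasons.append("hash could not be read (file locked or hidden)")
            if ref_size is not None and abs(c["size"] - ref_size) > size_tolerance * ref_size:
                reasons.append(f"size {c['size']} differs from reference size {ref_size} "
                               f"by more than {int(size_tolerance * 100)}%")
            if reasons:
                suspects.append((c["path"], reasons))
            else:
                references.append(c["path"])
        verdicts[name] = {"suspect": suspects, "reference": references}
    return verdicts


if __name__ == "__main__":
    for name, verdict in triage(parse_filefind(SAMPLE_LOG)).items():
        print(name)
        for path, reasons in verdict["suspect"]:
            print("  SUSPECT  ", path, "->", "; ".join(reasons))
        for path in verdict["reference"]:
            print("  reference", path)
```

The size tolerance is deliberately loose: the two servicing copies differ by about a kilobyte because one is the SP2 file and the other the SP3 file, and both are legitimate. A copy that is a third of the size of its siblings and that the scanner cannot even hash is the outlier a helper acts on, which is exactly what the Avenger move does.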
 
Hey Katana.

Now we're cooking with gas. Thanks so much for that !!!! Please let me know where to go from here.

I was able to run Avenger, ComboFix, and then MalwareBytes. Here are the logs in that order:


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\WINDOWS\$NtServicePackUninstall$\scecli.dll|C:\Windows\System32\Scecli.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

================================================
ComboFix Log:

ComboFix 09-08-09.03 - Owner 08/09/2009 21:27.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1466 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\98801556.ini
c:\documents and settings\Owner\Application Data\wiaserva.log
c:\windows\Installer\189f1.msi
c:\windows\system32\mdm.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-07-10 to 2009-08-10 )))))))))))))))))))))))))))))))
.

2009-08-08 16:18 . 2009-08-08 16:18 -------- d-----w- c:\program files\trend micro
2009-08-08 16:18 . 2009-08-08 16:18 -------- d-----w- C:\rsit
2009-08-08 13:52 . 2009-08-08 13:52 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-08-06 23:43 . 2009-08-06 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-06 23:08 . 2009-08-07 22:31 -------- d-----w- c:\program files\Windows Defender(2)
2009-08-04 20:47 . 2009-08-04 20:48 -------- d-----w- c:\program files\Windows Antivirus Pro
2009-08-03 23:27 . 2008-11-27 23:47 -------- d---a-w- c:\windows\system32\images
2009-08-03 22:51 . 2009-08-03 23:45 4 ----a-w- c:\windows\system32\bincd32.dat
2009-08-03 22:37 . 2009-08-04 00:37 -------- d-----w- c:\program files\creytd
2009-07-30 17:35 . 2009-07-31 05:40 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp
2009-07-30 17:34 . 2009-07-30 17:35 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Google
2009-07-30 17:34 . 2009-07-30 17:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Deployment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-10 02:40 . 2009-08-07 23:41 5310 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-08-09 04:11 . 2008-12-23 22:56 -------- d-----w- c:\documents and settings\Owner\Application Data\DMCache
2009-08-08 00:31 . 2009-04-01 04:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-07 22:32 . 2009-04-01 04:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-07 22:31 . 2009-08-07 22:31 -------- d-----w- c:\program files\Windows Defender
2009-08-07 22:31 . 2009-08-07 01:14 -------- d-----w- c:\program files\Registrar Lite
2009-08-07 22:31 . 2008-12-22 20:45 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-07 22:31 . 2009-08-07 16:30 -------- d-----w- c:\program files\ERUNT
2009-08-07 04:03 . 2009-02-03 05:20 -------- d-----w- c:\program files\Bonjour
2009-06-18 12:56 . 2009-06-18 12:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-14 13:23 . 2009-05-14 13:23 111160 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="c:\program files\Ares\Ares.exe" [2008-12-17 887808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 339968]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 794624]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-12-23 569405]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\windows\system32\onhelp.htm
FriendlyName= tets

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\windefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Microsoft SQL Server\\90\\Shared\\SqlSAC.exe"=
"c:\\Program Files\\Microsoft Visual Studio 8\\Common7\\IDE\\devenv.exe"=

R2 gms-mux;Goodmail Multiplexer;c:\pmta\gmsmux\wrapper.exe -s "c:\pmta\gmsmux\config\wrapper.conf" --> c:\pmta\gmsmux\wrapper.exe -s c:\pmta\gmsmux\config\wrapper.conf [?]
R2 PMTA;PowerMTA;c:\pmta\bin\pmtawatch.exe [11/18/2008 11:29 PM 761856]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [12/22/2008 1:20 PM 200192]
S1 aba3d60a;aba3d60a;c:\windows\system32\drivers\aba3d60a.sys --> c:\windows\system32\drivers\aba3d60a.sys [?]
S2 windefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
S3 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe [7/10/2008 1:22 AM 218136]
S3 PortalEmailer;PortalEmailer;c:\documents and settings\Owner\My Documents\Visual Studio 2005\Projects\PortalEmailer\PortalEmailer\bin\Debug\PortalEmailer.exe [4/13/2009 9:04 PM 32768]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [1/29/2009 12:12 PM 29824]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [1/29/2009 12:12 PM 41344]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [1/29/2009 12:12 PM 39936]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [1/29/2009 12:12 PM 59776]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder

2009-08-10 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.daemon-search.com/startpage
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\snfz6iz3.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\documents and settings\Owner\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-09 21:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????1?4?0?5??????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{68dfd01c-5335-451f-9db8-dcde4b93fef7}]
@Denied: (Full) (Everyone)
"Model"=dword:00000079
"Therad"=dword:0000001a
"MData"=hex(0):30,61,3c,66,a3,eb,ea,4b,5e,e9,80,4a,38,68,68,50,7b,7d,ce,43,86,
ef,e0,3d,3b,8a,0a,32,11,89,01,b5,8b,50,c3,71,c8,b6,78,97,c1,28,e6,e3,95,8e,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):3f,3e,d0,15,73,f2,c2,65,b9,bc,55,6c,d5,de,f4,5a,5e,1c,48,cf,a7,
b0,6b,38,27,3b,f3,4d,a6,38,a5,51,8f,1e,35,42,4d,3f,aa,0e,00,00,00,00,00,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4008)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\pmta\gmsmux\wrapper.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\pmta\jre\bin\java.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\pmta\bin\pmtad.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wdfmgr.exe
c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
c:\windows\system32\wscntfy.exe
c:\program files\HPQ\shared\hpqwmi.exe
.
**************************************************************************
.
Completion time: 2009-08-10 21:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-10 02:45

Pre-Run: 7,437,271,040 bytes free
Post-Run: 7,284,998,144 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

188 --- E O F --- 2009-06-10 13:56

================================================
MalwareBytes Log:

Malwarebytes' Anti-Malware 1.40
Database version: 2589
Windows 5.1.2600 Service Pack 3

8/9/2009 9:53:00 PM
mbam-log-2009-08-09 (21-53-00).txt

Scan type: Full Scan (C:\|)
Objects scanned: 23807
Time elapsed: 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{e24211b3-a78a-c6a9-d317-70979ace5058} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Looking good :)
A big thanks to all the Guys and Gals that are working in the background to analyse this dross.
Without them we would still be struggling.

Information

ares

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

List programs here

Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected.
The bad guys use P2P filesharing as a major conduit to spread their wares.

Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) NOW.


----------------------------------------------------------------------------------------
Step 1

Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    c:\windows\system32\bincd32.dat
    Dir::
    c:\Program Files\Windows Antivirus Pro
    c:\windows\system32\images
    c:\Program Files\creytd
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ares"=-
    [-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Ares\\Ares.exe"=-
    Driver::
    aba3d60a
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{68dfd01c-5335-451f-9db8-dcde4b93fef7}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
    ADS::
  • Save this as CFScript.txt and place it on your desktop.


    [Screenshot: CFScriptb.gif]


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper



----------------------------------------------------------------------------------------
Step 2

Kaspersky Online Scanner.
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
NOTE:- This scan is best done from IE (Internet Explorer)

NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


----------------------------------------------------------------------------------------
Step 3

Download and Run RSIT
  • Please download Random's System Information Tool by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.
  • Please post the contents of both log.txt and info.txt.
    ( They can also be found in the C:\RSIT folder )


----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large. You may need to split them over a couple of replies.
  • Combofix Log
  • Kaspersky Log
  • RSIT Logs
  • How are things running now ?
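The CFScript in Step 1 is built by reading the ComboFix log posted earlier: the Driver:: entry targets the service whose .sys file ComboFix marked [?] (missing) under a random-looking eight-hex-character name, the RegLock:: entries are the two CLSID keys listed under LOCKED REGISTRY KEYS with @Denied, and the firewall entry for Ares is dropped along with the P2P client. The script below is an added example (not part of this thread and not ComboFix's code) that pulls those indicators out of a ComboFix log automatically; the log layout is assumed from the excerpt above and the sample is constructed from its lines. It reports rather than removes: every firewall exception is listed for review because the same list also holds HP and SQL Server tools the user installed, and only a person reading it decides which entry does not belong.

```python
"""Extract the indicators that drive a CFScript from a ComboFix log.

Added example, not part of the thread and not ComboFix's own code. The log
layout (bracketed key headers, "name"= value lines, service lines ending in
[?] when the binary is missing, @Denied lines under locked keys) is assumed
from the excerpt posted above; the sample below is constructed from it.
"""
import re

SAMPLE_COMBOFIX = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=

R2 PMTA;PowerMTA;c:\pmta\bin\pmtawatch.exe [11/18/2008 11:29 PM 761856]
S1 aba3d60a;aba3d60a;c:\windows\system32\drivers\aba3d60a.sys --> c:\windows\system32\drivers\aba3d60a.sys [?]
S2 windefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{68dfd01c-5335-451f-9db8-dcde4b93fef7}]
@Denied: (Full) (Everyone)
"Model"=dword:00000079

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"""

# "R2 name;display name;image path [details]" as ComboFix prints services and drivers.
SERVICE_RE = re.compile(r'^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*)$')
# Service names made of eight hex digits, like the one the helper removed.
RANDOM_NAME_RE = re.compile(r'^[0-9a-f]{8}$')


def extract_indicators(text):
    report = {
        "firewall_enabled": None,        # None if the log has no EnableFirewall line
        "authorized_apps": [],           # firewall exceptions, doubled backslashes undone
        "missing_service_binaries": [],  # services/drivers whose image ComboFix marked [?]
        "locked_keys": [],               # keys ComboFix reports as access-denied
    }
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        key = (current_key or "").lower()
        if line.startswith('"EnableFirewall"=') and "firewallpolicy\\standardprofile" in key:
            value = int(line.split("=", 1)[1].split()[0])
            report["firewall_enabled"] = value != 0
        elif key.endswith("authorizedapplications\\list") and line.startswith('"') and line.endswith('"='):
            report["authorized_apps"].append(line[1:-2].replace("\\\\", "\\"))
        elif line.startswith("@Denied:") and current_key:
            report["locked_keys"].append(current_key)
        else:
            m = SERVICE_RE.match(line)
            if m and m.group("image").rstrip().endswith("[?]"):
                name = m.group("name")
                report["missing_service_binaries"].append({
                    "start": m.group("start"),
                    "name": name,
                    "image": m.group("image"),
                    "random_name": bool(RANDOM_NAME_RE.match(name)),
                })
    return report


def summarize(report):
    """Human-readable findings, one per line, in the order a helper reviews them."""
    lines = []
    if report["firewall_enabled"] is False:
        lines.append("Windows Firewall is disabled in the standard profile")
    for app in report["authorized_apps"]:
        lines.append(f"firewall exception (review): {app}")
    for svc in report["missing_service_binaries"]:
        tag = " (random-looking name)" if svc["random_name"] else ""
        lines.append(f"service {svc['name']} ({svc['start']}) points at a missing file{tag}: {svc['image']}")
    for key in report["locked_keys"]:
        lines.append(f"locked registry key: {key}")
    return lines


if __name__ == "__main__":
    for finding in summarize(extract_indicators(SAMPLE_COMBOFIX)):
        print(finding)
```

Run against the constructed sample it lists the disabled firewall, the three exceptions, the aba3d60a driver with its missing .sys file, and the two locked CLSID keys, which is the same set of items the helper's CFScript acts on.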
 
Hi Katana. Thanks again for all your help, and to whomever else is assisting, many thanks.

The system is running well. As I mentioned previously though, there were no outward indications of this infection unless you began trying to run any variation of a security mechanism. As such, the only difference I am seeing is that I can actually run these programs now, where I couldn't previously.

I ran the script with ComboFix and RSIT, but I could not get Kaspersky online scan to run. I don't think it was because of this infection, however. I kept getting a key expired error. In IE it wouldn't launch the applet at all, so I downloaded the latest version of Java (6.15) and was able to launch, but got the same key error. I cleared cookies/history & restarted, but to no avail.

Here are the logs from ComboFix and RSIT. I removed an application error in the event log section of RSIT log that happened many months back and that I know for sure was not related to this or any infection. Had some specifics I didn't want out in the open if you know what I mean.

ComboFix 09-08-09.04 - Owner 08/10/2009 9:06.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1364 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\bincd32.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bincd32.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_aba3d60a


((((((((((((((((((((((((( Files Created from 2009-07-10 to 2009-08-10 )))))))))))))))))))))))))))))))
.

2009-08-10 02:50 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 02:50 . 2009-08-10 02:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-10 02:50 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-08 16:18 . 2009-08-08 16:18 -------- d-----w- c:\program files\trend micro
2009-08-08 16:18 . 2009-08-08 16:18 -------- d-----w- C:\rsit
2009-08-08 13:52 . 2009-08-08 13:52 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-08-06 23:43 . 2009-08-06 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-06 23:08 . 2009-08-07 22:31 -------- d-----w- c:\program files\Windows Defender(2)
2009-08-04 20:47 . 2009-08-04 20:48 -------- d-----w- c:\program files\Windows Antivirus Pro
2009-08-03 23:27 . 2008-11-27 23:47 -------- d---a-w- c:\windows\system32\images
2009-08-03 22:37 . 2009-08-04 00:37 -------- d-----w- c:\program files\creytd
2009-07-30 17:35 . 2009-07-31 05:40 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp
2009-07-30 17:34 . 2009-07-30 17:35 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Google
2009-07-30 17:34 . 2009-07-30 17:34 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Deployment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-10 14:00 . 2009-08-07 23:41 5310 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-08-09 04:11 . 2008-12-23 22:56 -------- d-----w- c:\documents and settings\Owner\Application Data\DMCache
2009-08-08 00:31 . 2009-04-01 04:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-07 22:32 . 2009-04-01 04:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-07 22:31 . 2009-08-07 22:31 -------- d-----w- c:\program files\Windows Defender
2009-08-07 22:31 . 2009-08-07 01:14 -------- d-----w- c:\program files\Registrar Lite
2009-08-07 22:31 . 2008-12-22 20:45 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-07 22:31 . 2009-08-07 16:30 -------- d-----w- c:\program files\ERUNT
2009-08-07 04:03 . 2009-02-03 05:20 -------- d-----w- c:\program files\Bonjour
2009-06-26 16:50 . 2004-08-04 12:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-18 12:56 . 2009-06-18 12:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-14 13:23 . 2009-05-14 13:23 111160 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-08-10_02.36.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-10 14:15 . 2009-08-10 14:15 16384 c:\windows\Temp\Perflib_Perfdata_330.dat
- 2008-12-22 18:40 . 2008-07-09 07:38 17272 c:\windows\system32\spmsg.dll
+ 2008-12-22 18:40 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
- 2009-02-20 08:10 . 2009-04-29 04:46 81920 c:\windows\system32\dllcache\ieencode.dll
+ 2009-02-20 08:10 . 2009-06-26 16:50 81920 c:\windows\system32\dllcache\ieencode.dll
+ 2009-06-16 14:36 . 2009-06-16 14:36 81920 c:\windows\system32\dllcache\fontsub.dll
- 2009-08-10 02:31 . 2009-08-10 02:31 8192 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
+ 2009-08-10 14:12 . 2009-08-10 14:12 8192 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
- 2009-08-10 02:31 . 2009-08-10 02:31 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
+ 2009-08-10 14:12 . 2009-08-10 14:12 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
- 2004-08-04 12:00 . 2009-04-29 04:46 620032 c:\windows\system32\urlmon.dll
+ 2004-08-04 12:00 . 2009-06-26 16:50 620032 c:\windows\system32\urlmon.dll
+ 2008-12-22 19:55 . 2009-06-26 16:50 666624 c:\windows\system32\dllcache\wininet.dll
- 2008-12-22 19:55 . 2009-04-29 04:46 666624 c:\windows\system32\dllcache\wininet.dll
- 2008-12-22 19:55 . 2009-04-29 04:46 620032 c:\windows\system32\dllcache\urlmon.dll
+ 2008-12-22 19:55 . 2009-06-26 16:50 620032 c:\windows\system32\dllcache\urlmon.dll
+ 2009-06-16 14:36 . 2009-06-16 14:36 119808 c:\windows\system32\dllcache\t2embed.dll
- 2009-08-10 02:31 . 2009-08-10 02:31 192512 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
+ 2009-08-10 14:12 . 2009-08-10 14:12 192512 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
+ 2009-08-10 14:12 . 2009-08-10 14:12 229376 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
- 2009-08-10 02:31 . 2009-08-10 02:31 229376 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
- 2009-08-10 02:31 . 2009-08-10 02:31 229376 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2009-08-10 14:12 . 2009-08-10 14:12 229376 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2004-08-04 12:00 . 2009-07-18 16:05 1509888 c:\windows\system32\shdocvw.dll
+ 2004-08-04 12:00 . 2009-07-18 16:05 3069440 c:\windows\system32\mshtml.dll
+ 2008-12-22 19:54 . 2009-07-18 16:05 1509888 c:\windows\system32\dllcache\shdocvw.dll
+ 2008-05-07 05:12 . 2009-06-03 19:09 1291264 c:\windows\system32\dllcache\quartz.dll
+ 2008-12-22 19:50 . 2009-07-18 16:05 3069440 c:\windows\system32\dllcache\mshtml.dll
+ 2008-12-22 19:58 . 2009-07-07 15:10 24539592 c:\windows\system32\MRT.exe
+ 2009-08-10 14:12 . 2009-08-10 14:12 16973824 c:\windows\ERDNT\subs\Users\00000005\NTUSER.DAT
- 2009-08-10 02:31 . 2009-08-10 02:31 16973824 c:\windows\ERDNT\subs\Users\00000005\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 339968]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 794624]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-12-23 569405]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\windows\system32\onhelp.htm
FriendlyName= tets

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\windefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Microsoft SQL Server\\90\\Shared\\SqlSAC.exe"=
"c:\\Program Files\\Microsoft Visual Studio 8\\Common7\\IDE\\devenv.exe"=

R2 gms-mux;Goodmail Multiplexer;c:\pmta\gmsmux\wrapper.exe -s "c:\pmta\gmsmux\config\wrapper.conf" --> c:\pmta\gmsmux\wrapper.exe -s c:\pmta\gmsmux\config\wrapper.conf [?]
R2 PMTA;PowerMTA;c:\pmta\bin\pmtawatch.exe [11/18/2008 11:29 PM 761856]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [12/22/2008 1:20 PM 200192]
S2 windefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
S3 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe [7/10/2008 1:22 AM 218136]
S3 PortalEmailer;PortalEmailer;c:\documents and settings\Owner\My Documents\Visual Studio 2005\Projects\PortalEmailer\PortalEmailer\bin\Debug\PortalEmailer.exe [4/13/2009 9:04 PM 32768]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [1/29/2009 12:12 PM 29824]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [1/29/2009 12:12 PM 41344]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [1/29/2009 12:12 PM 39936]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [1/29/2009 12:12 PM 59776]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 7:01 AM 2799808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder

2009-08-10 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 03:18]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ares - c:\program files\Ares\Ares.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.daemon-search.com/startpage
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\snfz6iz3.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\documents and settings\Owner\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-10 09:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????1?4?0?5??P???? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2496)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\pmta\gmsmux\wrapper.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\pmta\jre\bin\java.exe
c:\pmta\bin\pmtad.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
c:\program files\HPQ\shared\hpqwmi.exe
.
**************************************************************************
.
Completion time: 2009-08-10 9:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-10 14:23
ComboFix2.txt 2009-08-10 02:46

Pre-Run: 7,151,603,712 bytes free
Post-Run: 7,107,104,768 bytes free

208 --- E O F --- 2009-08-10 13:39


Logfile of random's system information tool 1.06 (written by random/random)
Run by Owner at 2009-08-10 10:20:25
Microsoft Windows XP Professional Service Pack 3
System drive C: has 7 GB (7%) free of 95 GB
Total RAM: 1918 MB (73% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:34 AM, on 8/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\pmta\gmsmux\wrapper.exe
C:\WINDOWS\system32\svchost.exe
C:\pmta\jre\bin\java.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\pmta\bin\pmtawatch.exe
C:\pmta\bin\pmtad.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\Owner\Desktop\RSIT.exe
C:\Program Files\trend micro\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229973284213
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Goodmail Multiplexer (gms-mux) - Unknown owner - C:\pmta\gmsmux\wrapper.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PowerMTA (PMTA) - Unknown owner - C:\pmta\bin\pmtawatch.exe
O23 - Service: PortalEmailer - Unknown owner - C:\Documents and Settings\Owner\My Documents\Visual Studio 2005\Projects\PortalEmailer\PortalEmailer\bin\Debug\PortalEmailer.exe
O23 - Service: Visual Studio Analyzer RPC bridge - Unknown owner - C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe (file missing)
O24 - Desktop Component 0: tets - C:\WINDOWS\system32\onhelp.htm

--
End of file - 6617 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\WGASetup.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}]
IDMIEHlprObj Class - C:\Program Files\Internet Download Manager\IDMIECC.dll [2008-12-23 161200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 54248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-25 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-07-25 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2005-02-02 102492]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2005-02-02 692316]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-04-11 339968]
"Cpqset"=C:\Program Files\HPQ\Default Settings\cpqset.exe [2005-02-17 233534]
"eabconfg.cpl"=C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe [2004-12-03 290816]
"hpWirelessAssistant"=C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe [2005-04-01 794624]
"HP Software Update"=C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [2005-02-17 49152]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-25 149280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2005-04-11 46080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"= []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\windefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\windefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Java\jre6\launch4j-tmp\JDownloader.exe"="C:\Program Files\Java\jre6\launch4j-tmp\JDownloader.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\WINDOWS\system32\java.exe"="C:\WINDOWS\system32\java.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\WINDOWS\system32\ftp.exe"="C:\WINDOWS\system32\ftp.exe:*:Enabled:File Transfer Program"
"C:\Program Files\Hp\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\Hp\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hposid01.exe"="C:\Program Files\Hp\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\Program Files\Hp\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\Hp\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\Program Files\Microsoft SQL Server\90\Shared\SqlSAC.exe"="C:\Program Files\Microsoft SQL Server\90\Shared\SqlSAC.exe:*:Enabled:SQL Server Surface Area Configuration"
"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\devenv.exe"="C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\devenv.exe:*:Enabled:Microsoft Visual Studio 2005"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-08-10 10:11:06 ----A---- C:\WINDOWS\system32\javaws.exe
2009-08-10 10:11:06 ----A---- C:\WINDOWS\system32\javaw.exe
2009-08-10 10:11:06 ----A---- C:\WINDOWS\system32\java.exe
2009-08-10 09:24:02 ----A---- C:\ComboFix.txt
2009-08-10 09:04:53 ----A---- C:\WINDOWS\zip.exe
2009-08-10 09:04:53 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-08-10 09:04:53 ----A---- C:\WINDOWS\SWSC.exe
2009-08-10 09:04:53 ----A---- C:\WINDOWS\SWREG.exe
2009-08-10 09:04:53 ----A---- C:\WINDOWS\sed.exe
2009-08-10 09:04:53 ----A---- C:\WINDOWS\PEV.exe
2009-08-10 09:04:53 ----A---- C:\WINDOWS\NIRCMD.exe
2009-08-10 09:04:53 ----A---- C:\WINDOWS\grep.exe
2009-08-10 09:04:49 ----SD---- C:\ComboFix
2009-08-10 08:39:38 ----HDC---- C:\WINDOWS\$NtUninstallKB972260$
2009-08-10 08:39:33 ----HDC---- C:\WINDOWS\$NtUninstallKB973346$
2009-08-10 08:39:26 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-08-10 08:37:45 ----A---- C:\WINDOWS\imsins.BAK
2009-08-10 08:37:40 ----HDC---- C:\WINDOWS\$NtUninstallKB961371$
2009-08-09 21:50:57 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-08-09 21:25:52 ----A---- C:\Boot.bak
2009-08-09 21:25:44 ----RASHD---- C:\cmdcons
2009-08-09 21:23:12 ----D---- C:\Qoobox
2009-08-09 21:19:38 ----D---- C:\Avenger
2009-08-09 21:19:38 ----A---- C:\avenger.txt
2009-08-09 18:10:34 ----A---- C:\WINDOWS\system32\scecli.dll.kat
2009-08-08 11:18:54 ----D---- C:\Program Files\trend micro
2009-08-08 11:18:53 ----D---- C:\rsit
2009-08-08 08:52:05 ----D---- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2009-08-07 20:00:23 ----A---- C:\WINDOWS\ntbtlog.txt
2009-08-07 18:41:58 ----A---- C:\WINDOWS\system32\PerfStringBackup.TMP
2009-08-07 18:18:49 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-08-07 17:49:36 ----D---- C:\WINDOWS\CSC
2009-08-07 17:31:42 ----D---- C:\Program Files\Windows Defender
2009-08-07 15:33:22 ----D---- C:\32788R22FWJFW(2)
2009-08-07 11:32:18 ----D---- C:\WINDOWS\ERDNT
2009-08-07 11:30:48 ----D---- C:\Program Files\ERUNT
2009-08-06 20:14:04 ----D---- C:\Program Files\Registrar Lite
2009-08-06 18:43:26 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-08-06 18:08:09 ----D---- C:\Program Files\Windows Defender(2)
2009-08-04 15:47:35 ----D---- C:\Program Files\Windows Antivirus Pro
2009-08-03 18:27:39 ----AD---- C:\WINDOWS\system32\images
2009-08-03 17:37:13 ----D---- C:\Program Files\creytd

======List of files/folders modified in the last 1 months======

2009-08-10 10:20:20 ----D---- C:\WINDOWS\Prefetch
2009-08-10 10:18:44 ----D---- C:\Program Files\Mozilla Firefox
2009-08-10 10:11:12 ----SHD---- C:\WINDOWS\Installer
2009-08-10 10:11:10 ----HD---- C:\Config.Msi
2009-08-10 10:11:08 ----D---- C:\WINDOWS\Temp
2009-08-10 10:11:06 ----D---- C:\WINDOWS\system32
2009-08-10 10:11:03 ----D---- C:\Program Files\Java
2009-08-10 09:24:04 ----D---- C:\WINDOWS\system32\drivers
2009-08-10 09:20:58 ----D---- C:\WINDOWS\system32\CatRoot2
2009-08-10 09:16:00 ----D---- C:\WINDOWS
2009-08-10 09:16:00 ----A---- C:\WINDOWS\system.ini
2009-08-10 09:12:55 ----D---- C:\WINDOWS\system32\config
2009-08-10 09:10:40 ----D---- C:\WINDOWS\AppPatch
2009-08-10 09:10:26 ----D---- C:\Program Files\Common Files
2009-08-10 08:59:40 ----RD---- C:\Program Files
2009-08-10 08:39:50 ----HD---- C:\WINDOWS\inf
2009-08-10 08:39:46 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-08-10 08:39:32 ----HD---- C:\WINDOWS\$hf_mig$
2009-08-10 08:38:00 ----D---- C:\WINDOWS\Debug
2009-08-09 21:44:06 ----SD---- C:\WINDOWS\Tasks
2009-08-09 21:25:52 ----RASH---- C:\boot.ini
2009-08-09 21:19:39 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2009-08-08 23:11:06 ----D---- C:\Documents and Settings\Owner\Application Data\DMCache
2009-08-07 19:31:08 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-07 17:32:10 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-08-07 17:31:39 ----D---- C:\Program Files\Windows Live Safety Center
2009-08-07 17:30:50 ----D---- C:\WINDOWS\system32\Restore
2009-08-07 16:49:55 ----D---- C:\WINDOWS\Registration
2009-08-06 23:03:29 ----D---- C:\Program Files\Bonjour
2009-08-06 22:45:19 ----D---- C:\Documents and Settings
2009-08-06 20:29:43 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-08-06 14:25:10 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-07-28 22:42:45 ----D---- C:\Mailings
2009-07-25 05:23:00 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-07-18 11:05:06 ----A---- C:\WINDOWS\system32\shdocvw.dll
2009-07-18 11:05:06 ----A---- C:\WINDOWS\system32\mshtml.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2004-08-11 39424]
R1 eabfiltr;EABFiltr; \??\C:\WINDOWS\system32\drivers\EABFiltr.sys []
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2005-04-11 1035264]
R3 BCM43XX;Broadcom 802.11 Network Adapter Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2005-03-10 371712]
R3 BTKRNL;Bluetooth Bus Enumerator; C:\WINDOWS\system32\DRIVERS\btkrnl.sys [2004-12-23 1337850]
R3 BTWUSB;WIDCOMM USB Bluetooth Driver; C:\WINDOWS\System32\Drivers\btwusb.sys [2004-12-23 55320]
R3 CAMCAUD;Conexant AMC Audio; C:\WINDOWS\system32\drivers\camc6aud.sys [2005-02-18 38016]
R3 CAMCHALA;CAMCHALA; C:\WINDOWS\system32\drivers\camc6hal.sys [2005-02-18 349696]
R3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2004-12-15 1038208]
R3 HSFHWATI;HSFHWATI; C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2004-12-15 200192]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 RTL8023xp;Realtek 10/100/1000 NIC Family all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys [2005-03-03 74496]
R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2008-04-13 79232]
R3 StillCam;Still Serial Digital Camera Driver; C:\WINDOWS\system32\DRIVERS\serscan.sys [2001-08-17 6784]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2005-02-02 191456]
R3 tifm21;tifm21; C:\WINDOWS\system32\drivers\tifm21.sys [2005-03-16 159488]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2004-12-15 703232]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S3 apjsd7kq;apjsd7kq; C:\WINDOWS\system32\drivers\apjsd7kq.sys []
S3 eabusb;eabusb; \??\C:\WINDOWS\system32\drivers\eabusb.sys []
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2004-03-22 51088]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2004-03-22 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2004-03-22 21744]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ; C:\WINDOWS\system32\DRIVERS\PTDUBus.sys [2008-03-11 29824]
S3 PTDUMdm;PANTECH UM175 Drivers; C:\WINDOWS\system32\DRIVERS\PTDUMdm.sys [2008-03-11 41344]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port; C:\WINDOWS\system32\DRIVERS\PTDUVsp.sys [2008-03-11 39936]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver; C:\WINDOWS\system32\DRIVERS\PTDUWWAN.sys [2008-03-11 59776]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 SMNDIS5;SMNDIS5 NDIS Protocol Driver; \??\C:\PROGRA~1\VERIZO~1\VZACCE~1\SMNDIS5.SYS []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2005-04-11 360448]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 btwdins;Bluetooth Service; C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe [2004-12-23 254007]
R2 gms-mux;Goodmail Multiplexer; C:\pmta\gmsmux\wrapper.exe [2008-04-03 167936]
R2 HPSLPSVC;HP Network Devices Support; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-25 153376]
R2 MSSQL$SQLEXPRESS;SQL Server (SQLEXPRESS); c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-24 29263712]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
R2 PMTA;PowerMTA; C:\pmta\bin\pmtawatch.exe [2008-11-18 761856]
R2 SQLBrowser;SQL Server Browser; c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2008-11-24 239968]
R2 SQLWriter;SQL Server VSS Writer; c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2008-11-24 87904]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
R3 hpqwmi;HP WMI Interface; C:\Program Files\HPQ\shared\hpqwmi.exe [2005-03-04 98304]
S2 windefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 hpqcxs08;hpqcxs08; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 Imapi Helper;Imapi Helper; C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe [2006-01-05 163840]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-01-06 536872]
S3 MsDtsServer100;SQL Server Integration Services 10.0; C:\Program Files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe [2008-07-10 218136]
S3 PortalEmailer;PortalEmailer; C:\Documents and Settings\Owner\My Documents\Visual Studio 2005\Projects\PortalEmailer\PortalEmailer\bin\Debug\PortalEmailer.exe [2009-04-14 32768]
S3 Visual Studio Analyzer RPC bridge;Visual Studio Analyzer RPC bridge; C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe []
S4 MSSQLServerADHelper;SQL Server Active Directory Helper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2008-11-24 45408]
S4 msvsmon80;Visual Studio 2005 Remote Debugger; C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------
 
info.txt logfile of random's system information tool 1.06 2009-08-10 10:20:35

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
32 Bit HP CIO Components Installer-->MsiExec.exe /I{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 6.0.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
ALUpdate-->"C:\Program Files\ESTsoft\ALUpdate\unins000.exe"
ALZip-->"C:\Program Files\ESTsoft\ALZip\unins000.exe"
Apple Mobile Device Support-->MsiExec.exe /I{EC4455AB-F155-4CC1-A4C5-88F3777F9886}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Athlon 64 Processor Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x9
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Bonjour-->MsiExec.exe /I{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}
Broadcom 802.11 Wireless LAN Adapter-->C:\WINDOWS\system32\BCMWLU00.exe verbose /rootkey=Software\Broadcom\802.11\UninstallInfo
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Conexant AC-Link Audio-->C:\Program Files\CONEXANT\CNXT_AUDIO\HXFSETUP.EXE -U -Iqta3091.inf
Data Fax SoftModem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_1002&DEV_4378&SUBSYS_3091103C\HXFSETUP.EXE -U -IVEN_1002&DEV_4378&SUBSYS_3091103C
Dynamsoft SourceAnywhere for VSS 5.3.2 Standard Client-->MsiExec.exe /I{88C5BDC0-99D5-4BA5-90D9-B80CE0A87BC8}
HijackThis 2.0.2-->"C:\Documents and Settings\Owner\My Documents\VIRUS\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946040)-->C:\WINDOWS\system32\msiexec.exe /package {AA4A4B2C-0465-3CF8-BA76-27A027D8ACAB} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946308)-->C:\WINDOWS\system32\msiexec.exe /package {AA4A4B2C-0465-3CF8-BA76-27A027D8ACAB} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946344)-->C:\WINDOWS\system32\msiexec.exe /package {AA4A4B2C-0465-3CF8-BA76-27A027D8ACAB} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947540)-->C:\WINDOWS\system32\msiexec.exe /package {AA4A4B2C-0465-3CF8-BA76-27A027D8ACAB} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947789)-->C:\WINDOWS\system32\msiexec.exe /package {AA4A4B2C-0465-3CF8-BA76-27A027D8ACAB} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Windows XP (KB942288-v3)-->"C:\WINDOWS\$NtUninstallKB942288-v3$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
HP Help and Support-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}\setup.exe" -l0x9 -removeonly
HP Integrated Module with Bluetooth wireless technology-->MsiExec.exe /X{3F4EC965-28EF-45C3-B063-04B25D4E9679}
HP PSC & Officejet 4.2 Corporate Edition-->"C:\Program Files\HP\Digital Imaging\{AC1314E7-D28C-40A1-B322-80D2868D35CE}\setup\hpzscr01.exe" -datfile hposcr04.dat
HP Software Update-->MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
HP Wireless Assistant 1.01 A2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}\setup.exe" -l0x9 hpquninst
Internet Download Manager-->C:\Program Files\Internet Download Manager\Uninstall.exe
InterVideo WinDVD-->"C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
ISO Recorder-->MsiExec.exe /I{DFC6573E-124D-4026-BFA4-B433C9D3FF21}
iTunes-->MsiExec.exe /I{F5C63795-2708-4D15-BF18-5ABBFF7DFFC8}
J2SE Runtime Environment 5.0 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
Java(TM) 6 Update 15-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
JetBrains ReSharper 4.1-->MsiExec.exe /I{D0B1DC23-A171-45D3-A3CA-97E20290D124}
K-Lite Mega Codec Pack 4.4.2-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Device Emulator version 1.0 - ENU-->MsiExec.exe /X{78B75C6D-E53C-424C-BF83-4B63BD4A6682}
Microsoft Device Emulator version 3.0 - ENU-->MsiExec.exe /X{B32E7732-B2FB-3FD0-81AC-6025B1104C66}
Microsoft Document Explorer 2005-->C:\Program Files\Common Files\Microsoft Shared\Help 8\Microsoft Document Explorer 2005\install.exe
Microsoft Document Explorer 2005-->MsiExec.exe /X{44D4AF75-6870-41F5-9181-662EA05507E1}
Microsoft Document Explorer 2008-->C:\Program Files\Common Files\Microsoft Shared\Help 9\Microsoft Document Explorer 2008\install.exe
Microsoft Document Explorer 2008-->MsiExec.exe /X{6753B40C-0FBD-3BED-8A9D-0ACAC2DCD85D}
Microsoft Office 2000 Premium-->MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Office 2003 Web Components-->MsiExec.exe /I{90120000-00A4-0409-0000-0000000FF1CE}
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)-->MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools-->MsiExec.exe /X{1389C6A4-4965-4AEC-9175-08B54A10FA48}
Microsoft SQL Server 2005 Tools Express Edition-->MsiExec.exe /I{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}
Microsoft SQL Server 2005-->"c:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server 2008 Client Tools-->MsiExec.exe /I{4D28EFCF-5999-44D2-8D4E-AC643E76C33F}
Microsoft SQL Server 2008 Client Tools-->MsiExec.exe /I{60D46DEE-5221-47AA-B978-BA25C5D9F560}
Microsoft SQL Server 2008 Common Files-->MsiExec.exe /I{196E77C5-F524-4B50-BD1A-2C21EEE9B8F7}
Microsoft SQL Server 2008 Common Files-->MsiExec.exe /I{4A6F34E2-09E5-4616-B227-4A26A488A6F9}
Microsoft SQL Server 2008 Integration Services-->MsiExec.exe /I{40F34A1C-65A2-4163-98CE-A0D0646CABEF}
Microsoft SQL Server 2008 Integration Services-->MsiExec.exe /I{AEB03FAF-90EB-4B4F-BA32-9C4DDE2C9804}
Microsoft SQL Server 2008 Management Studio-->MsiExec.exe /I{2020045B-8DCF-4449-8D5C-EB5BA37440F1}
Microsoft SQL Server 2008 Management Studio-->MsiExec.exe /I{FA9C3624-C693-4423-8A8B-2BC2B9F607AB}
Microsoft SQL Server 2008 Native Client-->MsiExec.exe /I{D9D937B0-E842-4130-9588-B948E876904A}
Microsoft SQL Server 2008 Policies-->MsiExec.exe /I{01C5A10F-AD9B-405B-853A-6659841A1242}
Microsoft SQL Server 2008 Setup Support Files (English)-->MsiExec.exe /X{9D6D76A6-4328-49E8-97A7-531A74841DA5}
Microsoft SQL Server 2008-->"C:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Release\x86\SetupARP.exe" /x86
Microsoft SQL Server 2008-->"C:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Release\x86\SetupARP.exe" /X86
Microsoft SQL Server Compact 3.5 SP1 English-->MsiExec.exe /I{E59113EB-0285-4BFD-A37A-B79EAC6B8F4B}
Microsoft SQL Server Compact 3.5 SP1 Query Tools English-->MsiExec.exe /I{64CDE8F2-3791-46F5-BAD2-72FFF5252FAB}
Microsoft SQL Server Native Client-->MsiExec.exe /I{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}
Microsoft SQL Server Setup Support Files (English)-->MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer-->MsiExec.exe /I{56B4002F-671C-49F4-984C-C760FE3806B5}
Microsoft Sync Framework Runtime v1.0 (x86)-->MsiExec.exe /I{A8BD5A60-E843-46DC-8271-ABF20756BE0F}
Microsoft Sync Services for ADO.NET v2.0 (x86)-->MsiExec.exe /I{C89B00A2-B72A-4935-96FC-38796E9554EC}
Microsoft Visual J# 2.0 Redistributable Package-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft Visual J# 2.0 Redistributable Package\install.exe
Microsoft Visual SourceSafe 2005 - ENU-->"C:\Program Files\Microsoft Visual SourceSafe\Microsoft Visual SourceSafe 2005 - ENU\setup.exe"
Microsoft Visual Studio 2005 Professional Edition - ENU-->C:\Program Files\Microsoft Visual Studio 8\Microsoft Visual Studio 2005 Professional Edition - ENU\setup.exe
Microsoft Visual Studio 2005 Web Application Projects-->MsiExec.exe /I{D1D2308E-B8E4-41FA-89AC-82F65B9A255A}
Microsoft Visual Studio Tools for Applications 2.0 - ENU-->MsiExec.exe /X{AA4A4B2C-0465-3CF8-BA76-27A027D8ACAB}
Microsoft VM for Java-->RunDll32 advpack.dll,LaunchINFSection java.inf,UnInstall
Microsoft Web Platform Installer-->MsiExec.exe /X{CA544957-00CB-4A5F-9A34-F49662C7DD5F}
Microsoft Web Publishing Wizard 1.53-->RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie3x86.inf,WebPostUninstall
Mozilla Firefox (3.0.13)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
PANTECH UM175 Driver-->C:\Program Files\PANTECH\PANTECH UM175\PTDUUninstall.exe
Power Architect 0.9.12-->"C:\Program Files\Java\jre6\bin\javaw.exe" -jar "C:\Program Files\Power Architect\uninstaller\uninstaller.jar"
PowerMTA 3.5r11-->MsiExec.exe /I{0A249E23-B6D4-4986-A0DA-27766DA0E924}
Quick Launch Buttons 5.10 B2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CEB326EC-8F40-47B2-BA22-BB092565D66F}\setup.exe" -l0x9 -uninst
QuickTime Alternative 2.8.0-->"C:\Program Files\QuickTime Alternative\unins000.exe"
QuickTime-->MsiExec.exe /I{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}
REALTEK Gigabit and Fast Ethernet NIC Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\Setup.exe" -l0x9 REMOVE
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB937060)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {78DD9A0A-4AE1-46D0-B9A6-578EFCA47A3C} /package {437AB8E0-FB69-4222-B280-A64F3DE22591}
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB963027)-->"C:\WINDOWS\$NtUninstallKB963027$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969897)-->"C:\WINDOWS\$NtUninstallKB969897$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972260)-->"C:\WINDOWS\$NtUninstallKB972260$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
SQL Server System CLR Types-->MsiExec.exe /I{342D4AD7-EC4C-4EC8-AEA6-E70F5905A490}
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Texas Instruments PCIxx21/x515 drivers.-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{612DC38A-B36A-4699-88EB-12C7394DE2FC} /l1033
Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB915364)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {C20ED8A3-74AA-4F58-9A2D-7D2AB1BE3E45} /package {437AB8E0-FB69-4222-B280-A64F3DE22591}
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
VLC media player 0.9.8a-->C:\Program Files\VideoLAN\VLC\uninstall.exe
VZAccess Manager-->C:\PROGRA~1\VERIZO~1\VZACCE~1\UNWISE.EXE C:\PROGRA~1\VERIZO~1\VZACCE~1\INSTALL.LOG
Windows Defender-->MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Live OneCare safety scanner-->RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Mobile 5.0 SDK R2 for Pocket PC-->MsiExec.exe /I{6C9F6D23-E9AD-43C9-B43A-011562AAF876}
Windows Mobile 5.0 SDK R2 for Smartphone-->MsiExec.exe /I{9656F3AC-6BA9-43F0-ABED-F214B5DAB27B}
Windows PowerShell(TM) 1.0 MUI pack-->"C:\WINDOWS\$NtUninstallKB926141$\spuninst\spuninst.exe"
Windows PowerShell(TM) 1.0-->"C:\WINDOWS\$NtUninstallKB926139-v2$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe

======System event log======

Computer Name: OWNER-15DEC8D99
Event Code: 3004
Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.

For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409

Scan ID: {91FAC189-2594-472B-8950-D181887FA802}

User: OWNER-15DEC8D99\Owner

Name: Unknown

ID:

Severity: Not Yet Classified

Category: Not Yet Classified

Path Found: file:C:\WINDOWS\tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job;file:C:\Documents and Settings\Owner\Local Settings\Temp\a.exe;taskscheduler:C:\WINDOWS\tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job

Alert Type: Unclassified software

Detection Type:

Record Number: 5
Source Name: WinDefend
Time Written: 20090806165513.000000-300
Event Type: warning
User:

Computer Name: OWNER-15DEC8D99
Event Code: 3004
Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.

For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409

Scan ID: {5A63BCF8-3949-47DB-AD0F-8DA1D12F6839}

User: OWNER-15DEC8D99\Owner

Name: Unknown

ID:

Severity: Not Yet Classified

Category: Not Yet Classified

Path Found: service:{79007602-0cdb-4405-9dbf-1257bb3226ed}

Alert Type: Unclassified software

Detection Type:

Record Number: 4
Source Name: WinDefend
Time Written: 20090806165503.000000-300
Event Type: warning
User:

Computer Name: OWNER-15DEC8D99
Event Code: 3004
Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.

For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409

Scan ID: {99EFD26E-A360-4C8D-93BE-CBA1E495E506}

User: OWNER-15DEC8D99\Owner

Name: Unknown

ID:

Severity: Not Yet Classified

Category: Not Yet Classified

Path Found: driver:{79007602-0cdb-4405-9dbf-1257bb3226ed}

Alert Type: Unclassified software

Detection Type:

Record Number: 3
Source Name: WinDefend
Time Written: 20090806165503.000000-300
Event Type: warning
User:

Computer Name: OWNER-15DEC8D99
Event Code: 3004
Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.

For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409

Scan ID: {BC9800A4-326A-44FA-A021-7564581CBC08}

User: OWNER-15DEC8D99\Owner

Name: Unknown

ID:

Severity: Not Yet Classified

Category: Not Yet Classified

Path Found: driver:{79007602-0cdb-4405-9dbf-1257bb3226ee}

Alert Type: Unclassified software

Detection Type:

Record Number: 2
Source Name: WinDefend
Time Written: 20090806165503.000000-300
Event Type: warning
User:

Computer Name: OWNER-15DEC8D99
Event Code: 3004
Message: Windows Defender Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Windows Defender can't undo changes that you allow.

For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409

Scan ID: {16D2CC0B-1EBD-4C77-8356-8D42ACE3659C}

User: OWNER-15DEC8D99\Owner

Name: Unknown

ID:

Severity: Not Yet Classified

Category: Not Yet Classified

Path Found: service:{79007602-0cdb-4405-9dbf-1257bb3226ee}

Alert Type: Unclassified software

Detection Type:

Record Number: 1
Source Name: WinDefend
Time Written: 20090806165503.000000-300
Event Type: warning
User:

=====Application event log=====



======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Microsoft SQL Server\80\Tools\Binn;C:\Program Files\Microsoft SQL Server\90\DTS\Binn;C:\Program Files\Microsoft SQL Server\90\Tools\binn;C:\Program Files\Microsoft SQL Server\90\Tools\Binn\VSShell\Common7\IDE;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies;C:\Program Files\QuickTime Alternative\QTSystem;C:\Program Files\ESTsoft\ALZip;c:\Program Files\Microsoft SQL Server\90\Tools\binn;C:\Program Files\Microsoft SQL Server\100\DTS\Binn;C:\Program Files\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE;C:\Program Files\Microsoft SQL Server\100\Tools\Binn;C:\WINDOWS\system32\WindowsPowerShell\v1.0
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 36 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=2402
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.PSC1
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"VS80COMNTOOLS"=C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\

-----------------EOF-----------------
 
but I could not get Kaspersky online scan to run. I don't think it was because of this infection, however. I kept getting a key expired error.
In IE it wouldn't launch the applet at all, so I downloaded the latest version of Java (6.15) and was able to launch, but got the same key error.

A lot of people have been getting that error lately ???

Try this one instead


Active Scan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Please go to this site Link >> ActiveScan << LINK
  • Click the Scan Now button
  • Follow the prompts to install the Active X if necessary
  • Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
  • When the scan is finished, a report will be generated
  • Next to Scan Details click the small export to notepad button and save the report to your desktop.
  • Please post the report in your reply.

---------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------
Additional Notes



Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Adobe Reader is a large program and uses unnecessary space.
If you prefer a smaller program you can get Foxit 3.0 from http://www.foxitsoftware.com/pdf/rd_intro.php << Recommended

There is a newer version of Adobe Acrobat Reader available.
  • Please go to this link Adobe Acrobat Reader Download Link
  • Click Download
  • On the right, untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts



Remove Programs

Older versions of some programs have vulnerabilities that malware can use to infect your system.

Now click Start---Control Panel. Double click Add or Remove Programs.
If any of the following programs are still listed there, click on the program to highlight it, and click on remove.
  • Adobe Reader 6.0.1
  • J2SE Runtime Environment 5.0 Update 2
Now close the Control Panel.
 
Hi Katana.

All done. And the ActiveScan completed - although you were right, it took forever! Here is the log:

Thanks !!!!

;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-08-10 18:59:15
PROTECTIONS: 1
MALWARE: 12
SUSPECTS: 1
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Windows Defender 1.1.2204.0 No No
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00590315 Rootkit/Agent.LNB HackTools No 0 Yes No C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP199\A0028358.sys
01471582 Adware/MalwareAlarm Adware No 1 Yes No C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP191\A0026845.exe
01491711 W32/Waledac.BK.worm Virus/Worm No 0 Yes No C:\pmta\Xfrs\dst\01c9eeafa56b9b30.msg[UPSFILE_NR67721912.zip][UPSFILE_NR67721912.exe]
01675833 Trj/SMSlock.C Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP199\A0028364.exe
02106838 Trj/Banbra.GIY Virus/Trojan No 1 Yes No C:\Documents and Settings\Owner\My Documents\Downloads\Compressed\avenger_2.zip[avenger.exe]
02106838 Trj/Banbra.GIY Virus/Trojan No 1 Yes No C:\Documents and Settings\Owner\My Documents\Downloads\Compressed\avenger.zip[avenger.exe]
02106838 Trj/Banbra.GIY Virus/Trojan No 1 Yes No C:\Documents and Settings\Owner\Desktop\avenger.exe
02459278 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\WINDOWS\system32\tapi.nfo
02460067 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP199\A0028362.dll
02466615 Adware/AntivirusSystemPro Adware No 0 Yes No C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP191\A0026844.exe
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP199\A0028473.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP201\A0028753.sys
02980348 W32/Tearec.A.worm!CME-24 Virus/Worm No 1 Yes No C:\pmta\Xfrs\rz\01c9ee3db6618a52.msg[document.pif]
03042750 Bck/Bandok.BT Virus/Trojan No 1 Yes No C:\pmta\Xfrs\rz\01c9eea7c3f620aa.msg[postcard.zip][postcard.txt .scr]
03042750 Bck/Bandok.BT Virus/Trojan No 1 Yes No C:\pmta\Xfrs\rz\01c9eea585cf7530.msg[postcard.zip][postcard.htm .scr]
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP198\A0027976.sys
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP197\A0027605.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP197\A0027407.exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP198\A0027689.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP198\A0027688.exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP193\A0026955.exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP198\A0027855.exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP197\A0027534.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location i
;===================================================================================================================================================================================
No C:\WINDOWS\system32\jdbgmgr.exe i
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description i
;===================================================================================================================================================================================
;===================================================================================================================================================================================
 
Right, it looks like you have some infected e-mails there.
I'm not sure if they are inbox or outbox or where, I'm not familiar with that client.

C:\pmta\Xfrs\dst\01c9eeafa56b9b30.msg[UPSFILE_NR67721912.zip][UPSFILE_NR67721912.exe]
C:\pmta\Xfrs\rz\01c9ee3db6618a52.msg[document.pif]
C:\pmta\Xfrs\rz\01c9eea7c3f620aa.msg[postcard.zip][postcard.txt .scr]
C:\pmta\Xfrs\rz\01c9eea585cf7530.msg[postcard.zip][postcard.htm .scr]

Let's check that other file, it shouldn't be being flagged.

Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Virus Total

Please visit Virustotal
Copy/paste the following file path into the window
C:\WINDOWS\system32\jdbgmgr.exe
Click Submit/Send File

When the scan has finished, you can copy the URL from the browser address window and paste it in your reply.

If Virustotal is too busy please try Jotti
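As an added example (not from this thread, and not Katana's or ActiveScan's own tooling), here is a small Python triage script for the ActiveScan MALWARE table format posted above. It parses each row and sorts the hits into System Restore copies, attachments nested in stored .msg files, archive members and live on-disk files, which is the distinction drawn above when the e-mail hits are picked out of the report. The sample rows are constructed in the report's format using paths from the report itself.

```python
import re
from collections import Counter

# Constructed sample in the format of the ActiveScan MALWARE table posted in
# this thread (columns: Id Description Type Active Severity Disinfectable
# Disinfected Location). Rows copied from the report's own lines.
SAMPLE_REPORT = r"""
;=======
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;=======
00590315 Rootkit/Agent.LNB HackTools No 0 Yes No C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP199\A0028358.sys
01491711 W32/Waledac.BK.worm Virus/Worm No 0 Yes No C:\pmta\Xfrs\dst\01c9eeafa56b9b30.msg[UPSFILE_NR67721912.zip][UPSFILE_NR67721912.exe]
02106838 Trj/Banbra.GIY Virus/Trojan No 1 Yes No C:\Documents and Settings\Owner\My Documents\Downloads\Compressed\avenger.zip[avenger.exe]
02106838 Trj/Banbra.GIY Virus/Trojan No 1 Yes No C:\Documents and Settings\Owner\Desktop\avenger.exe
02459278 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\WINDOWS\system32\tapi.nfo
02460067 Generic Trojan Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{05FF69C1-A6C1-40DB-877E-B8276DC71785}\RP199\A0028362.dll
;=======
SUSPECTS
Sent Location
"""

# One table row. The description may contain spaces ("Generic Trojan"), so it
# is matched lazily and the fixed Yes/No and severity columns anchor the split.
ROW_RE = re.compile(
    r"^(?P<id>\d{8}) (?P<desc>.+?) (?P<type>\S+) (?P<active>Yes|No) "
    r"(?P<severity>\d) (?P<disinfectable>Yes|No) (?P<disinfected>Yes|No) "
    r"(?P<location>.+)$"
)

RESTORE_PREFIX = r"c:\system volume information\_restore"


def parse_malware_table(report):
    """Return the rows of the MALWARE section as a list of dicts."""
    rows = []
    in_table = False
    for raw in report.splitlines():
        line = raw.strip()
        if line == "MALWARE":
            in_table = True
            continue
        if in_table and line in ("SUSPECTS", "VULNERABILITIES"):
            break
        if not in_table or line.startswith(";") or line.startswith("Id "):
            continue
        m = ROW_RE.match(line)
        if m:
            row = m.groupdict()
            row["severity"] = int(row["severity"])
            row["active"] = row["active"] == "Yes"
            rows.append(row)
    return rows


def classify_location(location):
    """Bucket a detection by where the flagged object actually lives."""
    low = location.lower()
    if low.startswith(RESTORE_PREFIX):
        return "restore_point"    # dormant copy inside a System Restore point
    if ".msg[" in low:
        return "mail_attachment"  # nested in a stored e-mail (the pmta spool here)
    if "[" in low:
        return "archive_member"   # inside a zip/cab that was downloaded
    return "live_file"            # plain on-disk file, the ones that matter first


def bucket_counts(report):
    """Count detections per bucket, e.g. to see how many are only restore copies."""
    return dict(Counter(classify_location(r["location"])
                        for r in parse_malware_table(report)))


def live_hits(report):
    """(description, path) for detections that are plain files on disk."""
    return [(r["desc"], r["location"])
            for r in parse_malware_table(report)
            if classify_location(r["location"]) == "live_file"]


if __name__ == "__main__":
    print(bucket_counts(SAMPLE_REPORT))
    for desc, path in live_hits(SAMPLE_REPORT):
        print(f"{desc:<22} {path}")
```

Restore-point entries disappear once System Restore is purged, and the live_file bucket is the short list worth a second opinion (the report's own jdbgmgr.exe suspect is handled the same way above).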
 
Hmmm, let's have a closer look at that file, and then see if we can find a replacement.



Upload a File
Download suspicious file packer from here

Unzip it to the desktop, open it and paste in the list of files below, then press Next and it will create an archive (zip/cab file) on the desktop.

C:\WINDOWS\system32\jdbgmgr.exe

Go to spykiller

Please start a new thread Titled File/s for Katana and give the following information
  • Name:-- Your name
  • E-mail:-- Your E-mail (this is confidential and will not be displayed)
  • Subject:-- File for Katana
In the main text window please put the following link
Code:
http://forums.spybot.info/showthread.php?p=327836#post327836
You may also add any comments you wish, then press Attach and upload the zip/cab file that was created.

Files can be uploaded by anybody, but cannot be downloaded except by users who have been given special permissions.
You DO NOT need to be a member to upload; anybody can upload files.


You can now delete SFP (exe and Zip) along with the .cab file that was created


----------------------------------------------------------------------------------------
Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :dir
    c:\Program Files\Windows Antivirus Pro
    c:\windows\system32\images
    c:\Program Files\creytd
    :file
    C:\WINDOWS\system32\jdbgmgr.exe 
    :reg
    HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop /s
    :filefind
    jdbgmgr.exe 
    :comment
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
Hi Katana.
Below is the log. Just an FYI: I had the real-time debugger launch a couple of times this morning, which concerned me. As such, I ran Spybot S&D just to check whether something new had started running on the system. It found the remnants of Windows AntiVirus Pro: the directory and two reg keys. I went ahead and let SS&D remove those items.

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 07:51 on 11/08/2009 by Owner (Administrator - Elevation successful)

========== dir ==========

c:\Program Files\Windows Antivirus Pro - Unable to find folder.

c:\windows\system32\images - Parameters: "(none)"

---Files---
i1.gif --a--- 1744 bytes [23:27 03/08/2009] [22:17 21/11/2008]
i2.gif --a--- 1663 bytes [23:27 03/08/2009] [22:17 21/11/2008]
i3.gif --a--- 1689 bytes [23:27 03/08/2009] [22:17 21/11/2008]
j1.gif --a--- 3957 bytes [23:27 03/08/2009] [22:12 21/11/2008]
j2.gif --a--- 47 bytes [23:27 03/08/2009] [22:12 21/11/2008]
j3.gif --a--- 3857 bytes [23:27 03/08/2009] [23:33 27/11/2008]
jj1.gif --a--- 114 bytes [23:27 03/08/2009] [22:14 21/11/2008]
jj2.gif --a--- 48 bytes [23:27 03/08/2009] [22:14 21/11/2008]
jj3.gif --a--- 105 bytes [23:27 03/08/2009] [22:40 21/11/2008]
l1.gif --a--- 3749 bytes [23:27 03/08/2009] [21:39 21/11/2008]
l2.gif --a--- 92 bytes [23:27 03/08/2009] [21:39 21/11/2008]
l3.gif --a--- 468 bytes [23:27 03/08/2009] [21:40 21/11/2008]
pix.gif --a--- 70 bytes [23:27 03/08/2009] [22:44 21/11/2008]
t1.gif --a--- 621 bytes [23:27 03/08/2009] [21:47 21/11/2008]
t2.gif --a--- 1015 bytes [23:27 03/08/2009] [22:17 21/11/2008]
up1.gif --a--- 5568 bytes [23:27 03/08/2009] [21:28 21/11/2008]
up2.gif --a--- 696 bytes [23:27 03/08/2009] [21:29 21/11/2008]
w1.gif --a--- 3028 bytes [23:27 03/08/2009] [21:56 21/11/2008]
w11.gif --a--- 3431 bytes [23:27 03/08/2009] [22:08 21/11/2008]
w2.gif --a--- 47 bytes [23:27 03/08/2009] [21:56 21/11/2008]
w3.gif --a--- 3430 bytes [23:27 03/08/2009] [23:30 27/11/2008]
w3.jpg --a--- 1912 bytes [23:27 03/08/2009] [23:34 27/11/2008]
wt1.gif --a--- 176 bytes [23:27 03/08/2009] [21:57 21/11/2008]
wt2.gif --a--- 51 bytes [23:27 03/08/2009] [21:57 21/11/2008]
wt3.gif --a--- 119 bytes [23:27 03/08/2009] [21:57 21/11/2008]

---Folders---
None found.

c:\Program Files\creytd - Parameters: "(none)"

---Files---
None found.

---Folders---
None found.

========== file ==========

C:\WINDOWS\system32\jdbgmgr.exe - File found and opened.
MD5: 9A717FC17EA205785094CAA96C30945C
Created at 06:24 on 24/01/2009
Modified at 18:29 on 02/06/1998
Size: 14848 bytes
Attributes: --a---
FileDescription: Microsoft® Debugger Registrar for Java
FileVersion: 5.00.2752
ProductVersion: 5.00.2752
OriginalFilename: JDBGMGR.EXE
InternalName: JDbgMgr
ProductName: Microsoft® Windows® Operating System
CompanyName: Microsoft Corporation
LegalCopyright: Copyright © Microsoft Corp. 1996-1998

========== reg ==========

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop]
(No values found)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\Components]
"DeskHtmlMinorVersion"= 0x0000000005 (5)
"DeskHtmlVersion"= 0x0000000110 (272)
"GeneralFlags"= 0000000000 (0)
"Settings"= 0x0000000001 (1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\Components\0]
"CurrentState"=02 00 00 40 (REG_BINARY)
"Flags"= 0x0000002000 (8192)
"FriendlyName"="tets"
"OriginalStateInfo"=18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 (REG_BINARY)
"Position"=2c 00 00 00 00 00 00 00 00 00 00 00 00 05 00 00 de 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 (REG_BINARY)
"RestoredStateInfo"=18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 (REG_BINARY)
"Source"="C:\WINDOWS\system32\onhelp.htm"
"SubscribedURL"="C:\WINDOWS\system32\onhelp.htm"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\General]
"BackupWallpaper"=""
"ComponentsPositioned"= 0x0000000001 (1)
"TileWallpaper"="0"
"Wallpaper"=""
"WallpaperFileTime"=00 00 00 00 00 00 00 00 (REG_BINARY)
"WallpaperLocalFileTime"=00 f8 29 17 d6 ff ff ff (REG_BINARY)
"WallpaperStyle"="2"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\Old WorkAreas]
"NoOfOldWorkAreas"= 0x0000000001 (1)
"OldWorkAreaRects"=00 00 00 00 00 00 00 00 00 05 00 00 de 02 00 00 (REG_BINARY)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\SafeMode]
(No values found)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\SafeMode\Components]
"DeskHtmlVersion"= 0000000000 (0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\SafeMode\General]
"VisitGallery"= 0000000000 (0)
"Wallpaper"="%SystemRoot%\Web\SafeMode.htt"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\Scheme]
"Display"=""
"Edit"=""


========== filefind ==========

Searching for "jdbgmgr.exe "
No files found.

-=End Of File=-
 
========== file ==========

C:\WINDOWS\system32\jdbgmgr.exe - File found and opened.
========== filefind ==========

Searching for "jdbgmgr.exe "
No files found.

Now that doesn't make any sense?

How can it not find the file if it has already opened it once?????

Let me have a think, I'll be back shortly.
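The log itself shows a likely cause of the contradiction: the :filefind term was logged as "jdbgmgr.exe " with a trailing space, whereas the :file section opened the file by its exact path. As an added example (not from the thread or from SystemLook's author), a Python check that parses a SystemLook log and flags any search term that reported nothing but, once stripped of surrounding whitespace, matches the name of a file the :file section did open:

```python
import ntpath
import re

# Excerpt of the SystemLook output quoted in the thread, embedded here as
# constructed sample input; the trailing space in the search term is as logged.
LOG_EXCERPT = """\
========== file ==========

C:\\WINDOWS\\system32\\jdbgmgr.exe - File found and opened.
MD5: 9A717FC17EA205785094CAA96C30945C
========== filefind ==========

Searching for "jdbgmgr.exe "
No files found.
"""

FOUND_RE = re.compile(r"^(?P<path>.+?) - File found and opened\.$", re.M)
SEARCH_RE = re.compile(r'^Searching for "(?P<term>[^"]*)"\n(?P<result>.+)$', re.M)

def parse_systemlook(text):
    """Return the paths the :file section opened and each :filefind term
    with its result line, keeping the term character-for-character."""
    found = [m.group("path") for m in FOUND_RE.finditer(text)]
    searches = [(m.group("term"), m.group("result")) for m in SEARCH_RE.finditer(text)]
    return {"found": found, "searches": searches}

def explain_mismatch(parsed):
    """For each empty filefind whose term only differs from an opened file's
    name by leading/trailing whitespace, return a human-readable note."""
    notes = []
    opened = {ntpath.basename(p).lower(): p for p in parsed["found"]}
    for term, result in parsed["searches"]:
        if not result.startswith("No files found"):
            continue
        clean = term.strip().lower()
        if clean in opened and clean != term.lower():
            notes.append('filefind term %r carries stray whitespace; stripped, '
                         'it matches the opened file %s' % (term, opened[clean]))
    return notes

if __name__ == "__main__":
    for note in explain_mismatch(parse_systemlook(LOG_EXCERPT)):
        print(note)
```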
 
----------------------------------------------------------------------------------------
Step 1


OTMoveIt
Please download OTM by OldTimer and save it to your desktop
  • Double-click OTM.exe to run it.
  • Copy the lines in the codebox below. (Make sure you include :Processes)
Code:
:Processes
:Reg
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\Components]
:Files
C:\WINDOWS\system32\onhelp.htm
c:\windows\system32\images
c:\Program Files\creytd
:Commands
[Purity]
[EmptyTemp]
  • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Close ALL open windows (especially Internet Explorer!)
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTM

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


----------------------------------------------------------------------------------------
Step 2


Download and Run Registry Search
Download (LINK >>>) Registry Search (<<< LINK) to your desktop.
  • Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
  • Open the new folder, and double click on regsearch.exe
  • In the top window copy/paste the following line
    • jdbgmgr
  • Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
  • Please save the text file on your desktop and call it found-entries.
Paste the results in your reply

----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large; you may need to split them over a couple of replies.
  • OTMoveIt Log
  • RegSearch Log
  • A fresh HJT log (C:\Program Files\trend micro\Owner.exe)
 
Logs as requested:

All processes killed
========== PROCESSES ==========
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\Components\ deleted successfully.
========== FILES ==========
C:\WINDOWS\system32\onhelp.htm moved successfully.
c:\windows\system32\images moved successfully.
c:\Program Files\creytd moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Owner
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 98438 bytes
->Java cache emptied: 13681514 bytes
->FireFox cache emptied: 36879139 bytes
->Google Chrome cache emptied: 5928795 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 5310 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 54.00 mb


OTM by OldTimer - Version 3.0.0.6 log created on 08112009_083623

Files moved on Reboot...

Registry entries deleted on Reboot...

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.6.0

; Results at 8/11/2009 8:43:33 AM for strings:
; 'jdbgmgr
* jdbgmgr
jdbgmgr'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:28 AM, on 8/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\pmta\gmsmux\wrapper.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\pmta\jre\bin\java.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\Program Files\trend micro\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_15.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_15.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229973284213
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Visual Studio Analyzer RPC bridge - Unknown owner - C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe (file missing)

--
End of file
 
After a bit more research, you don't actually need the jdbgmgr.exe file unless you develop Java programs.



OTMoveIt

  • Double-click OTM.exe to run it.
  • Copy the lines in the codebox below. (Make sure you include :Processes)
Code:
:Processes
:Files
C:\WINDOWS\system32\jdbgmgr.exe
:Commands
  • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Close ALL open windows (especially Internet Explorer!)
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTM

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



How are things running now, any problems still ?
 
Due to inactivity, this thread will now be closed.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
 