Infected With Trojan.win32.monderb.gen


7 replies to this topic

#1 aspic

Posted 25 July 2008 - 09:47 PM

Hi

I am having trouble removing this trojan. Kaspersky is unable to remove it. I have Kaspersky anti-virus 7.0. Below are my reports.

Thanks so much in advance!

Rael




Deckard's System Scanner v20071014.68
Run by Rael on 2008-07-26 04:29:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Rael.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:33:56 AM, on 2008/07/26
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Ad-Aware 2008 Pro\aawservice.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Spyware Doctor 5.5\Spyware Doctor 5.5.0.178 - Final UPDATED\Spyware Doctor\pctsTray.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Diskeeper PRO PREMIERE 2008 12.0.781(NEW-with serial keys)\Diskeeper PRO PREMIERE 2008 12.0.781\DkService.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Sunbelt CounterSpy 2.5.1043\SBCSSvc.exe
C:\Program Files\Spyware Doctor 5.5\Spyware Doctor 5.5.0.178 - Final UPDATED\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor 5.5\Spyware Doctor 5.5.0.178 - Final UPDATED\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Mbam Malware Remover\dss.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\conime.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Rael.exe
C:\Program Files\Mozilla\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.soccernet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxyss.wits.ac.za:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *wits.ac.za;146.141.*
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: sqvgnrpx - {1BFB720F-B45D-43FF-8AE1-54C86718DE99} - C:\Windows\sqvgnrpx.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [HWSetup] \HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor 5.5\Spyware Doctor 5.5.0.178 - Final UPDATED\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: eBay.co.uk - Buy It Sell It Love It - {76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4 (file missing)
O9 - Extra button: Amazon.co.uk - {8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redire...1&site=home (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: eBay - {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?EN (file missing)
O13 - Gopher Prefix:
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL,C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll,
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware 2008 Pro\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper PRO PREMIERE 2008 12.0.781(NEW-with serial keys)\Diskeeper PRO PREMIERE 2008 12.0.781\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt CounterSpy 2.5.1043\SBCSSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor 5.5\Spyware Doctor 5.5.0.178 - Final UPDATED\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor 5.5\Spyware Doctor 5.5.0.178 - Final UPDATED\Spyware Doctor\pctsSvc.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 12094 bytes

-- File Associations -----------------------------------------------------------

.js - unable to read key
.js - unable to read key
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*
.txt - unable to read key
.txt - unable to read key


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 CFSvcs (ConfigFree Service) - c:\program files\toshiba\configfree\cfsvcs.exe <Not Verified; TOSHIBA CORPORATION; ConfigFree™>
R2 TNaviSrv (TOSHIBA Navi Support Service) - c:\program files\toshiba\toshiba dvd player\tnavisrv.exe <Not Verified; TOSHIBA Corporation; TOSHIBA DVD Player>
R2 TODDSrv (TOSHIBA Optical Disc Drive Service) - c:\windows\system32\toddsrv.exe <Not Verified; TOSHIBA Corporation; TDCSrv Application>

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-06-26 and 2008-07-26 -----------------------------

2008-07-26 04:32:38 0 d-------- C:\Program Files\Trend Micro
2008-07-26 04:06:14 0 d-------- C:\Users\All Users\Malwarebytes
2008-07-26 04:05:16 0 d-------- C:\Program Files\Mbam Malware Remover
2008-07-09 20:30:03 0 d-------- C:\Users\Rael\8-6_vista32_dd_ccc_wdm_enu_64789
2008-07-03 10:35:55 0 --a------ C:\Windows\system32\SBRC.dat
2008-07-03 10:35:55 0 --a------ C:\Windows\system32\SBFC.dat
2008-07-03 10:35:08 0 d-------- C:\Users\All Users\Sunbelt Software
2008-07-02 20:24:11 0 d-------- C:\Program Files\Sunbelt CounterSpy 2.5.1043
2008-07-02 00:26:37 0 d-------- C:\Program Files\Microsoft Games
2008-06-26 19:59:26 0 d-------- C:\Users\All Users\Office Genuine Advantage


-- Find3M Report ---------------------------------------------------------------

2008-07-26 04:33:08 0 d-------- C:\Program Files\Mozilla
2008-07-26 04:19:12 12 --a------ C:\Windows\bthservsdp.dat
2008-07-26 04:06:21 0 d-------- C:\Users\Rael\AppData\Roaming\Malwarebytes
2008-07-10 13:45:56 0 d-------- C:\Program Files\Games
2008-07-09 20:28:35 0 d-------- C:\Program Files\ATI Technologies
2008-07-09 19:49:56 0 d-------- C:\Program Files\Common Files
2008-07-08 00:55:06 0 d-------- C:\Program Files\Adobe Acrobat Professional 8.10
2008-07-05 18:46:40 0 d-------- C:\Program Files\TOSHIBA
2008-07-04 14:52:45 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-03 10:35:12 0 d-------- C:\Users\Rael\AppData\Roaming\Sunbelt Software
2008-07-03 10:15:13 0 d-------- C:\Users\Rael\AppData\Roaming\Adobe
2008-07-02 22:06:56 0 d-------- C:\Users\Rael\AppData\Roaming\dvdcss
2008-06-24 00:13:59 0 d-------- C:\Users\Rael\AppData\Roaming\Skype
2008-06-24 00:02:07 0 d-------- C:\Users\Rael\AppData\Roaming\skypePM
2008-06-23 11:34:49 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-23 11:31:59 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-17 19:51:29 0 d-------- C:\Users\Rael\AppData\Roaming\Mozilla
2008-06-16 11:13:41 0 d-------- C:\Program Files\Ad-Aware 2008 Pro
2008-06-15 12:29:57 0 d-------- C:\Program Files\Kaspersky Lab
2008-06-15 10:21:23 0 d-------- C:\Program Files\Google
2008-06-14 14:14:13 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-11 17:40:19 0 d-------- C:\Program Files\Windows Mail
2008-06-02 16:49:35 0 d-------- C:\Program Files\Common Files\PX Storage Engine
2008-05-26 15:41:18 0 d-------- C:\Program Files\Magic ISO Maker
2008-05-05 15:06:02 0 -rahs---- C:\MSDOS.SYS
2008-05-05 15:06:02 0 -rahs---- C:\IO.SYS


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008/01/18 11:38 PM]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007/04/03 09:37 AM]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2007/04/03 09:37 AM]
"KeNotify"="C:\Program Files\TOSHIBA\Utilities\KeNotify.exe" [2006/11/06 06:14 PM]
"SVPWUTIL"="C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006/03/22 10:42 PM]
"HWSetup"="\HWSetup.exe" []
"RtHDVCpl"="RtHDVCpl.exe" [2007/09/03 12:39 PM C:\Windows\RtHDVCpl.exe]
"NDSTray.exe"="NDSTray.exe" []
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006/11/10 02:35 PM]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2006/09/11 04:21 PM]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007/02/12 02:37 PM]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007/01/01 11:22 PM]
"@"="" []
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004/08/09 06:03 AM]
"RegistryMechanic"="" []
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007/06/28 12:51 PM]
"ISTray"="C:\Program Files\Spyware Doctor 5.5\Spyware Doctor 5.5.0.178 - Final UPDATED\Spyware Doctor\pctsTray.exe" [2008/02/01 12:55 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004/08/09 06:03 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"PromptOnSecureDesktop"=0 (0x0)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{33DA9E3C-935E-4EC2-977D-AFE3A3B5E727}"= C:\Windows\system32\mlJBUNDV.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL,C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBCSSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc CscService TabletInputService UmRdpService wlansvc WPDBusEnum EMDMgmt
LocalServiceNoNetwork PLA DPS BFE mpssvc
LocalServiceNetworkRestricted DHCP eventlog AudioSrv LmHosts wscsvc p2pimsvc PNRPSvc p2psvc PnrpAutoReg
bthsvcs BthServ
HPZ12 Pml Driver HPZ12 Net Driver HPZ12


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ed1544e0-fb30-11dc-88eb-001de0a68769}]
AutoRun\command- D:\setupSNK.exe

*Newly Created Service* - SBAPIFS

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-07-26 04:36:34 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Business (build 6001) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 Duo CPU T7500 @ 2.20GHz
Percentage of Memory in Use: 46%
Physical Memory (total/avail): 2045.69 MiB / 1098.02 MiB
Pagefile Memory (total/avail): 4334.41 MiB / 2965.82 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1900.18 MiB

C: is Fixed (NTFS) - 116.44 GiB total, 66.59 GiB free.
D: is CDROM (No Media)
E: is Fixed (NTFS) - 114.98 GiB total, 70 GiB free.
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - TOSHIBA MK2546GSX - 232.88 GiB - 3 partitions
\PARTITION0 - Unknown - 1500 MiB
\PARTITION1 (bootable) - Installable File System - 116.44 GiB - C:
\PARTITION2 - Installable File System - 114.98 GiB - E:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: Kaspersky Anti-Virus v7.0.0.125 (Kaspersky Lab)
AS: Spyware Doctor v5.5.0.204 (PC Tools)
AS: Kaspersky Anti-Virus v7.0.0.125 (Kaspersky Lab)
AS: Sunbelt Software Sunbelt CounterSpy 2.5.1043 v2.5.1043 (Sunbelt Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Rael\AppData\Roaming
CLASSPATH=.;C:\Program Files\Java\jre1.6.0\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=RAEL-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Rael
LOCALAPPDATA=C:\Users\Rael\AppData\Local
LOGONSERVER=\\RAEL-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\QuickTime\QTSystem\;C:\PROGRA~1\DISKEE~1.781\DISKEE~1.781\;C:\Program Files\Common Files\Teleca Shared
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 11, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0b
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\Java\jre1.6.0\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Rael\AppData\Local\Temp
TMP=C:\Users\Rael\AppData\Local\Temp
USERDOMAIN=Rael-PC
USERNAME=Rael
USERPROFILE=C:\Users\Rael
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

Rael (admin)


-- Add/Remove Programs ---------------------------------------------------------

2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
Activation Assistant for the 2007 Microsoft Office suites --> "C:\ProgramData\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}\Microsoft Office Activation Assistant.exe" REMOVE=TRUE MODIFY=FALSE
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 8.1.0 Professional --> msiexec /I {AC76BA86-1033-F400-7760-000000000003}
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific --> MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings --> C:\Program Files\Common Files\Adobe\Installers\6c8e2cb4fd241c55406016127a6ab2e\Setup.exe
Adobe Color Common Settings --> MsiExec.exe /I{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2 --> C:\Program Files\Common Files\Adobe\Installers\3e054d2218e7aa282c2369d939e58ff\Setup.exe
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3 --> C:\Program Files\Common Files\Adobe\Installers\719d6f144d0c086a0dfa7ff76bb9ac1\Setup.exe
Adobe Photoshop CS3 --> MsiExec.exe /I{3D7E3EC9-46CF-4359-9289-39CE01DFB82F}
Adobe Setup --> MsiExec.exe /I{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}
Adobe Setup --> MsiExec.exe /I{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}
Adobe Setup --> MsiExec.exe /I{FF11004C-F42A-4A31-9BCF-7F5C8FDBE53C}
Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3 --> MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
ALPS Touch Pad Driver --> C:\Program Files\Apoint2K\Uninstap.exe ADDREMOVE
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Avanquest update --> C:\Program Files\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\setup.exe -runfromtemp -l0x0009 -removeonly
BitLord 1.1 --> C:\Program Files\Bitlord 1.1\BitLord\uninst.exe
Bluetooth Stack for Windows by Toshiba --> MsiExec.exe /X{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}
Catalyst Control Center - Branding --> MsiExec.exe /I{22543949-70E8-45D0-A938-F38143EB8BF8}
CD/DVD Drive Acoustic Silencer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}\setup.exe" -l0x9
Diskeeper 2008 Pro Premier --> MsiExec.exe /X{B695F0BF-D610-4C5E-B7AC-C9FF6C172CC0}
Emdedded IR Driver --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{A6D4234C-CB02-4048-AC3E-AD09404FA35A}
Football Manager 2008 --> "C:\Program Files\Games\Football manager 2008\Uninstall_Football Manager 2008\Uninstall Football Manager 2008.exe"
Free Games Offer, Desktop Shortcut --> MsiExec.exe /X{31DABA20-10A1-4746-9D9F-57955B8DFF66}
GMAT GRE Test --> C:\Windows\ST5UNST.EXE -n "c:\Users\Rael\Desktop\Current\Gmat\800 SCOREGMAT\GMAT 800 Score\ST5UNST.LOG"
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Talk (remove only) --> "C:\Program Files\Google\Google Talk\uninstall.exe"
Intel Matrix Storage Manager --> C:\Windows\system32\imsmudlg.exe -uninstall
iTunes --> MsiExec.exe /I{80FD852F-5AAC-4129-B931-06AAFFA43138}
Java™ SE Runtime Environment 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
Kaspersky Anti-Virus 7.0 --> MsiExec.exe /I{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}
Kaspersky Anti-Virus 7.0 --> MsiExec.exe /I{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}
Lightroom --> MsiExec.exe /I{6297F8EC-D821-4B33-B845-8A8D1A0DF472}
Lizardtech DjVu Control (autoinstall) --> RunDll32 advpack.dll,LaunchINFSection C:\Windows\INF\DjVuLite.us.inf,DefaultUninstall,5
Magic ISO Maker v5.4 (build 0239) --> C:\PROGRA~1\MAGICI~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MAGICI~1\MagicISO\INSTALL.LOG
Malwarebytes' Anti-Malware --> "C:\Program Files\Mbam Malware Remover\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office 2003 Web Components --> MsiExec.exe /I{90A40409-6000-11D3-8CFE-0150048383C9}
Microsoft Office 2007 Primary Interop Assemblies --> MsiExec.exe /X{50120000-1105-0000-0000-0000000FF1CE}
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Small Business Connectivity Components --> MsiExec.exe /X{A939D341-5A04-4E0A-BB55-3E65B386432D}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server Native Client --> MsiExec.exe /I{50A0893D-47D8-48E0-A7E8-44BCD7E4422E}
Microsoft SQL Server Setup Support Files (English) --> MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer --> MsiExec.exe /I{C0D2F614-5CE5-4DCB-8678-E5C9AF7044F8}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Mozilla Firefox (3.0.1) --> C:\Program Files\Mozilla\uninstall\helper.exe
MSXML 4.0 SP2 (KB927978) --> MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
QuickTime --> MsiExec.exe /I{BFD96B89-B769-4CD6-B11E-E79FFD46F067}
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista --> C:\Program Files\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\setup.exe -runfromtemp -l0x0009 -removeonly
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
Registry Mechanic 7.0 --> "C:\Program Files\Registry Mechanic 7.0\Registry Mechanic v7.0.0.1010\Registry.Mechanic.v7.0.0.1010.Incl.Keymaker-TSRh\Registry Mechanic\unins000.exe"
SAS 9.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{68624FB8-2512-46B5-9664-64366DCCB3EB}\setup.exe" -l0x9 uninstall
SAS Enterprise Guide 4 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E0E662A9-EDC9-4C8B-9E84-448646810926}\Setup.exe" -l0x9 -removeonly "uninstall"
SAS Private JRE (J2SE™ Java Runtime Environment 1.4.2_09) --> C:\Program Files\SAS\Shared Files\JRE\1.4.2_09\_uninst\Uninst.exe
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Excel 2007 (KB946974) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Microsoft Office Publisher 2007 (KB950114) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Office 2007 (KB947801) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Security Update for Outlook 2007 (KB946983) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {66B9496E-C0C3-4065-9868-85CCA92126C3}
Security Update for Visio 2007 (KB947590) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41}
Shockwave --> C:\Windows\System32\Macromed\SHOCKW~1\UNWISE.EXE C:\Windows\System32\Macromed\SHOCKW~1\Install.log
Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Sony Ericsson PC Suite 3.207.00 --> C:\Program Files\InstallShield Installation Information\{2FFE93F0-BB72-4E52-8761-354D1AAA9387}\Setup.exe -runfromtemp -l0x0009 -removeonly
Spyware Doctor 5.5 --> C:\Program Files\Spyware Doctor 5.5\Spyware Doctor 5.5.0.178 - Final UPDATED\Spyware Doctor\unins000.exe /LOG
Texas Instruments PCIxx21/x515/xx12 drivers. --> C:\Program Files\InstallShield Installation Information\{DB780B85-B4B5-4864-A49C-9B706B169C93}\setup.exe -runfromtemp -l0x0409
Theme Hospital --> C:\Windows\uninst.exe -f"c:\program files\games\theme hospital\DeIsL1.isu"
TOSHIBA Assist --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{12B3A009-A080-4619-9A2A-C6DB151D8D67}\setup.exe" -l0x9
TOSHIBA ConfigFree --> C:\Program Files\InstallShield Installation Information\{78C6A78A-8B03-48C8-A47C-78BA1FCA2307}\setup.exe -runfromtemp -l0x0009 uninstall
TOSHIBA Disc Creator --> MsiExec.exe /X{5DA0E02F-970B-424B-BF41-513A5018E4C0}
TOSHIBA DVD PLAYER --> C:\Program Files\InstallShield Installation Information\{6C5F3BDC-0A1B-4436-A696-5939629D5C31}\setup.exe -runfromtemp -l0x0009 -ADDREMOVE -removeonly
TOSHIBA Extended Tiles for Windows Mobility Center --> C:\Program Files\InstallShield Installation Information\{617C36FD-0CBE-4600-84B2-441CEB12FADF}\setup.exe -runfromtemp -l0x0409
TOSHIBA Flash Cards Support Utility --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{620BBA5E-F848-4D56-8BDA-584E44584C5E}
TOSHIBA Hardware Setup --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{5279374D-87FE-4879-9385-F17278EBB9D3} /l1033
Toshiba Online Product Information --> C:\Program Files\InstallShield Installation Information\{2290A680-4083-410A-ADCC-7092C67FC052}\setup.exe -runfromtemp -l0x0009 -removeonly
TOSHIBA SD Memory Utilities --> MsiExec.exe /X{EBFF48F5-3CFA-436F-8FD5-94FB01D3A0A7}
TOSHIBA Software Modem --> Tosmreg -U
TOSHIBA Supervisor Password --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE} /l1033
Update for Office 2007 (KB946691) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb950378) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F6296086-AED5-4EC0-938B-08EA0254F20E}
VideoLAN VLC media player 0.8.6f --> C:\Program Files\VideoLan\VLC\uninstall.exe
Virtua Tennis 3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9B63540D-D942-4C38-B42E-A48AE0145970}\setup.exe" -l0x9 -removeonly
Windows Media Player Firefox Plugin --> MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
WinZip --> "C:\Program Files\Winzip\WINZIP32.EXE" /uninstall


-- Application Event Log -------------------------------------------------------

Event Record #/Type19576 / Success
Event Submitted/Written: 07/26/2008 04:20:52 AM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type19575 / Success
Event Submitted/Written: 07/26/2008 04:20:50 AM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type19571 / Success
Event Submitted/Written: 07/26/2008 04:20:45 AM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.

Event Record #/Type19560 / Warning
Event Submitted/Written: 07/26/2008 04:18:58 AM
Event ID/Source: 1530 / profsvc
Event Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-1808472143-2976545705-3064896536-1003_Classes:
Process 1100 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1808472143-2976545705-3064896536-1003_CLASSES

Event Record #/Type19559 / Warning
Event Submitted/Written: 07/26/2008 04:18:56 AM
Event ID/Source: 1530 / profsvc
Event Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
12 user registry handles leaked from \Registry\User\S-1-5-21-1808472143-2976545705-3064896536-1003:
Process 3248 (\Device\HarddiskVolume2\Program Files\Diskeeper PRO PREMIERE 2008 12.0.781(NEW-with serial keys)\Diskeeper PRO PREMIERE 2008 12.0.781\DkService.exe) has opened key \REGISTRY\USER\S-1-5-21-1808472143-2976545705-3064896536-1003
Process 3248 (\Device\HarddiskVolume2\Program Files\Diskeeper PRO PREMIERE 2008 12.0.781(NEW-with serial keys)\Diskeeper PRO PREMIERE 2008 12.0.781\DkService.exe) has opened key \REGISTRY\USER\S-1-5-21-1808472143-2976545705-3064896536-1003
Process 1100 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1808472143-2976545705-3064896536-1003
Process 3248 (\Device\HarddiskVolume2\Program Files\Diskeeper PRO PREMIERE 2008 12.0.781(NEW-with serial keys)\Diskeeper PRO PREMIERE 2008 12.0.781\DkService.exe) has opened key \REGISTRY\USER\S-1-5-21-1808472143-2976545705-3064896536-1003\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 3248 (\Device\HarddiskVolume2\Program Files\Diskeeper PRO PREMIERE 2008 12.0.781(NEW-with serial keys)\Diskeeper PRO PREMIERE 2008 12.0.781\DkService.exe) has opened key \REGISTRY\USER\S-1-5-21-1808472143-2976545705-3064896536-1003\Software\Microsoft\SystemCertificates\Root
Process 3248 (\Device\HarddiskVolume2\Program Files\Diskeeper PRO PREMIERE 2008 12.0.781(NEW-with serial keys)\Diskeeper PRO PREMIERE 2008 12.0.781\DkService.exe) has opened key \REGISTRY\USER\S-1-5-21-1808472143-2976545705-3064896536-1003\Software\Policies\Microsoft\SystemCertificates
Process 3248 (\Device\HarddiskVolume2\Program Files\Diskeeper PRO PREMIERE 2008 12.0.781(NEW-with serial keys)\Diskeeper PRO PREMIERE 2008 12.0.781\DkService.exe) has opened key \REGISTRY\USER\S-1-5-21-1808472143-2976545705-3064896536-1003\Software\Policies\Microsoft\SystemCertificates
Process 3248 (\Device\HarddiskVolume2\Program Files\Diskeeper PRO PREMIERE 2008 12.0.781(NEW-with serial keys)\Diskeeper PRO PREMIERE 2008 12.0.781\DkService.exe) has opened key \REGISTRY\USER\S-1-5-21-1808472143-2976545705-3064896536-1003\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness
Process 3248 (\Device\HarddiskVolume2\Program Files\Diskeeper PRO PREMIERE 2008 12.0.781(NEW-with serial keys)\Diskeeper PRO PREMIERE 2008 12.0.781\DkService.exe) has opened key \REGISTRY\USER\S-1-5-21-1808472143-2976545705-3064896536-1003\Software\Microsoft\SystemCertificates\trust
Process 3248 (\Device\HarddiskVolume2\Program Files\Diskeeper PRO PREMIERE 2008 12.0.781(NEW-with serial keys)\Diskeeper PRO PREMIERE 2008 12.0.781\DkService.exe) has opened key \REGISTRY\USER\S-1-5-21-1808472143-2976545705-3064896536-1003\Software\Microsoft\SystemCertificates\My
Process 3248 (\Device\HarddiskVolume2\Program Files\Diskeeper PRO PREMIERE 2008 12.0.781(NEW-with serial keys)\Diskeeper PRO PREMIERE 2008 12.0.781\DkService.exe) has opened key \REGISTRY\USER\S-1-5-21-1808472143-2976545705-3064896536-1003\Software\Microsoft\SystemCertificates\My
Process 3248 (\Device\HarddiskVolume2\Program Files\Diskeeper PRO PREMIERE 2008 12.0.781(NEW-with serial keys)\Diskeeper PRO PREMIERE 2008 12.0.781\DkService.exe) has opened key \REGISTRY\USER\S-1-5-21-1808472143-2976545705-3064896536-1003\Software\Microsoft\SystemCertificates\CA



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type59722 / Warning
Event Submitted/Written: 07/26/2008 04:34:15 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%Rael-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Rael-PC27 can't undo changes that you allow.

For more information please see the following:
%Rael-PC275

Scan ID: {51B8242B-580A-427B-884F-C3B87DE20132}

User: Rael-PC\Rael

Name: %Rael-PC271

ID: %Rael-PC272

Severity ID: %Rael-PC273

Category ID: %Rael-PC274

Path Found: %Rael-PC276

Alert Type: %Rael-PC278

Detection Type: 1.1.1600.02

Event Record #/Type59721 / Warning
Event Submitted/Written: 07/26/2008 04:34:14 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%Rael-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Rael-PC27 can't undo changes that you allow.

For more information please see the following:
%Rael-PC275

Scan ID: {8354B24D-046E-4F1D-8A5B-FE48E416D063}

User: Rael-PC\Rael

Name: %Rael-PC271

ID: %Rael-PC272

Severity ID: %Rael-PC273

Category ID: %Rael-PC274

Path Found: %Rael-PC276

Alert Type: %Rael-PC278

Detection Type: 1.1.1600.02

Event Record #/Type59720 / Warning
Event Submitted/Written: 07/26/2008 04:34:14 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%Rael-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Rael-PC27 can't undo changes that you allow.

For more information please see the following:
%Rael-PC275

Scan ID: {744D3ECB-660B-47B3-89C3-86C59635391E}

User: Rael-PC\Rael

Name: %Rael-PC271

ID: %Rael-PC272

Severity ID: %Rael-PC273

Category ID: %Rael-PC274

Path Found: %Rael-PC276

Alert Type: %Rael-PC278

Detection Type: 1.1.1600.02

Event Record #/Type59719 / Warning
Event Submitted/Written: 07/26/2008 04:34:14 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%Rael-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Rael-PC27 can't undo changes that you allow.

For more information please see the following:
%Rael-PC275

Scan ID: {6A6EF92C-347E-4F96-9725-6C1A1916D28E}

User: Rael-PC\Rael

Name: %Rael-PC271

ID: %Rael-PC272

Severity ID: %Rael-PC273

Category ID: %Rael-PC274

Path Found: %Rael-PC276

Alert Type: %Rael-PC278

Detection Type: 1.1.1600.02

Event Record #/Type59718 / Warning
Event Submitted/Written: 07/26/2008 04:34:10 AM
Event ID/Source: 3004 / WinDefend
Event Description:
%Rael-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Rael-PC27 can't undo changes that you allow.

For more information please see the following:
%Rael-PC275

Scan ID: {D5439557-EB14-4D9E-8098-BF0055CFCFDB}

User: Rael-PC\Rael

Name: %Rael-PC271

ID: %Rael-PC272

Severity ID: %Rael-PC273

Category ID: %Rael-PC274

Path Found: %Rael-PC276

Alert Type: %Rael-PC278

Detection Type: 1.1.1600.02



-- End of Deckard's System Scanner: finished at 2008-07-26 04:36:34 ------------


detected: Trojan program Trojan-Downloader.Win32.Delf.jpp URL h**p://dl.winspywareprotects.com/*/226.exe
deleted: Trojan program Trojan.Win32.Monderb.gen File: C:\Windows\System32\mlJBUNDV.dll
not found: Trojan program Trojan.Win32.Monderb.gen File: C:\Users\Rael\AppData\Local\Temp\tmp0000adbb
deleted: Trojan program Trojan.Win32.Monderb.gen File: C:\Users\Rael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S9DI2KGI\css4[1]
deleted: Trojan program Trojan.Win32.Monderb.gen File: C:\Users\Rael\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TD3HC04R\css4[1]
deleted: Trojan program Trojan.Win32.Monderb.gen File: C:\Users\Rael\AppData\Local\Temp\tmp0000973f
deleted: Trojan program Trojan.Win32.Monderb.gen File: C:\Users\Rael\AppData\Local\Temp\tmp0000a91a
not found: Trojan program Trojan.Win32.Monderb.gen File: C:\Users\Rael\AppData\Local\Temp\tmp0000ae77
deleted: Trojan program Trojan.Win32.Monderb.gen File: C:\Users\Rael\AppData\Local\Temp\tmp0000c1d7
deleted: Trojan program Trojan.Win32.Monderb.gen File: C:\Users\Rael\AppData\Local\Temp\tmp0000caec
not found: Trojan program Trojan.Win32.Monderb.gen File: C:\Windows\System32\wvUkKcAT.dll

Edited by steamwiz, 26 July 2008 - 04:36 PM.
disabled live link to malware download



#2 steamwiz

Posted 26 July 2008 - 04:52 PM

Hi

It looks to me as though Kaspersky has removed any Trojan.win32.monder files ...

All I see that's left is a couple of orphan registry keys ...

Even though you have Kaspersky installed,

Please run a Kaspersky Online Scan

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

Click Accept

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives, Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Once finished, save the log to your Desktop as filename KAV.txt
THEN ...

Please Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

ALSO...

You are running an out-of-date version of Java

Go to add/remove programs and uninstall any earlier versions ... in your case :-

Java™ SE Runtime Environment 6

Then You can go here and install the latest version of Java.

http://java.sun.com/javase/downloads/index.jsp

Scroll down the page to 'Java Runtime Environment (JRE) 6 Update 7' and press the 'Download' button.


Running an out-of-date version of Java is an infection risk.

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#3 aspic

Posted 27 July 2008 - 03:32 PM

Hey Steamwiz

Thanks so much for helping me out. I updated my Java. The problem is that my computer is still much slower than before it got infected. Firefox often just freezes and opening windows explorer takes much longer. Is there anything else you can suggest?

Thanks so much once again!

Rael



Here is the Kaspersky report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, July 27, 2008
Operating System: Microsoft Windows Vista Business Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, July 27, 2008 14:00:08
Records in database: 1014481
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 162341
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:54:40

No malware has been detected. The scan area is clean.

The selected area was scanned.

And here is the Malwarebytes report:

Malwarebytes' Anti-Malware 1.23
Database version: 998
Windows 6.0.6001 Service Pack 1

10:17:27 PM 2008/07/27
mbam-log-7-27-2008 (22-17-27).txt

Scan type: Quick Scan
Objects scanned: 37375
Time elapsed: 6 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 steamwiz

Posted 28 July 2008 - 02:55 PM

Hi Rael

As you can see from the scans I asked you to do, they found nothing ...

There are a couple more programs I'd like you to run: the first (CCleaner) often helps speed up slow computers, the second is another excellent malware scanner ...

First...

Please Download CCleaner from :-

http://www.filehippo.com/download_ccleaner/ (click the download tab)

During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.

Double-click the ccsetup.exe file and install the program...

After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Make sure the "windows" tab is selected

Under "internet explorer" tick...

Temporary internet files
Cookies* > see Note below
History
Recently typed URLs
(leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history


under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently used lists"

Other explorer MRUs
(leave this unticked if you DON'T want to clear lists such as the start\run list)

under "System"

Tick ALL these ...


under "Advanced"

no need to tick any of these (but you can if you want, and realise what they do)


Applications tab...

These will mostly clean out old log files for these applications...

Clean:- (if you use them)

Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm

...
Personally I clean everything in the applications tab... but you tick what you want...

Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

click "analyse" if you want to see a list of what is going to be removed, before it is removed.

Or

click "run cleaner" to let it get on with its work... clicking this will result in the following pop-up

"This process will permanently delete files from your system. Are you sure you wish to proceed?"

click OK.

Second...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#5 aspic

Posted 04 August 2008 - 12:13 PM

Hey Steamwiz

Sorry for the delay, here is the results log from Combofix:

ComboFix 08-07-25.4 - Rael 2008-08-04 18:38:18.1 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.1290 [GMT 2:00]
Running from: C:\Program Files\Mbam Malware Remover\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-07-04 to 2008-08-04 )))))))))))))))))))))))))))))))
.

2008-07-28 22:45 . 2008-07-28 23:09 <DIR> d-------- C:\Program Files\Maintenance
2008-07-28 11:37 . 2008-07-28 23:14 <DIR> d-------- C:\Program Files\PC Mark
2008-07-27 16:16 . 2008-07-27 16:16 <DIR> d-------- C:\Windows\Sun
2008-07-27 16:11 . 2008-07-27 16:11 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-26 04:32 . 2008-07-26 04:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-26 04:29 . 2008-07-26 04:29 <DIR> d-------- C:\Deckard
2008-07-26 04:06 . 2008-07-26 04:06 <DIR> d-------- C:\Users\Rael\AppData\Roaming\Malwarebytes
2008-07-26 04:06 . 2008-07-26 04:06 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-07-26 04:06 . 2008-07-26 04:06 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-07-26 04:06 . 2008-07-23 20:09 38,472 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-07-26 04:06 . 2008-07-23 20:09 17,144 --a------ C:\Windows\System32\drivers\mbam.sys
2008-07-26 04:05 . 2008-07-26 04:28 <DIR> d-------- C:\Program Files\Mbam Malware Remover
2008-07-09 20:30 . 2008-07-09 20:47 <DIR> d-------- C:\Users\Rael\8-6_vista32_dd_ccc_wdm_enu_64789

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-04 16:36 13,898,784 --sha-w C:\Windows\system32\drivers\fidbox.dat
2008-08-04 16:34 --------- d-----w C:\ProgramData\Kaspersky Lab
2008-08-04 16:32 192,320 --sha-w C:\Windows\system32\drivers\fidbox.idx
2008-08-04 16:25 --------- d---a-w C:\ProgramData\TEMP
2008-08-04 13:19 --------- d-----w C:\Program Files\Mozilla
2008-08-03 22:04 --------- d-----w C:\Users\Rael\AppData\Roaming\skypePM
2008-08-03 22:04 --------- d-----w C:\Users\Rael\AppData\Roaming\Skype
2008-07-28 10:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-27 15:35 --------- d-----w C:\Program Files\Java
2008-07-25 19:30 96,559 ----a-w C:\Windows\system32\drivers\klin.dat
2008-07-25 19:30 87,855 ----a-w C:\Windows\system32\drivers\klick.dat
2008-07-10 11:45 --------- d-----w C:\Program Files\Games
2008-07-09 23:07 --------- d-----w C:\Program Files\Sunbelt CounterSpy 2.5.1043
2008-07-09 18:28 --------- d-----w C:\Program Files\ATI Technologies
2008-07-07 22:55 --------- d-----w C:\Program Files\Adobe Acrobat Professional 8.10
2008-07-05 16:46 --------- d-----w C:\Program Files\TOSHIBA
2008-07-05 12:13 --------- d-----w C:\ProgramData\Microsoft Help
2008-07-04 12:52 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-03 08:35 --------- d-----w C:\Users\Rael\AppData\Roaming\Sunbelt Software
2008-07-03 08:35 --------- d-----w C:\ProgramData\Sunbelt Software
2008-07-02 20:06 --------- d-----w C:\Users\Rael\AppData\Roaming\dvdcss
2008-07-01 22:26 --------- d-----w C:\Program Files\Microsoft Games
2008-06-26 17:59 --------- d-----w C:\ProgramData\Office Genuine Advantage
2008-06-23 09:41 --------- d-----w C:\ProgramData\CheckPoint
2008-06-23 09:34 --------- d-----w C:\ProgramData\Symantec
2008-06-23 09:34 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-16 09:13 --------- d-----w C:\Program Files\Ad-Aware 2008 Pro
2008-06-15 22:43 --------- d-----w C:\ProgramData\FLEXnet
2008-06-15 10:53 112,144 ----a-w C:\Windows\system32\drivers\kl1.sys
2008-06-15 10:29 --------- d-----w C:\Program Files\Kaspersky Lab
2008-06-15 10:27 --------- d-----w C:\ProgramData\Kaspersky Lab Setup Files
2008-06-15 08:21 --------- d-----w C:\Program Files\Google
2008-06-14 12:15 --------- d-----w C:\ProgramData\Lavasoft
2008-06-14 12:14 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-11 15:40 --------- d-----w C:\Program Files\Windows Mail
2008-05-16 09:58 12,632 ----a-w C:\Windows\System32\lsdelete.exe
2008-03-27 18:12 174 --sha-w C:\Program Files\desktop.ini
2008-03-27 15:03 32 ----a-w C:\Users\All Users\ezsid.dat
2008-03-27 15:03 32 ----a-w C:\ProgramData\ezsid.dat
2008-03-27 14:02 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-03-27 14:02 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-03-27 14:02 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 06:03 221184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007-04-03 09:37 154392]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2007-04-03 09:37 133912]
"KeNotify"="C:\Program Files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-06 18:14 34352]
"SVPWUTIL"="C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-03-22 22:42 438272]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 14:35 90112]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2006-09-11 16:21 180224]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 14:37 174872]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 23:22 3739648]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 06:03 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"RtHDVCpl"="RtHDVCpl.exe" [2007-09-03 12:39 4702208 C:\Windows\RtHDVCpl.exe]
"NDSTray.exe"="NDSTray.exe" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL,C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{3DCE5E32-CD80-4DEE-ADB5-7A3982E0FC8F}"= UDP:C:\Program Files\Games\Football manager 2008\fm.exe:Football Manager 2008
"{8B1C2D10-E4E9-4D44-B1AE-FCF2ECF17A1D}"= TCP:C:\Program Files\Games\Football manager 2008\fm.exe:Football Manager 2008
"{8B3F00E8-45A6-47D5-A457-5918936683C0}"= UDP:C:\Program Files\Google\Google Talk\googletalk.exe:Google Talk
"{FA43BBD1-0567-49E0-A8D2-50F1166F0E26}"= TCP:C:\Program Files\Google\Google Talk\googletalk.exe:Google Talk
"{07084192-0128-4F67-8314-D9E506B9665F}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{8F5EFC02-0159-4204-80A7-4C7C3D051902}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{4892F51F-3D15-4EE1-BA98-4DC3E7B70254}"= UDP:C:\Program Files\ITunes\iTunes.exe:iTunes
"{7C6675EB-54E1-4188-9E32-11B4D8136A6C}"= TCP:C:\Program Files\ITunes\iTunes.exe:iTunes
"{999CD24C-4B8C-40EC-AAE9-70E8F4195E02}"= UDP:C:\Program Files\ITunes\iTunes.exe:iTunes
"{C7643CF2-CB0E-4373-BBB6-A0C0303AD251}"= TCP:C:\Program Files\ITunes\iTunes.exe:iTunes
"{5062AEC1-1C67-4A47-836B-97F37AB9ED7F}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{AD7A1C11-D000-4948-8421-2F1DB7983EF2}C:\\program files\\bitlord 1.1\\bitlord\\bitlord.exe"= UDP:C:\program files\bitlord 1.1\bitlord\bitlord.exe:BitLord
"UDP Query User{5FFE7C31-24A9-4875-A05E-0066DFAE725E}C:\\program files\\bitlord 1.1\\bitlord\\bitlord.exe"= TCP:C:\program files\bitlord 1.1\bitlord\bitlord.exe:BitLord
"{59912C95-97D6-49D8-8024-0F40C4134C69}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{CD0DD36F-84CB-4950-BFF6-52D195EB0FAC}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype

R0 CplIR;Embedded IR Driver;C:\Windows\system32\DRIVERS\CplIR.SYS [2007-03-06 16:01]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\Windows\system32\DRIVERS\klim6.sys [2007-04-04 14:59]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-09-20 18:56]
S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-03-27 16:47]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ed1544e0-fb30-11dc-88eb-001de0a68769}]
\shell\AutoRun\command - D:\setupSNK.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
*Newly Created Service* - SBAPIFS
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-HWSetup - \HWSetup.exe
HKLM-Run-RegistryMechanic - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.soccernet.com/
R1 -: HKCU-Internet Settings,ProxyOverride = *wits.ac.za;146.141.*
R1 -: HKCU-Internet Settings,ProxyServer = proxyss.wits.ac.za:80
O8 -: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 -: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 -: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 -: {76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4
O9 -: {8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redire...1&site=home
O9 -: {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?EN


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-04 18:43:34
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-04 18:46:07
ComboFix-quarantined-files.txt 2008-08-04 16:45:23

Pre-Run: 69,022,715,904 bytes free
Post-Run: 68,811,051,008 bytes free

170 --- E O F --- 2008-07-07 07:30:24


Anything else I can do for you?

Thanks once again...

#6 aspic

aspic
  • Topic Starter

  • Members
  • 4 posts

Posted 04 August 2008 - 12:26 PM

I found this report as well, called "bug.txt":


pushd "C:\327882R2FWJFW\"

=============================================

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Rael\AppData\Roaming
cfldr=327882R2FWJFW
CLASSPATH=.;C:\Program Files\Java\jre1.6.0\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=RAEL-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Rael
kmd=CF24108.exe
LOCALAPPDATA=C:\Users\Rael\AppData\Local
LOGONSERVER=\\RAEL-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\327882R2FWJFW;C:\Windows\system32;C:\Windows;C:\Windows\system32\wbem;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\QuickTime\QTSystem\;C:\PROGRA~1\DISKEE~1.781\DISKEE~1.781\;C:\Program Files\Common Files\Teleca Shared
PATHEXT=.cfexe;.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 11, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0b
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\Java\jre1.6.0\lib\ext\QTJava.zip
SESSIONNAME=Console
sfxname=C:\Program Files\Mbam Malware Remover\ComboFix.exe
system=C:\Windows\system32
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Rael\AppData\Local\Temp
TMP=C:\Users\Rael\AppData\Local\Temp
USERDOMAIN=Rael-PC
USERNAME=Rael
USERPROFILE=C:\Users\Rael
windir=C:\Windows

=============================================


if not defined sfxname goto END

If [] == [] Set "SfxCmd="

if /I "C:\327882R2FWJFW" NEQ "C:\327882R2FWJFW" goto Abort

if exist "C:\Users\Rael\AppData\Local\Temp\327882R2FWJFW327882R2FWJFW.log" del "C:\Users\Rael\AppData\Local\Temp\327882R2FWJFW327882R2FWJFW.log"
SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 ©
Ownerchange for "C:\Windows\system32\cmd.exe" to Administrators group was successful

copy /y "C:\Windows\system32\cmd.exe" "C:\Windows\system32\CF24108.exe"
1 file(s) copied.

if not exist "C:\Windows\system32\CF24108.exe" catchme -l nul -c "C:\Windows\system32\cmd.exe" "C:\Windows\system32\CF24108.exe"

For /F "tokens=*" %g in ("C:\Program Files\Mbam Malware Remover\ComboFix.exe") do @(
set "FileName=%~ng"
set "FilePath=%~dpg"
)

Set FileName 1>FileName 2>nul

GREP -Gisqx "FileName=[-[:alnum:]@.]*" FileName || (
nircmd infobox "You cannot rename ComboFix as ComboFix~n~nPlease use another name, preferbaly made up of alphanumeric characters" ""
goto END
)

DIR /AD/B C:\* | Findstr -IVX ComboFix 1>dirname00

Findstr -LIXC:"ComboFix" dirname00 1>nul && call :NameChk

If exist dirname0? del /Q dirname0?

If exist "\ComboFix" DIR /AD "\ComboFix" 1>nul && (
rd /s/q "\ComboFix"
If exist "\ComboFix" (
PV -kf Findstr *.cfexe
rd /s/q "\ComboFix"
)
If exist "\ComboFix" (
handle "C:\ComboFix" | SED -r "/pid:/!d; s/.*: (.*): .*/\1/" 1>temp00
for /F "tokens=1,2" %g in (temp00) do @echo.y | Handle -p %g -c %h
del /q temp00
rd /s/q "\ComboFix"
)
)

If exist "\ComboFix" rd /s/q "\ComboFix"

If exist "\ComboFix" goto :eof

swreg query "hklm\software\microsoft\windows nt\currentversion" /v currentversion 1>osVer00

GREP -sq "currentversion.* 6.0" osVer00 && (Call :Vista ) ||

type nul 1>Vista.mac

swxcacls "C:\Windows\system32\cmd.exe" /g SID#S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464:f /ga:x /gs:x /gp:x /gu:x /q

swxcacls "C:\Windows\system32\cmd.exe" /o SID#S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 /q

swreg query "hkcu\control panel\international" /v localename | SED "/.*\t/!d;s///" 1>MUI00

swreg query "hku\.default\control panel\international" /v localename | SED "/.*\t/!d;s///" 1>>MUI00

SED -r "$!N; /^(.*)\n\1$/!P; D" MUI00 1>MUI01

For /F "tokens=*" %g in (MUI01) do @if exist "C:\Windows\system32\%~g\cmd.exe.mui" (
swxcacls "C:\Windows\system32\%~g\cmd.exe.mui" /oa /q
swxcacls "C:\Windows\system32\%~g\cmd.exe.mui" /p /ga:f /gs:f /gp:x /gu:x /q
Copy /y "C:\Windows\system32\%~g\cmd.exe.mui" "C:\Windows\system32\en-us\CF24108.exe.mui"
swxcacls "C:\Windows\system32\%~g\cmd.exe.mui" /g SID#S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464:f /ga:x /gs:x /gp:x /gu:x /q
swxcacls "C:\Windows\system32\%~g\cmd.exe.mui" /o SID#S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 /q
)

GREP -sq . MUI01 && (
del /q MUI0? 2>nul
goto :eof
)

del osVer00 2>nul

CD ..

Set "comspec=C:\Windows\system32\CF24108.exe"

(
echo.md "\ComboFix"
echo.Move /y "\327882R2FWJFW\*" "\ComboFix"
echo.RD /S/Q "\327882R2FWJFW"
echo.Start "." /d"C:\ComboFix" "C:\Windows\system32\CF24108.exe" /k c.bat
echo.pv -kf cmd.exe
) 1>Start_.cmd

NirCmd exec hide "C:\Windows\system32\CF24108.exe" /f:off /d /c call Start_.cmd

NirCmd execmd del "\327882R2FWJFW\prep.cmd"

#7 steamwiz

steamwiz

  • Members
  • 1,039 posts

Posted 04 August 2008 - 06:27 PM

Hi

Combofix is clean :thumbsup:

The "bug.txt" is a report of some of your system data (which may be helpful in the event Combofix malfunctioned); the file also includes directions to Combofix as to what to do, and what errors to report in certain circumstances ... it's all quite innocent & shows no problems.

Are you still having reports of your original problem? Because we've actually found nothing to show you have an infection ...

Run a new scan with your resident anti-virus & see if it still finds anything?

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#8 steamwiz

steamwiz

  • Members
  • 1,039 posts

Posted 12 September 2008 - 04:52 PM

Due to lack of feedback, this thread is now treated as resolved and duly closed.

If the original poster would like it re-opened, please send me a PM with a link to this thread.

cheers

steam



