c:\svchost.exe, mshta.exe disabling firewall


This topic is locked
12 replies to this topic

#1 cbedward

Posted 19 December 2008 - 04:32 PM

I have some sort of infection that keeps recurring and I can't figure out how to stop it.

I found another topic (http://www.bleepingcomputer.com/forums/topic182187.html) which describes almost exactly what I am seeing.

It turns off Windows Firewall and creates a file in my root directory called svchost.exe, which launches many copies of itself and many copies of mshta.exe. It creates 4 files in the root directory:

c:\svchost.exe
c:\bt.bat
c:\testfile.bat
c:\script.txt

The svchost tasks seem to silently make connections to sites, filling the C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5 directory with all kinds of garbage.

I am able to kill the new instances of svchost.exe and mshta.exe, which then allows me to delete c:\svchost.exe and the other files in the root directory, and all the files from the ...\Content.IE5 directory.

That seems to squash it for a while, but it comes back after some time (sometimes quickly, sometimes it takes hours). It seems to come back when some files or threads are "touched" somehow. I can get the virus to reassert itself by scanning for it with Malwarebytes. I can get it to come back by searching the registry for "c:\svchost.exe". When I try to do something to find it, it makes it come back.

I have tried following the directions from the related topic, but it still keeps coming back. I use AVG Free, Malwarebytes, SpybotSD. I also tried the Panda free online scanner and ComboFix. They often find a couple of infections, but they haven't been able to stop it from recurring.

-------------------------------------

Logfile of random's system information tool 1.05 (written by random/random)
Run by Craig at 2008-12-19 16:19:22
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 2 GB (3%) free of 95 GB
Total RAM: 2047 MB (35% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:19:47 PM, on 12/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\WINDOWS\system32\lktsrv.exe
C:\LonWorks\bin\LnsMtsSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\WINDOWS\system32\nipalsm.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\RTProxy.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect 7.0\retrorun.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\nipalsm.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\National Instruments\LabVIEW 8.5\LabVIEW.exe
C:\Program Files\National Instruments\MAX\nimxsoffline.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Any Password\AnyPass.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Intuit\QuickBooks 2007\qbw32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
C:\PROGRA~1\Intuit\QUICKB~2\QBDBMgr.exe
C:\Program Files\National Instruments\LabVIEW 8.5\LabVIEW.exe
C:\Program Files\National Instruments\MAX\nimxsoffline.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Downloads\Antivirus\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Craig.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [niDevMon] C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\HP DVD\Umbrella\DVDTray.exe
O4 - HKLM\..\Run: [DVDBitSet] C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe /NOUI
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [Msn] c:\svchost.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MsnLoad] c:\svchost.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MsnConvert] c:\svchost.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MsnMessendger] c:\svchost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [Msn] c:\svchost.exe (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: SmartUI.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200705...ex/qtplugin.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://russell/connectcomputer/nshelp.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1181070593578
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Group\Apache2\bin\Apache.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Echelon xDriver Connection Broker (LdvxBroker) - Echelon Corporation - C:\LonWorks\bin\LdvxBroker.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments Corporation - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments Corporation - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: Echelon Support Service for Microsoft Terminal Services (MTS) (LnsMtsSvc) - Echelon Corporation - C:\LonWorks\bin\LnsMtsSvc.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: NI-488.2 Enumeration Service (ni488enumsvc) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: NI Device Loader (nidevldu) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI PXI Resource Manager (nipxirmu) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: niRTProxy - National Instruments - C:\WINDOWS\system32\RTProxy.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - EMC Dantz - C:\Program Files\Dantz\Retrospect 7.0\retrorun.exe
O23 - Service: Retrospect Helper - EMC Dantz - C:\Program Files\Dantz\Retrospect 7.0\rthlpsvc.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 13927 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At20.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At25.job
C:\WINDOWS\tasks\At26.job
C:\WINDOWS\tasks\At27.job
C:\WINDOWS\tasks\At28.job
C:\WINDOWS\tasks\At29.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At30.job
C:\WINDOWS\tasks\At31.job
C:\WINDOWS\tasks\At32.job
C:\WINDOWS\tasks\At33.job
C:\WINDOWS\tasks\At34.job
C:\WINDOWS\tasks\At35.job
C:\WINDOWS\tasks\At36.job
C:\WINDOWS\tasks\At37.job
C:\WINDOWS\tasks\At38.job
C:\WINDOWS\tasks\At39.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At40.job
C:\WINDOWS\tasks\At41.job
C:\WINDOWS\tasks\At42.job
C:\WINDOWS\tasks\At43.job
C:\WINDOWS\tasks\At44.job
C:\WINDOWS\tasks\At45.job
C:\WINDOWS\tasks\At46.job
C:\WINDOWS\tasks\At47.job
C:\WINDOWS\tasks\At48.job
C:\WINDOWS\tasks\At49.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At50.job
C:\WINDOWS\tasks\At51.job
C:\WINDOWS\tasks\At52.job
C:\WINDOWS\tasks\At53.job
C:\WINDOWS\tasks\At54.job
C:\WINDOWS\tasks\At55.job
C:\WINDOWS\tasks\At56.job
C:\WINDOWS\tasks\At57.job
C:\WINDOWS\tasks\At58.job
C:\WINDOWS\tasks\At59.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At60.job
C:\WINDOWS\tasks\At61.job
C:\WINDOWS\tasks\At62.job
C:\WINDOWS\tasks\At63.job
C:\WINDOWS\tasks\At64.job
C:\WINDOWS\tasks\At65.job
C:\WINDOWS\tasks\At66.job
C:\WINDOWS\tasks\At67.job
C:\WINDOWS\tasks\At68.job
C:\WINDOWS\tasks\At69.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At70.job
C:\WINDOWS\tasks\At71.job
C:\WINDOWS\tasks\At72.job
C:\WINDOWS\tasks\At73.job
C:\WINDOWS\tasks\At74.job
C:\WINDOWS\tasks\At75.job
C:\WINDOWS\tasks\At76.job
C:\WINDOWS\tasks\At77.job
C:\WINDOWS\tasks\At78.job
C:\WINDOWS\tasks\At79.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At80.job
C:\WINDOWS\tasks\At81.job
C:\WINDOWS\tasks\At82.job
C:\WINDOWS\tasks\At83.job
C:\WINDOWS\tasks\At84.job
C:\WINDOWS\tasks\At85.job
C:\WINDOWS\tasks\At86.job
C:\WINDOWS\tasks\At87.job
C:\WINDOWS\tasks\At88.job
C:\WINDOWS\tasks\At89.job
C:\WINDOWS\tasks\At9.job
C:\WINDOWS\tasks\At90.job
C:\WINDOWS\tasks\At91.job
C:\WINDOWS\tasks\At92.job
C:\WINDOWS\tasks\At93.job
C:\WINDOWS\tasks\At94.job
C:\WINDOWS\tasks\At95.job
C:\WINDOWS\tasks\At96.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll [2003-05-14 50376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2008-09-03 455960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-07-03 2055960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
AcroIEToolbarHelper Class - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]
{A057A204-BACC-4D26-9990-79A187E2698E} - AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-07-03 2055960]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Cpqset"=C:\Program Files\HPQ\Default Settings\cpqset.exe [2003-06-03 180316]
"srmclean"=C:\Cpqs\Scom\srmclean.exe [2001-07-24 36864]
"eabconfg.cpl"=C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe [2003-07-07 274432]
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2003-05-22 110592]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2003-05-22 610304]
"nwiz"=nwiz.exe /installquiet []
"IntelliPoint"=C:\Program Files\Microsoft IntelliPoint\point32.exe [2005-03-23 217088]
"PaperPort PTD"=C:\Program Files\Scansoft\PaperPort\pptd40nt.exe [2002-08-12 45108]
"IndexSearch"=C:\Program Files\Scansoft\PaperPort\IndexSearch.exe [2002-08-12 36864]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-06-29 286720]
"niDevMon"=C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe [2007-07-14 106064]
"DVDTray"=C:\Program Files\HP DVD\Umbrella\DVDTray.exe [2003-07-23 69632]
"DVDBitSet"=C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe [2003-07-18 204800]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2007-12-05 185896]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2007-08-24 33648]
"BluetoothAuthenticationAgent"=C:\WINDOWS\system32\bthprops.cpl [2008-04-13 110592]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-11-27 1261336]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"vmware-tray"=C:\Program Files\VMware\VMware Workstation\vmware-tray.exe [2008-05-15 72240]
"VMware hqtray"=C:\Program Files\VMware\VMware Workstation\hqtray.exe [2008-05-15 55856]
"LogMeIn GUI"=C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [2008-07-24 63048]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"H/PC Connection Agent"=C:\Program Files\Microsoft ActiveSync\wcescomm.exe [2006-11-13 1289000]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"TomTomHOME.exe"=C:\Program Files\TomTom HOME 2\HOMERunner.exe [2008-05-06 202088]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE
Monitor Apache Servers.lnk - C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
SmartUI.lnk - C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LMIinit]
C:\WINDOWS\system32\LMIinit.dll [2008-10-02 87352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2007-08-24 2212224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0
"NoDispCPL"=
"DisableDisplayControl"=0
"DisableDisplayCtrl"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoStartMenuMorePrograms"=
"NoSetFolders"=
"StartMenuLogOff"=0
"NoDrives"=0
"NoToolbarCustomize"=0
"NoDriveAutoRun"=67108863

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=
"NoDriveAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:*:Enabled:ActiveSync RAPI Manager"
"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe:*:Enabled:Malwarebytes' Anti-Malware"
"C:\Program Files\National Instruments\LabVIEW 7.1\LabVIEW.exe"="C:\Program Files\National Instruments\LabVIEW 7.1\LabVIEW.exe:*:Enabled:LabVIEW 7.1 Development System"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Program Files\National Instruments\LabVIEW 8.5\LabVIEW.exe"="C:\Program Files\National Instruments\LabVIEW 8.5\LabVIEW.exe:*:Enabled:LabVIEW 8.5 Development System"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:*:Enabled:ActiveSync Application"
"C:\Program Files\VMware\VMware Workstation\vmware.exe"="C:\Program Files\VMware\VMware Workstation\vmware.exe:*:Enabled:VMware Workstation"
"C:\Program Files\VMware\VMware Workstation\vmplayer.exe"="C:\Program Files\VMware\VMware Workstation\vmplayer.exe:*:Enabled:VMware Player"
"C:\Program Files\National Instruments\LabVIEW 8.0\LabVIEW.exe"="C:\Program Files\National Instruments\LabVIEW 8.0\LabVIEW.exe:*:Enabled:LabVIEW 8.0 Development System"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe"="C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe:*:Enabled:QBUpdate Module"
"C:\Program Files\VMware\VMware Workstation\bin\vmware-vmx.exe"="C:\Program Files\VMware\VMware Workstation\bin\vmware-vmx.exe:*:Enabled:VMware Workstation VMX"
"C:\Program Files\Windows Media Player\wmplayer.exe"="C:\Program Files\Windows Media Player\wmplayer.exe:*:Enabled:Windows Media Player"
"C:\WINDOWS\system32\WISPTIS.EXE"="C:\WINDOWS\system32\WISPTIS.EXE:*:Enabled:Microsoft Tablet PC Component"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Intuit\QuickBooks Pro\QBW32.EXE"="C:\Program Files\Intuit\QuickBooks Pro\QBW32.EXE:*:Enabled:QuickBooks"
"C:\WINDOWS\system32\nisvcloc.exe"="C:\WINDOWS\system32\nisvcloc.exe:*:Enabled:NI Service Locator"
"C:\Program Files\National Instruments\Real-Time Execution Trace Toolkit 2.0\rtett.exe"="C:\Program Files\National Instruments\Real-Time Execution Trace Toolkit 2.0\rtett.exe:*:Enabled:Real-Time Execution Trace Toolkit"
"C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer"
"C:\Program Files\National Instruments\DataSocket\cwdss.exe"="C:\Program Files\National Instruments\DataSocket\cwdss.exe:*:Enabled:National Instruments DataSocket"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{21e27af9-1fd5-11dd-b22b-00904b47f55a}]
shell\AutoRun\command - E:\autorun.exe
shell\phone\command - E:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38f4fe88-9409-11dc-b171-00904b47f55a}]
shell\AutoRun\command - E:\InstallTomTomHOME.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66bf31f6-bc3f-11dd-b262-005056c00008}]
shell\AutoRun\command - E:\InstallTomTomHOME.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca959636-98a3-11dd-b25a-005056c00008}]
shell\AutoRun\command - F:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe


======File associations======

.reg - open - regedit.exe "%1" %*

======List of files/folders created in the last 1 months======

2008-12-19 16:19:22 ----D---- C:\rsit
2008-12-19 13:08:53 ----RA---- C:\bt-craig.bat
2008-12-19 13:06:40 ----RA---- C:\bt.bat
2008-12-19 11:50:39 ----D---- C:\Program Files\EsetOnlineScanner
2008-12-18 16:26:14 ----D---- C:\WINDOWS\LastGood
2008-12-18 16:25:21 ----D---- C:\Program Files\Panda Security
2008-12-18 13:18:31 ----SHD---- C:\RECYCLER
2008-12-18 13:01:30 ----A---- C:\ComboFix.txt
2008-12-18 12:42:57 ----A---- C:\Boot.bak
2008-12-18 12:42:51 ----RASHD---- C:\cmdcons
2008-12-18 12:39:55 ----A---- C:\WINDOWS\NIRCMD.exe
2008-12-18 12:39:54 ----A---- C:\WINDOWS\zip.exe
2008-12-18 12:39:54 ----A---- C:\WINDOWS\VFIND.exe
2008-12-18 12:39:54 ----A---- C:\WINDOWS\SWXCACLS.exe
2008-12-18 12:39:54 ----A---- C:\WINDOWS\SWSC.exe
2008-12-18 12:39:54 ----A---- C:\WINDOWS\SWREG.exe
2008-12-18 12:39:54 ----A---- C:\WINDOWS\sed.exe
2008-12-18 12:39:54 ----A---- C:\WINDOWS\grep.exe
2008-12-18 12:39:54 ----A---- C:\WINDOWS\fdsv.exe
2008-12-18 12:39:45 ----D---- C:\WINDOWS\ERDNT
2008-12-18 12:39:45 ----D---- C:\Qoobox
2008-12-17 03:56:28 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-17 03:50:51 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-17 03:49:39 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-17 03:49:30 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2008-12-01 13:28:04 ----D---- C:\Documents and Settings\Craig\Application Data\pdf995
2008-12-01 13:28:04 ----A---- C:\WINDOWS\pdf995.ini
2008-11-26 15:49:00 ----D---- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-11-26 15:49:00 ----D---- C:\Program Files\SDHelper (Spybot - Search & Destroy)
2008-11-26 15:49:00 ----D---- C:\Program Files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-26 15:48:57 ----D---- C:\Program Files\File Scanner Library (Spybot - Search & Destroy)
2008-11-26 14:52:19 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2008-11-26 14:15:45 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-11-26 14:15:04 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2008-11-25 22:31:00 ----D---- C:\Documents and Settings\Craig\Application Data\Arduino

======List of files/folders modified in the last 1 months======

2008-12-19 16:19:47 ----D---- C:\WINDOWS\Temp
2008-12-19 15:54:48 ----SHD---- C:\WINDOWS\Installer
2008-12-19 15:54:48 ----D---- C:\WINDOWS\WinSxS
2008-12-19 15:53:33 ----SHD---- C:\Config.Msi
2008-12-19 15:53:31 ----D---- C:\Program Files\Paint.NET
2008-12-19 15:53:29 ----D---- C:\WINDOWS\system32
2008-12-19 15:53:21 ----RSD---- C:\WINDOWS\assembly
2008-12-19 15:40:21 ----D---- C:\Program Files
2008-12-19 15:33:10 ----A---- C:\S5.ini
2008-12-19 14:51:40 ----D---- C:\WINDOWS
2008-12-19 13:38:17 ----D---- C:\Program Files\Mozilla Thunderbird
2008-12-19 13:36:08 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-19 13:34:18 ----D---- C:\WINDOWS\Prefetch
2008-12-19 12:18:16 ----D---- C:\Program Files\Mozilla Firefox
2008-12-19 12:17:05 ----SD---- C:\WINDOWS\Tasks
2008-12-19 11:50:32 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-12-19 01:04:16 ----HD---- C:\$AVG8.VAULT$
2008-12-18 19:36:15 ----D---- C:\WINDOWS\system32\drivers
2008-12-18 16:26:16 ----HD---- C:\WINDOWS\inf
2008-12-18 16:17:17 ----D---- C:\WINDOWS\srchasst
2008-12-18 16:16:46 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-12-18 16:15:30 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-18 13:15:01 ----A---- C:\WINDOWS\pxisys.ini
2008-12-18 13:15:01 ----A---- C:\WINDOWS\pxiesys.ini
2008-12-18 13:14:15 ----D---- C:\Documents and Settings\Craig\Application Data\VMware
2008-12-18 13:13:54 ----D---- C:\Documents and Settings\All Users\Application Data\VMware
2008-12-18 12:50:43 ----N---- C:\WINDOWS\system.ini
2008-12-18 12:47:03 ----D---- C:\WINDOWS\system32\config
2008-12-18 12:45:05 ----D---- C:\Program Files\Common Files
2008-12-18 12:45:04 ----D---- C:\WINDOWS\AppPatch
2008-12-18 12:42:57 ----RASH---- C:\boot.ini
2008-12-18 11:38:22 ----HD---- C:\WINDOWS\$hf_mig$
2008-12-17 23:59:10 ----D---- C:\Doc
2008-12-17 15:26:06 ----D---- C:\LonWorks
2008-12-17 10:30:48 ----D---- C:\Program Files\Internet Explorer
2008-12-17 03:57:48 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-12-17 03:56:32 ----A---- C:\WINDOWS\imsins.BAK
2008-12-15 13:18:08 ----A---- C:\WINDOWS\ULEAD32.INI
2008-12-14 17:37:22 ----RSD---- C:\WINDOWS\Fonts
2008-12-13 01:55:05 ----A---- C:\mru.ini
2008-12-13 01:40:02 ----A---- C:\WINDOWS\system32\mshtml.dll
2008-12-11 13:41:26 ----D---- C:\Projects
2008-12-09 18:24:37 ----A---- C:\WINDOWS\system32\MRT.exe
2008-12-09 13:00:01 ----A---- C:\users.ini
2008-12-05 22:44:48 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-02 23:01:53 ----D---- C:\Data
2008-12-01 13:28:06 ----D---- C:\Documents and Settings\All Users\Application Data\pdf995
2008-11-26 16:46:27 ----D---- C:\Transfer
2008-11-24 21:56:07 ----D---- C:\Documents and Settings\Craig\Application Data\AdobeUM
2008-11-24 18:32:32 ----D---- C:\Temp
2008-11-24 17:36:47 ----D---- C:\WINDOWS\Help

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-09-03 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-07-03 26824]
R1 eabfiltr;EABFiltr; \??\C:\WINDOWS\System32\drivers\EABFiltr.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\System32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 ApogeeIO;Apogee Port I/O; C:\WINDOWS\System32\Drivers\apogeeio.sys [2005-06-01 5314]
R2 BrPar;BrPar; C:\WINDOWS\System32\drivers\BrPar.sys [2000-07-24 19537]
R2 cvintdrv;cvintdrv; C:\WINDOWS\system32\drivers\cvintdrv.sys [2007-07-24 4096]
R2 hcmon;VMware hcmon; \??\C:\WINDOWS\system32\Drivers\hcmon.sys []
R2 irda;IrDA Protocol; C:\WINDOWS\System32\DRIVERS\irda.sys [2008-04-13 88192]
R2 LMIInfo;LogMeIn Kernel Information Provider; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys []
R2 LMIRfsDriver;LogMeIn Remote File System Driver; \??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys []
R2 MaxImIO;MaxIm Port I/O; C:\WINDOWS\System32\Drivers\maximio.sys [2005-06-01 7610]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys [2002-12-11 11044]
R2 niarbk;niarbk; C:\WINDOWS\system32\drivers\niarbk.dll [2007-04-16 37376]
R2 nibffrk;nibffrk; C:\WINDOWS\system32\drivers\nibffrk.dll [2007-04-16 21504]
R2 Nidaq32k;Nidaq32k; C:\WINDOWS\system32\drivers\Nidaq32k.sys [2007-04-16 674304]
R2 nidmmk;NI DMM and Data Logger Kernel Driver; C:\WINDOWS\system32\drivers\nidmmk.dll [2007-04-16 50688]
R2 niembrtk;niembrtk; C:\WINDOWS\system32\drivers\niembrtk.sys [2004-07-08 30720]
R2 nimdsk;nimdsk; C:\WINDOWS\system32\drivers\nimdsk.dll [2007-04-16 30208]
R2 nipxirmk;nipxirmk; \??\C:\WINDOWS\system32\drivers\nipxirmkl.sys []
R2 nistck;nistck; C:\WINDOWS\system32\drivers\nistck.dll [2007-04-16 111616]
R2 NiViPxiK;NI-VISA PXI Driver; C:\WINDOWS\System32\drivers\NiViPxiKl.sys [2007-07-19 11360]
R2 StreamDispatcher;StreamDispatcher; C:\WINDOWS\System32\DRIVERS\strmdisp.sys [2003-05-01 30592]
R2 VMnetBridge;VMware Bridge Protocol; C:\WINDOWS\system32\DRIVERS\vmnetbridge.sys [2008-05-15 28592]
R2 VMnetuserif;VMware Network Application Interface; \??\C:\WINDOWS\system32\drivers\vmnetuserif.sys []
R2 VMparport;VMware VMparport; \??\C:\WINDOWS\system32\Drivers\VMparport.sys []
R2 vmx86;VMware vmx86; \??\C:\WINDOWS\system32\Drivers\vmx86.sys []
R2 VPCAppSv;Virtual PC Application Services; C:\WINDOWS\system32\DRIVERS\VPCAppSv.sys [2002-05-20 10374]
R2 vstor2;Vstor2 Virtual Storage Driver; \??\C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vstor2.sys []
R2 vstor2-ws60;Vstor2 WS60 Virtual Storage Driver; \??\C:\Program Files\VMware\VMware Workstation\vstor2-ws60.sys []
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 BCM43XX;Broadcom 802.11 OneDriver; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [2003-07-31 254208]
R3 btaudio;Bluetooth Audio Device; C:\WINDOWS\system32\drivers\btaudio.sys [2007-08-30 539072]
R3 BTDriver;Bluetooth Virtual Communications Driver; C:\WINDOWS\system32\DRIVERS\btport.sys [2007-08-30 37424]
R3 BTKRNL;Bluetooth Bus Enumerator; C:\WINDOWS\system32\DRIVERS\btkrnl.sys [2007-08-30 876384]
R3 CAMCAUD;Conexant AMC 3D Environmental Audio; C:\WINDOWS\system32\drivers\camcaud.sys [2003-06-12 291712]
R3 CAMCHALA;CAMCHALA; C:\WINDOWS\system32\drivers\camchal.sys [2003-06-12 272896]
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 EMCR;EMCR; C:\WINDOWS\System32\DRIVERS\EMCR7SK.sys [2003-08-15 68480]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 lmimirr;lmimirr; C:\WINDOWS\system32\DRIVERS\lmimirr.sys [2008-07-24 10144]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nidimk;nidimk; \??\C:\WINDOWS\system32\drivers\nidimkl.sys []
R3 niesrk;niesrk; \??\C:\WINDOWS\system32\drivers\niesrkl.sys []
R3 nimdbgk;nimdbgk; \??\C:\WINDOWS\system32\drivers\nimdbgkl.sys []
R3 nimru2k;nimru2k; \??\C:\WINDOWS\system32\drivers\nimru2kl.sys []
R3 nimstsk;nimstsk; \??\C:\WINDOWS\system32\drivers\nimstskl.sys []
R3 nimxdfk;nimxdfk; \??\C:\WINDOWS\system32\drivers\nimxdfkl.sys []
R3 niorbk;niorbk; \??\C:\WINDOWS\system32\drivers\niorbkl.sys []
R3 nixsrk;nixsrk; \??\C:\WINDOWS\system32\drivers\nixsrkl.sys []
R3 NSCIRDA;NSC Infrared Device Driver; C:\WINDOWS\System32\DRIVERS\nscirda.sys [2008-04-13 28672]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2003-06-24 1326203]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-09-19 10368]
R3 Point32;Microsoft IntelliPoint Filter Driver; C:\WINDOWS\System32\DRIVERS\point32.sys [2005-03-15 20352]
R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\System32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 rtl8139;Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver; C:\WINDOWS\System32\DRIVERS\R8139n51.SYS [2002-10-04 46976]
R3 StillCam;Still Serial Digital Camera Driver; C:\WINDOWS\system32\DRIVERS\serscan.sys [2001-08-17 6784]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\System32\DRIVERS\SynTP.sys [2003-05-22 273072]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 vmkbd;VMware kbd; \??\C:\WINDOWS\system32\drivers\VMkbd.sys []
R3 VMnetAdapter;VMware Virtual Ethernet Adapter Driver; C:\WINDOWS\system32\DRIVERS\vmnetadapter.sys [2008-05-15 16816]
S3 Bridge;MAC Bridge; C:\WINDOWS\System32\DRIVERS\bridge.sys [2008-04-13 71552]
S3 BridgeMP;MAC Bridge Miniport; C:\WINDOWS\System32\DRIVERS\bridge.sys [2008-04-13 71552]
S3 BthEnum;Bluetooth Enumerator Service; C:\WINDOWS\system32\DRIVERS\BthEnum.sys [2008-04-13 17024]
S3 BTHMODEM;Bluetooth Serial Communications Driver; C:\WINDOWS\system32\DRIVERS\bthmodem.sys [2008-04-13 37888]
S3 BthPan;Bluetooth Device (Personal Area Network); C:\WINDOWS\system32\DRIVERS\bthpan.sys [2008-04-13 101120]
S3 BTHPORT;Bluetooth Port Driver; C:\WINDOWS\System32\Drivers\BTHport.sys [2008-06-13 272128]
S3 BTHUSB;Bluetooth Radio USB Driver; C:\WINDOWS\System32\Drivers\BTHUSB.sys [2008-04-13 18944]
S3 BTWDNDIS;Bluetooth LAN Access Server; C:\WINDOWS\system32\DRIVERS\btwdndis.sys [2007-08-30 149123]
S3 btwhid;btwhid; C:\WINDOWS\system32\DRIVERS\btwhid.sys [2007-08-30 55352]
S3 BTWUSB;WIDCOMM USB Bluetooth Driver; C:\WINDOWS\System32\Drivers\btwusb.sys [2007-08-30 67960]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 eabusb;eabusb; \??\C:\WINDOWS\System32\drivers\eabusb.sys []
S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver; C:\WINDOWS\System32\Drivers\FTD2XX.sys [2005-02-28 29404]
S3 FTDIBUS;MiniCSU-3 USB Driver; C:\WINDOWS\system32\drivers\ftdibus.sys [2006-05-18 47249]
S3 FTSER2K;MiniCSU-3 USB Serial Port Driver; C:\WINDOWS\system32\drivers\ftser2k.sys [2006-05-18 61067]
S3 hpusbwdm;HP DVD Movie Writer dc3000/dc4000; C:\WINDOWS\system32\DRIVERS\hpusbwdm.sys [2004-01-05 1080832]
S3 HSF_DP;HSF_DP; C:\WINDOWS\System32\DRIVERS\HSF_DP.sys [2003-05-01 1107200]
S3 HSFHWICH;HSFHWICH; C:\WINDOWS\System32\DRIVERS\HSFHWICH.sys [2003-05-01 165504]
S3 lvalarmk;lvalarmk; \??\C:\WINDOWS\system32\drivers\lvalarmk.sys []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 ni1006k;NI PXI-1006 Chassis Pilot; \??\C:\WINDOWS\system32\drivers\ni1006k.sys []
S3 ni1045k;NI PXI-1045 Chassis Pilot; \??\C:\WINDOWS\system32\drivers\ni1045kl.sys []
S3 ni1065k;NI PXIe-1065 Chassis Pilot; \??\C:\WINDOWS\system32\drivers\ni1065k.sys []
S3 ni488lock;NI-488.2 Locking Service; \??\C:\WINDOWS\system32\drivers\ni488lock.sys []
S3 nicdrk;nicdrk; \??\C:\WINDOWS\system32\drivers\nicdrkl.sys []
S3 nidmxfk;nidmxfk; \??\C:\WINDOWS\system32\drivers\nidmxfkl.sys []
S3 nidsark;nidsark; \??\C:\WINDOWS\system32\drivers\nidsarkl.sys []
S3 nidwgk;nidwgk; \??\C:\WINDOWS\system32\drivers\nidwgkl.sys []
S3 niemrk;niemrk; \??\C:\WINDOWS\system32\drivers\niemrkl.sys []
S3 niemrkw;niemrkw; C:\WINDOWS\system32\DRIVERS\niemrkw.sys [2007-07-24 11336]
S3 nifslk;nifslk; \??\C:\WINDOWS\system32\drivers\nifslkl.sys []
S3 nigplk;nigplk; \??\C:\WINDOWS\system32\drivers\nigplkl.sys []
S3 nihsdrk;nihsdrk; \??\C:\WINDOWS\system32\drivers\nihsdrkl.sys []
S3 nimsdrk;nimsdrk; \??\C:\WINDOWS\system32\drivers\nimsdrkl.sys []
S3 nimslk;nimslk; \??\C:\WINDOWS\system32\drivers\nimslk.dll []
S3 nimsrlk;nimsrlk; \??\C:\WINDOWS\system32\drivers\nimsrlk.dll []
S3 nimxpk;nimxpk; \??\C:\WINDOWS\system32\drivers\nimxpkl.sys []
S3 ninshsdk;ninshsdk; \??\C:\WINDOWS\system32\drivers\ninshsdkl.sys []
S3 nipalfwedl;nipalfwedl; C:\WINDOWS\System32\drivers\nipalfwedl.sys [2007-07-18 11904]
S3 nipalusbedl;nipalusbedl; C:\WINDOWS\System32\drivers\nipalusbedl.sys [2007-07-18 11896]
S3 nipsdk;nipsdk; \??\C:\WINDOWS\system32\drivers\nipsdkl.sys []
S3 nipxigpk;NI PXI Generic Chassis Pilot; \??\C:\WINDOWS\system32\drivers\nipxigpk.sys []
S3 nirfsa2k;nirfsa2k; \??\C:\WINDOWS\system32\drivers\nirfsa2kl.sys []
S3 niscdk;niscdk; \??\C:\WINDOWS\system32\drivers\niscdkl.sys []
S3 nisdigk;nisdigk; \??\C:\WINDOWS\system32\drivers\nisdigkl.sys []
S3 nisftk;nisftk; \??\C:\WINDOWS\system32\drivers\nisftkl.sys []
S3 nisldk;nisldk; \??\C:\WINDOWS\system32\drivers\nisldkl.sys []
S3 nispdk;nispdk; \??\C:\WINDOWS\system32\drivers\nispdkl.sys []
S3 nisrcdk;nisrcdk; \??\C:\WINDOWS\system32\drivers\nisrcdkl.sys []
S3 nissrk;nissrk; \??\C:\WINDOWS\system32\drivers\nissrkl.sys []
S3 nistc2k;nistc2k; \??\C:\WINDOWS\system32\drivers\nistc2kl.sys []
S3 nistcrk;nistcrk; \??\C:\WINDOWS\system32\drivers\nistcrkl.sys []
S3 niswdk;niswdk; \??\C:\WINDOWS\system32\drivers\niswdkl.sys []
S3 nitiork;nitiork; \??\C:\WINDOWS\system32\drivers\nitiorkl.sys []
S3 nitnr2k;nitnr2k; \??\C:\WINDOWS\system32\drivers\nitnr2kl.sys []
S3 NiViFWK;NI-VISA FireWire Driver; C:\WINDOWS\System32\drivers\NiViFWKl.sys [2007-07-19 11384]
S3 NiViPciK;NI-VISA PCI Driver; C:\WINDOWS\System32\drivers\NiViPciKl.sys [2007-07-19 11360]
S3 niwdk;niwdk; C:\WINDOWS\system32\drivers\niwdk.sys [2007-07-14 19456]
S3 niwfrk;niwfrk; \??\C:\WINDOWS\system32\drivers\niwfrkl.sys []
S3 nixsrkw;nixsrkw; C:\WINDOWS\system32\DRIVERS\nixsrkw.sys [2007-07-24 11336]
S3 OM2800;USB2.0 PC Camera; C:\WINDOWS\System32\Drivers\ovtcam2.sys [2002-08-15 250343]
S3 pdaq;Personal Daq 55/56; C:\WINDOWS\System32\Drivers\pdaq.sys [2004-03-09 15360]
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\WINDOWS\system32\DRIVERS\rfcomm.sys [2008-04-13 59136]
S3 Ser2pl;ATEN USB to Serial port driver; C:\WINDOWS\system32\DRIVERS\ser2pl.sys [2003-07-16 43264]
S3 sermouse;Serial Mouse Driver; C:\WINDOWS\System32\DRIVERS\sermouse.sys [2001-08-17 17664]
S3 slabbus;CP210x USB Composite Device driver (WDM); C:\WINDOWS\system32\DRIVERS\slabbus.sys [2004-12-16 55312]
S3 slabser;CP210x USB to UART Bridge Controller Drivers; C:\WINDOWS\system32\DRIVERS\slabser.sys [2004-12-16 89808]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 usb_rndisx;USB RNDIS Adapter; C:\WINDOWS\system32\DRIVERS\usb8023x.sys [2008-04-13 12800]
S3 usb6xxxk;usb6xxxk; \??\C:\WINDOWS\system32\drivers\usb6xxxkl.sys []
S3 usb6xxxkw;usb6xxxkw; C:\WINDOWS\system32\DRIVERS\usb6xxxkw.sys [2007-07-16 11312]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 vmusb;VMware USB Client Driver; C:\WINDOWS\System32\Drivers\vmusb.sys [2008-05-15 30768]
S3 wceusbsh;Windows CE USB Serial Host Driver; C:\WINDOWS\system32\DRIVERS\wceusbsh.sys [2006-11-06 28672]
S3 winachsf;winachsf; C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys [2003-05-01 622848]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 LMIRfsClientNP;LMIRfsClientNP; C:\WINDOWS\system32\drivers\LMIRfsClientNP.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apache2;Apache2; C:\Program Files\Apache Group\Apache2\bin\Apache.exe [2005-04-16 20541]
R2 avg8wd;AVG8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-03 231704]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service; C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
R2 Brother XP spl Service;BrSplService; C:\WINDOWS\system32\brsvc01a.exe [2002-04-11 57344]
R2 btwdins;Bluetooth Service; C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe [2007-04-01 273256]
R2 LkCitadelServer;Lookout Citadel Server; C:\WINDOWS\system32\lkcitdl.exe [2007-03-21 695136]
R2 lkClassAds;National Instruments PSP Server Locator; C:\WINDOWS\system32\lkads.exe [2007-07-16 40488]
R2 lkTimeSync;National Instruments Time Synchronization; C:\WINDOWS\system32\lktsrv.exe [2007-07-16 50736]
R2 LnsMtsSvc;Echelon Support Service for Microsoft Terminal Services (MTS); C:\LonWorks\bin\LnsMtsSvc.exe [2005-04-06 57400]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2003-03-19 335872]
R2 mxssvr;NI Configuration Manager; C:\Program Files\National Instruments\MAX\nimxs.exe [2007-03-08 12696]
R2 ni488enumsvc;NI-488.2 Enumeration Service; C:\WINDOWS\system32\nipalsm.exe [2007-02-16 12696]
R2 nidevldu;NI Device Loader; C:\WINDOWS\system32\nipalsm.exe [2007-02-16 12696]
R2 NIDomainService;National Instruments Domain Service; C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe [2007-07-16 213040]
R2 nipxirmu;NI PXI Resource Manager; C:\WINDOWS\system32\nipalsm.exe [2007-02-16 12696]
R2 niRTProxy;niRTProxy; C:\WINDOWS\system32\RTProxy.exe [2005-05-23 77824]
R2 niSvcLoc;NI Service Locator; C:\WINDOWS\system32\nisvcloc.exe [2007-07-19 48704]
R2 NITaggerService;National Instruments Variable Engine; C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe [2007-07-23 609384]
R2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\System32\nvsvc32.exe [2003-06-24 73728]
R2 RetroLauncher;Retrospect Launcher; C:\Program Files\Dantz\Retrospect 7.0\retrorun.exe [2005-06-10 73728]
R2 SQLBrowser;SQL Server Browser; c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2007-02-10 242544]
R2 SQLWriter;SQL Server VSS Writer; c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2007-02-10 89968]
R2 VMnetDHCP;VMware DHCP Service; C:\WINDOWS\system32\vmnetdhcp.exe [2008-05-15 121392]
R2 vmount2;VMware Virtual Mount Manager Extended; C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe [2007-03-23 269104]
R2 VMware NAT Service;VMware NAT Service; C:\WINDOWS\system32\vmnat.exe [2008-05-15 150064]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ); c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
S2 BthServ;Bluetooth Support Service; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S2 Irmon;Infrared Monitor; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S2 MSSQL$SQLEXPRESS;SQL Server (SQLEXPRESS); c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
S2 Retrospect Helper;Retrospect Helper; C:\Program Files\Dantz\Retrospect 7.0\rthlpsvc.exe [2005-06-10 118784]
S2 VMAuthdService;VMware Authorization Service; C:\Program Files\VMware\VMware Workstation\vmware-authd.exe [2008-05-15 109104]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 Imapi Helper;Imapi Helper; C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe [2006-01-04 163840]
S3 LdvxBroker;Echelon xDriver Connection Broker; C:\LonWorks\bin\LdvxBroker.exe [2005-04-06 57402]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2007-08-24 68464]
S3 NILM License Manager;NILM License Manager; C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe [2007-01-29 1007616]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 OpcEnum;OpcEnum; C:\WINDOWS\system32\OpcEnum.exe [2007-05-09 98304]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 QBFCService;Intuit QuickBooks FCS; C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [2006-11-09 65536]
S3 ufad-ws60;VMware Agent Service; C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe [2007-11-30 186928]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 LMIMaint;LogMeIn Maintenance Service; C:\Program Files\LogMeIn\x86\RaMaint.exe [2008-10-16 116032]
S4 LogMeIn;LogMeIn; C:\Program Files\LogMeIn\x86\LogMeIn.exe [2008-07-24 63040]
S4 MSSQLServerADHelper;SQL Server Active Directory Helper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2005-10-14 45272]
S4 msvsmon80;Visual Studio 2005 Remote Debugger; C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]
S4 MySQL;MySQL; C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt --defaults-file=C:\Program Files\MySQL\MySQL Server 4.1\my.ini MySQL []
S4 QBCFMonitorService;QBCFMonitorService; C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [2008-03-18 20480]

-----------------EOF-----------------
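As an added example (not from this thread, and not RSIT's own code): a small Python script that parses the service lines of an RSIT log like the one above, strips the `\??\` prefix and any trailing arguments from the image path, and flags any service whose binary is named svchost.exe but does not live under C:\WINDOWS\system32, which is the pattern in this thread (a svchost.exe sitting in C:\). The sample log is constructed: four lines are copied from the log above, and the ExampleDropper line is made up to stand in for the dropped file.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# One RSIT service/driver line looks like:
#   R2 BthServ;Bluetooth Support Service; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
# i.e. state (R/S), start type (0-4), internal name, display name, image path, [date size].
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) "
    r"(?P<name>[^;]+);(?P<display>[^;]*); ?"
    r"(?P<path>.*?) \[(?P<info>[^\]]*)\]$"
)

# Directories where a genuine svchost.exe lives on a 32-bit XP install (compared case-insensitively).
LEGIT_SVCHOST_DIRS = {
    ntpath.normcase(r"C:\WINDOWS\system32"),
    ntpath.normcase(r"%SystemRoot%\system32"),
}


@dataclass
class ServiceEntry:
    state: str        # "R" running or "S" stopped
    start_type: int   # 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled
    name: str
    display: str
    path: str         # image path exactly as RSIT printed it (may carry \??\ and arguments)
    file_info: str    # "date size" inside the brackets, empty when RSIT recorded nothing


def parse_line(line: str) -> Optional[ServiceEntry]:
    """Parse one RSIT service/driver line; return None for headers, blanks and other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(m["state"], int(m["start"]), m["name"],
                        m["display"], m["path"], m["info"])


def executable_path(entry: ServiceEntry) -> str:
    """Image path without the NT '\\??\\' prefix and without anything after the .exe name."""
    path = entry.path
    if path.startswith("\\??\\"):
        path = path[4:]
    idx = path.lower().find(".exe")
    if idx != -1:
        path = path[: idx + 4]
    return path


def is_masquerading_svchost(entry: ServiceEntry) -> bool:
    """True when the binary is called svchost.exe but is not in a legitimate system32 directory."""
    directory, basename = ntpath.split(executable_path(entry))
    if ntpath.normcase(basename) != "svchost.exe":
        return False
    return ntpath.normcase(directory) not in LEGIT_SVCHOST_DIRS


def triage(log_text: str) -> List[str]:
    """Return the internal names of all services whose svchost.exe lives outside system32."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and is_masquerading_svchost(entry):
            flagged.append(entry.name)
    return flagged


# Constructed sample: the first four service lines are copied from the RSIT log in this thread;
# the ExampleDropper line (name, date and size) is made up to mimic a svchost.exe dropped into C:\.
SAMPLE_LOG = r"""
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apache2;Apache2; C:\Program Files\Apache Group\Apache2\bin\Apache.exe [2005-04-16 20541]
S2 BthServ;Bluetooth Support Service; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S2 Irmon;Infrared Monitor; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S4 MySQL;MySQL; C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt --defaults-file=C:\Program Files\MySQL\MySQL Server 4.1\my.ini MySQL []
R2 ExampleDropper;ExampleDropper; C:\svchost.exe [2008-12-19 14336]
"""

if __name__ == "__main__":
    for name in triage(SAMPLE_LOG):
        print(f"service {name}: svchost.exe image path is outside system32, inspect it")
```

This only looks at the services and drivers sections; a copy launched from a Run key, a scheduled task or a batch file in the drive root would not appear in these lines, so the Reg Loading Points section of a ComboFix log still has to be read by hand.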



#2 mas_pogi

mas_pogi

    Carpal Tunnel of Love


  • Members
  • 1,473 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Tokyo, JP
  • Local time:06:26 AM

Posted 20 December 2008 - 09:20 AM

Hello cbedward,

Welcome to Bleeping Computer.

My name is mas_pogi and I will be helping you with your malware problem.
As I am still in training I will be helping you under supervision of our expert teachers, so there may be a delay between posts.

Attention!

Please do not run any other tool until instructed to do so.
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.
Please reply to this thread, do not start another.




You might want to save this page on your bookmark, so you can find it again when you return.

Firefox: Posted Image Then click on Done.

IExplorer: Posted Image Then click on Add.

Stay calm and everything will be just alright.

I will be analyzing your log. I will get back to you.

With Regards,
mas_pogi

Edited by mas_pogi, 20 December 2008 - 09:20 AM.


#3 mas_pogi

mas_pogi

    Carpal Tunnel of Love


  • Members
  • 1,473 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Tokyo, JP
  • Local time:06:26 AM

Posted 20 December 2008 - 12:54 PM

hi.


One or more of the identified infections is a password/info stealer.

This allows hackers to steal critical system information.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

If you want to continue, please follow the instructions below:

Let's start your malware cleanup :thumbsup:
  • Please delete the old combofix.exe on your desktop, and any other copy of combofix.exe you have.

  • I see you are running Teatimer.
    I suggest you disable it because it can interfere with the changes you'll make on your system.
    When everything is done and your log is clean again, you can enable it again.
    If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

    How to disable TeaTimer <== click me for instructions.
    After you have disabled TeaTimer, download ResetTeaTimer.bat to your desktop. (In case you use Firefox, right-click the link and choose "save as".)
    Double-click ResetTeaTimer.bat and let it run.
    This will only take a few seconds.

  • Download Combofix from any of the links below. Save it to your desktop.

    Link 1
    Link 2
    Link 3

    --------------------------------------------------------------------
    Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    Double-click on ComboFix.exe and follow the prompts. When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
In your reply, please post

C:\combofix.txt
C:\QooBox\Add-Remove Programs.txt
hijackthis log


Mark

Edited by mas_pogi, 21 December 2008 - 04:50 AM.


#4 cbedward

cbedward
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:26 AM

Posted 21 December 2008 - 05:32 PM

Logs are attached inline below.

A couple of other notes:
1. I attempted to disable TeaTimer, but it was not enabled. SDHelper and TeaTimer from SpyBot were both disabled. I have not disabled them previously, so either I never turned them on in the first place or they were turned off by the virus or one of the virus scanners I used to try to remove my current virus.
2. When I start HJT, I get an error:
Error #5 - Invalid procedure call or argument, modRegistry_IniGetString(sFile=system.ini, sSection=boot, sValue=Shell)
3. There are a few files in the root directory that I created:
C:\bt.bat
C:\testfile.bat
C:\svchost.exe (not a real EXE, it was deleted by combofix)
(and backup copies)
I made these files as dummy files (the only thing in them is a note that they are dummy files) and I made them read-only in an attempt to stop the virus from writing its own versions.

----------------------------------------------------------------------------------
ComboFix 08-12-21.01 - Craig 2008-12-21 16:13:13.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.985 [GMT -5:00]
Running from: c:\downloads\Antivirus\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\svchost.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))
.

2008-12-21 15:52 . 2008-12-20 00:04 37 -ra------ C:\Copy of svchost.exe
2008-12-20 00:05 . 2008-12-20 00:05 <DIR> d--h----- c:\windows\PIF
2008-12-20 00:04 . 2008-12-20 00:04 38 -ra------ C:\Copy of testfile.bat
2008-12-20 00:01 . 2008-12-20 00:04 38 -ra------ C:\testfile.bat
2008-12-19 17:05 . 2008-12-19 17:04 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-19 16:19 . 2008-12-19 16:21 <DIR> d-------- C:\rsit
2008-12-19 13:08 . 2008-12-19 13:07 37 -ra------ C:\bt-craig.bat
2008-12-19 13:06 . 2008-12-19 13:07 37 -ra------ C:\bt.bat
2008-12-18 16:26 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-12-18 16:25 . 2008-12-18 16:25 <DIR> d-------- c:\program files\Panda Security
2008-12-01 13:28 . 2008-12-01 13:28 <DIR> d-------- c:\documents and settings\Craig\Application Data\pdf995
2008-12-01 13:28 . 2008-12-01 13:28 28 --a------ c:\windows\pdf995.ini
2008-11-26 18:49 . 2008-11-26 18:55 566 --a------ C:\Virus112608_disablesfirewall.zip
2008-11-26 15:49 . 2008-11-26 15:49 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-26 15:49 . 2008-11-26 15:49 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-26 15:49 . 2008-11-26 15:49 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-26 15:48 . 2008-11-26 15:48 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-11-26 12:58 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-26 12:53 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-25 22:31 . 2008-11-25 22:31 <DIR> d-------- c:\documents and settings\Craig\Application Data\Arduino

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 20:45 --------- d-----w c:\program files\Mozilla Thunderbird
2008-12-20 04:21 --------- d-----w c:\program files\MSDN
2008-12-20 04:21 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-20 04:17 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-20 04:11 --------- d-----w c:\program files\Java
2008-12-20 03:53 --------- d-----w c:\documents and settings\Craig\Application Data\VMware
2008-12-20 03:52 --------- d-----w c:\documents and settings\All Users\Application Data\VMware
2008-12-19 20:53 --------- d-----w c:\program files\Paint.NET
2008-12-18 18:13 --------- d-----w c:\documents and settings\NetworkService\Application Data\VMware
2008-12-06 03:44 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-04 00:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 00:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-12-01 18:28 --------- d-----w c:\documents and settings\All Users\Application Data\pdf995
2008-11-25 02:56 --------- d-----w c:\documents and settings\Craig\Application Data\AdobeUM
2008-11-03 18:36 --------- d-----w c:\program files\Microsoft Windows Small Business Server
2008-11-01 16:16 --------- d-----w c:\program files\LogMeIn
2008-11-01 16:11 --------- d-----w c:\program files\7-Zip
2008-10-24 11:21 455,296 ------w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-22 19:10 --------- d-----w c:\documents and settings\All Users\Application Data\Squid
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 10:02 247,326 ------w c:\windows\system32\strmdll.dll
2008-10-02 23:46 83,288 ----a-w c:\windows\system32\LMIRfsClientNP.dll
2008-10-02 23:45 87,352 ----a-w c:\windows\system32\LMIinit.dll
2008-10-02 23:45 28,984 ----a-w c:\windows\system32\LMIport.dll
2008-10-02 23:45 23,736 ----a-w c:\windows\system32\lmimirr.dll
2008-10-02 23:45 10,040 ----a-w c:\windows\system32\lmimirr2.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-23 21:46 245,408 ----a-w c:\windows\system32\unicows.dll
2008-08-09 02:57 13,012 ----a-w c:\documents and settings\Craig\Bubblets.dat
2008-01-27 06:43 13,012 ----a-w c:\documents and settings\Craig\Bubblets2.dat
2007-09-12 01:04 56,912 ----a-w c:\documents and settings\Craig\g2mdlhlpx.exe
2007-07-17 15:38 88,761 ----a-w c:\windows\inf\pxiclean.exe
2007-08-09 18:08 8,784 ----a-w c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-08-09 18:10 245,408 ----a-w c:\program files\mozilla firefox\plugins\unicows.dll
2004-03-15 21:51 114,688 ----a-w c:\program files\internet explorer\plugins\LV71ActiveXControl.dll
2003-05-01 13:36 114,688 ----a-w c:\program files\internet explorer\plugins\LV7ActiveXControl.dll
2006-01-23 14:32 131,072 ----a-w c:\program files\internet explorer\plugins\LV80ActiveXControl.dll
2007-02-08 14:48 133,920 ----a-w c:\program files\internet explorer\plugins\LV82ActiveXControl.dll
2007-07-24 23:03 118,784 ----a-w c:\program files\internet explorer\plugins\LV85ActiveXControl.dll
2001-11-30 23:26 98,304 ----a-w c:\program files\internet explorer\plugins\LVActiveXControl.dll
2008-09-03 01:29 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090220080903\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-18_13.00.33.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-14 00:11:59 3,166,208 -c--a-w c:\windows\system32\dllcache\msgr3en.dll
+ 2008-04-14 00:12:06 58,434 -c--a-w c:\windows\system32\dllcache\srchctls.dll
+ 2008-04-14 00:12:07 726,078 -c--a-w c:\windows\system32\dllcache\srchui.dll
- 2007-09-25 05:30:28 135,168 ----a-w c:\windows\system32\java.exe
+ 2008-12-19 22:04:58 144,792 ----a-w c:\windows\system32\java.exe
- 2007-09-25 05:30:30 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2008-12-19 22:04:58 144,792 ----a-w c:\windows\system32\javaw.exe
- 2007-09-25 06:31:42 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-19 22:04:58 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-02-05 13:48:04 77,824 ----a-w c:\windows\system32\OnlineScannerUninstaller.exe
+ 2008-12-20 03:50:04 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4f0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-05-06 202088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2003-06-03 180316]
"srmclean"="c:\cpqs\Scom\srmclean.exe" [2001-07-24 36864]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2003-07-07 274432]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-22 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-22 610304]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"PaperPort PTD"="c:\program files\Scansoft\PaperPort\pptd40nt.exe" [2002-08-12 45108]
"IndexSearch"="c:\program files\Scansoft\PaperPort\IndexSearch.exe" [2002-08-12 36864]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"niDevMon"="c:\program files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe" [2007-07-14 106064]
"DVDTray"="c:\program files\HP DVD\Umbrella\DVDTray.exe" [2003-07-23 69632]
"DVDBitSet"="c:\program files\HP DVD\Umbrella\DVDBitSet.exe" [2003-07-18 204800]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-12-05 185896]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2008-05-15 72240]
"VMware hqtray"="c:\program files\VMware\VMware Workstation\hqtray.exe" [2008-05-15 55856]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-19 136600]
"nwiz"="nwiz.exe" [2003-06-24 c:\windows\system32\nwiz.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

[HKEY_USERS\.DEFAULT\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Msn"="c:\svchost.exe" [BU]
"MsnHost"="c:\svchost.exe" [BU]
"MsnLoad"="c:\svchost.exe" [BU]
"MsnConvert"="c:\svchost.exe" [BU]
"MsnMessendger"="c:\svchost.exe" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-04-01 568176]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]
Monitor Apache Servers.lnk - c:\program files\Apache Group\Apache2\bin\ApacheMonitor.exe [2005-04-16 41042]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-03-18 972064]
SmartUI.lnk - c:\program files\Scansoft\PaperPort\SmartUI\SmartUI.exe [2003-02-03 1568768]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableDisplayControl"= 0 (0x0)
"DisableDisplayCtrl"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-02 18:45 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm
"VIDC.FFDS"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\National Instruments\\LabVIEW 7.1\\LabVIEW.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\National Instruments\\LabVIEW 8.5\\LabVIEW.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"c:\\Program Files\\VMware\\VMware Workstation\\vmware.exe"=
"c:\\Program Files\\VMware\\VMware Workstation\\vmplayer.exe"=
"c:\\Program Files\\National Instruments\\LabVIEW 8.0\\LabVIEW.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Intuit\\QuickBooks\\QBUpdate\\qbupdate.exe"=
"c:\\Program Files\\VMware\\VMware Workstation\\bin\\vmware-vmx.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\WINDOWS\\system32\\WISPTIS.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Intuit\\QuickBooks Pro\\QBW32.EXE"=
"c:\\WINDOWS\\system32\\nisvcloc.exe"=
"c:\\Program Files\\National Instruments\\Real-Time Execution Trace Toolkit 2.0\\rtett.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\National Instruments\\DataSocket\\cwdss.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"8080:TCP"= 8080:TCP:ActiTIME
"1723:TCP"= 1723:TCP:S5 VPN
"50042:TCP"= 50042:TCP:SCPIComm50042
"6342:TCP"= 6342:TCP:LabVIEW example
"6352:TCP"= 6352:TCP:6352
"3000:TCP"= 3000:TCP:3000
"50043:TCP"= 50043:TCP:SCPIComm50043

R0 nipbcfk;National Instruments Class Upper Filter Driver;c:\windows\system32\drivers\nipbcfk.sys [2007-07-10 15448]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-18 28544]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-05-11 97928]
R2 ApogeeIO;Apogee Port I/O;c:\windows\system32\Drivers\apogeeio.sys [2005-06-01 5314]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-05-11 231704]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;"c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe" [2008-01-11 30312]
R2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys [2008-07-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\c:\windows\system32\drivers\LMIRfsDriver.sys [2008-09-18 47640]
R2 LnsMtsSvc;Echelon Support Service for Microsoft Terminal Services (MTS);c:\lonworks\bin\LnsMtsSvc.exe [2005-04-06 57400]
R2 MaxImIO;MaxIm Port I/O;c:\windows\system32\Drivers\maximio.sys [2005-06-01 7610]
R2 ni488enumsvc;NI-488.2 Enumeration Service;c:\windows\system32\nipalsm.exe [2007-02-16 12696]
R2 niarbk;niarbk;c:\windows\system32\drivers\niarbk.dll [2007-04-16 37376]
R2 nibffrk;nibffrk;c:\windows\system32\drivers\nibffrk.dll [2007-04-16 21504]
R2 Nidaq32k;Nidaq32k;c:\windows\system32\drivers\Nidaq32k.sys [2007-04-16 674304]
R2 nidevldu;NI Device Loader;c:\windows\system32\nipalsm.exe [2007-02-16 12696]
R2 nidmmk;NI DMM and Data Logger Kernel Driver;c:\windows\system32\drivers\nidmmk.dll [2007-04-16 50688]
R2 niembrtk;niembrtk;c:\windows\system32\drivers\niembrtk.sys [2004-07-08 30720]
R2 nimdsk;nimdsk;c:\windows\system32\drivers\nimdsk.dll [2007-04-16 30208]
R2 nipxirmk;nipxirmk;\??\c:\windows\system32\drivers\nipxirmkl.sys [2007-02-22 11552]
R2 niRTProxy;niRTProxy;c:\windows\system32\RTProxy.exe c:\windows\system32\RTProxy.exe -s []
R2 nistck;nistck;c:\windows\system32\drivers\nistck.dll [2007-04-16 111616]
R2 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiKl.sys [2007-07-19 11360]
R2 VPCAppSv;Virtual PC Application Services;c:\windows\system32\DRIVERS\VPCAppSv.sys [2002-05-20 10374]
R3 EMCR;EMCR;c:\windows\system32\DRIVERS\EMCR7SK.sys [2007-06-05 68480]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [2008-02-26 29183504]
R3 nidimk;nidimk;\??\c:\windows\system32\drivers\nidimkl.sys [2007-07-12 11360]
R3 niesrk;niesrk;\??\c:\windows\system32\drivers\niesrkl.sys [2007-07-24 11336]
R3 nimru2k;nimru2k;\??\c:\windows\system32\drivers\nimru2kl.sys [2007-07-24 11360]
R3 nimstsk;nimstsk;\??\c:\windows\system32\drivers\nimstskl.sys [2007-07-13 11360]
R3 nixsrk;nixsrk;\??\c:\windows\system32\drivers\nixsrkl.sys [2007-07-24 11336]
S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\Drivers\FTD2XX.sys [2005-02-28 29404]
S3 hpusbwdm;HP DVD Movie Writer dc3000/dc4000;c:\windows\system32\DRIVERS\hpusbwdm.sys [2004-01-05 1080832]
S3 LdvxBroker;Echelon xDriver Connection Broker;c:\lonworks\bin\LdvxBroker.exe [2005-04-06 57402]
S3 lvalarmk;lvalarmk;\??\c:\windows\system32\drivers\lvalarmk.sys [2007-01-11 20256]
S3 ni1006k;NI PXI-1006 Chassis Pilot;\??\c:\windows\system32\drivers\ni1006k.sys [2007-02-22 25888]
S3 ni1045k;NI PXI-1045 Chassis Pilot;\??\c:\windows\system32\drivers\ni1045kl.sys [2007-02-22 11552]
S3 ni1065k;NI PXIe-1065 Chassis Pilot;\??\c:\windows\system32\drivers\ni1065k.sys [2007-05-25 22360]
S3 ni488lock;NI-488.2 Locking Service;\??\c:\windows\system32\drivers\ni488lock.sys [2007-02-26 16672]
S3 nicdrk;nicdrk;\??\c:\windows\system32\drivers\nicdrkl.sys [2007-07-15 11352]
S3 nidmxfk;nidmxfk;\??\c:\windows\system32\drivers\nidmxfkl.sys [2007-07-13 11336]
S3 nidsark;nidsark;\??\c:\windows\system32\drivers\nidsarkl.sys [2007-07-19 11344]
S3 nidwgk;nidwgk;\??\c:\windows\system32\drivers\nidwgkl.sys [2007-02-23 11552]
S3 niemrk;niemrk;\??\c:\windows\system32\drivers\niemrkl.sys [2007-07-24 11336]
S3 niemrkw;niemrkw;c:\windows\system32\DRIVERS\niemrkw.sys [2007-09-18 11336]
S3 nifslk;nifslk;\??\c:\windows\system32\drivers\nifslkl.sys [2007-07-15 11352]
S3 nigplk;nigplk;\??\c:\windows\system32\drivers\nigplkl.sys [2007-02-23 11552]
S3 nihsdrk;nihsdrk;\??\c:\windows\system32\drivers\nihsdrkl.sys [2007-07-24 11352]
S3 nimsdrk;nimsdrk;\??\c:\windows\system32\drivers\nimsdrkl.sys [2007-07-18 11392]
S3 nimslk;nimslk;\??\c:\windows\system32\drivers\nimslk.dll [2007-06-20 14464]
S3 nimsrlk;nimsrlk;\??\c:\windows\system32\drivers\nimsrlk.dll [2007-06-20 151683]
S3 nimxpk;nimxpk;\??\c:\windows\system32\drivers\nimxpkl.sys [2007-07-13 11368]
S3 ninshsdk;ninshsdk;\??\c:\windows\system32\drivers\ninshsdkl.sys [2007-07-19 11360]
S3 nipalfwedl;nipalfwedl;c:\windows\system32\drivers\nipalfwedl.sys [2007-07-18 11904]
S3 nipalusbedl;nipalusbedl;c:\windows\system32\drivers\nipalusbedl.sys [2007-07-18 11896]
S3 nipsdk;nipsdk;\??\c:\windows\system32\drivers\nipsdkl.sys [2007-07-24 11552]
S3 nipxigpk;NI PXI Generic Chassis Pilot;\??\c:\windows\system32\drivers\nipxigpk.sys [2007-02-22 20768]
S3 nirfsa2k;nirfsa2k;\??\c:\windows\system32\drivers\nirfsa2kl.sys [2007-06-30 11552]
S3 niscdk;niscdk;\??\c:\windows\system32\drivers\niscdkl.sys [2007-07-19 11376]
S3 nisdigk;nisdigk;\??\c:\windows\system32\drivers\nisdigkl.sys [2007-07-16 11352]
S3 nisftk;nisftk;\??\c:\windows\system32\drivers\nisftkl.sys [2007-07-16 11344]
S3 nisldk;nisldk;\??\c:\windows\system32\drivers\nisldkl.sys [2007-06-15 11624]
S3 nispdk;nispdk;\??\c:\windows\system32\drivers\nispdkl.sys [2007-07-19 11376]
S3 nisrcdk;nisrcdk;\??\c:\windows\system32\drivers\nisrcdkl.sys [2007-06-01 11552]
S3 nissrk;nissrk;\??\c:\windows\system32\drivers\nissrkl.sys [2007-07-24 11336]
S3 nistc2k;nistc2k;\??\c:\windows\system32\drivers\nistc2kl.sys [2007-07-15 11312]
S3 nistcrk;nistcrk;\??\c:\windows\system32\drivers\nistcrkl.sys [2007-07-15 11360]
S3 niswdk;niswdk;\??\c:\windows\system32\drivers\niswdkl.sys [2007-07-17 11336]
S3 nitiork;nitiork;\??\c:\windows\system32\drivers\nitiorkl.sys [2007-07-18 11360]
S3 nitnr2k;nitnr2k;\??\c:\windows\system32\drivers\nitnr2kl.sys [2007-02-23 11552]
S3 NiViFWK;NI-VISA FireWire Driver;c:\windows\system32\drivers\NiViFWKl.sys [2007-07-19 11384]
S3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciKl.sys [2007-07-19 11360]
S3 niwdk;niwdk;c:\windows\system32\drivers\niwdk.sys [2007-07-14 19456]
S3 niwfrk;niwfrk;\??\c:\windows\system32\drivers\niwfrkl.sys [2007-07-24 11336]
S3 nixsrkw;nixsrkw;c:\windows\system32\DRIVERS\nixsrkw.sys [2007-07-24 11336]
S3 OM2800;USB2.0 PC Camera;c:\windows\system32\Drivers\ovtcam2.sys [2007-07-14 250343]
S3 pdaq;Personal Daq 55/56;c:\windows\system32\Drivers\pdaq.sys [2008-02-15 15360]
S3 usb6xxxk;usb6xxxk;\??\c:\windows\system32\drivers\usb6xxxkl.sys []
S3 usb6xxxkw;usb6xxxkw;c:\windows\system32\DRIVERS\usb6xxxkw.sys [2007-09-18 11312]
S4 LMIRfsClientNP;LMIRfsClientNP; []
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2005-09-23 2799808]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{21e27af9-1fd5-11dd-b22b-00904b47f55a}]
\Shell\AutoRun\command - E:\autorun.exe
\Shell\phone\command - E:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38f4fe88-9409-11dc-b171-00904b47f55a}]
\Shell\AutoRun\command - E:\InstallTomTomHOME.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66bf31f6-bc3f-11dd-b262-005056c00008}]
\Shell\AutoRun\command - E:\InstallTomTomHOME.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca959636-98a3-11dd-b25a-005056c00008}]
\Shell\AutoRun\command - f:\portableapps\PortableAppsMenu\PortableAppsMenu.exe

*Newly Created Service* - PAVBOOT
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
mSearch Bar = hxxp://www.google.com/
mSearchMigratedDefaultURL = hxxp://www.google.com/
mSearchURL = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -
FF - ProfilePath - c:\documents and settings\Craig\Application Data\Mozilla\Firefox\Profiles\gna66vox.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-amo&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/?.home=ytff
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPLV80Win32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPLV82Win32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nplv85win32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-21 16:18:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????h?M??????? ??TB???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 4.1\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 4.1\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(884)
c:\windows\system32\avgrsstx.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'lsass.exe'(1008)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2008-12-21 16:23:55
ComboFix-quarantined-files.txt 2008-12-21 21:23:16
ComboFix2.txt 2008-12-18 18:01:30

Pre-Run: 5,844,418,560 bytes free
Post-Run: 5,834,350,592 bytes free

342 --- E O F --- 2008-12-18 16:39:38


-----------------------------------------------------------------------
2007 Microsoft Office Suite Service Pack 1 (SP1)
3D Flash Animator 4 Release 5
Adobe Acrobat 6.0 Professional
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Allway Sync version 6.3.9
Any Password 1.42
Apache HTTP Server 2.0.54
Apple Software Update
Astyle CSS editor 3.0 Beta 4
AutoIt v3.2.0.1
AVG Free 8.0
Bistia Camera Wrapper
Broadcom 802.11
Brother HL-2070N
Brother MFL-Pro Suite
Business Contact Manager for Outlook 2007 SP1
CmdHere Powertoy For Windows XP
ComTest
Conexant 56K ACLink Modem
Conexant AC-Link Audio
CP210x USB to UART Bridge Controller
Crystal Button 2.8
DiskUsageAnalyzer
Echelon OpenLDV 2.1
Emulator Driver for Visual Studio .NET 2003
ffdshow [rev 1928] [2008-04-10]
FileZilla (remove only)
Freez Screen Video Capture v1.2
Galil DMC Setup
Galil DMC Smart Terminal
Galil Driver and Communication dll v7 Installation
GDR 3068 for SQL Server Database Services 2005 ENU (KB948109)
GDR 3068 for SQL Server Tools and Workstation Components 2005 ENU (KB948109)
GIMP 2.4.2
Google SketchUp 6
GoToMeeting/GoToWebinar 3.0.0.198
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP DC3000
HP DVD Movie Writer
HP Software Update
IDM Toolbox 4
InterVideo WinDVD
ISO Recorder
IVI Shared Component
IVI Shared Components
Java™ 6 Update 11
Java™ SE Runtime Environment 6
Java™ SE Runtime Environment 6 Update 1
LogMeIn
Malwarebytes' Anti-Malware
Microsoft .NET Compact Framework 1.0 SP3 Developer
Microsoft .NET Compact Framework 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft ActiveSync
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Device Emulator version 1.0 - ENU
Microsoft Document Explorer 2005
Microsoft FrontPage Client - English
Microsoft IntelliPoint 5.3
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Premium
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business Connectivity Components
Microsoft Office Visio 2007 Service Pack 1 (SP1)
Microsoft Office Visio MUI (English) 2007
Microsoft Office Visio Professional 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Visual Studio .NET Professional 2003 - English
Microsoft Visual Studio 2005 Professional Edition - ENU
MicroStrain Agile-Link
MiniCSU-3 USB Drivers
Mozilla Firefox (3.0.5)
Mozilla Thunderbird (2.0.0.18)
MSDN Library for Visual Studio 2005
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
muvee autoProducer DVD Edition - HPC
MySQL Administrator 1.0
MySQL Query Browser 1.1
MySQL Server 4.1
National Instruments Software
Nero OEM
NI-488.2 2.5
NI-488.2 for LabVIEW Real-Time 2.52
NI-488.2 Provider for MAX
NI-653x Installer 1.7.0
NI-APAL Error Files 1.2.0f0
NI-BROADCOM57XX 2.1.0f1 for Phar Lap ETS
NI-DAQ C and VB6 API
NI-DAQ CVI API
NI-DAQ Document Set
NI-DAQ INF Files
NI-DAQ Provider for MAX
NI-DAQmx - LabVIEW shared documentation
NI-DAQmx 8.6
NI-DAQmx Documentation
NI-DAQmx MAX Support 1.9.0
NI-DAQmx OPC Support
NI-DAQmx support for LabVIEW
NI-DAQmx support for LabVIEW RT and LabWindows/CVI RT
NI-DAQmx Switch Core 1.12.0
NI-DCPower 1.1.2
NI-DIM 1.3.0f0 for Phar Lap ETS
NI-DIM 1.6.0f0 for Phar Lap ETS
NI-DIM 1.7.0f0
NI-DIM 1.7.0f0 for Phar Lap ETS
NI-DIO Driver 151f0
NI-DMM 2.7.2
NI-Embedded RT 1.0.1
NI-Embedded RT Provider 1.1 for MAX
NI-FGEN 2.4.6
NI-FGEN Driver 146f1
NI-FieldPoint 6.0
NI-FieldPoint for LabVIEW Real-Time 5.0
NI-FieldPoint for LabVIEW Real-Time 5.0.1
NI-FieldPoint for LabVIEW Real-Time 6.0
NI-HSD Driver 182f1
NI-HSDIO 1.5.2
NI-Intel8254x for LabVIEW Real-Time
NI-INTEL8255X 2.1.0f0 for Phar Lap ETS
NI-IRDA 1.0.2f0 for Phar Lap ETS
NI-IVI Provider for MAX
NI-MDBG 1.6.0f0 for Phar Lap ETS
NI-MDBG 1.7.0f0
NI-MDBG 1.7.0f0 for Phar Lap ETS
NI-MRU 2.7.0f0 for Phar Lap ETS
NI-MRU 2.8.0f1
NI-MRU 2.8.0f1 for Phar Lap ETS
NI-MXDF 1.7.0f0 for Phar Lap ETS
NI-MXDF 1.8.0f0
NI-MXDF 1.8.0f0 for Phar Lap ETS
NI-MXLC 1.0.0f1
NI-ORB 1.3.0f2 for Phar Lap ETS
NI-ORB 1.6.0f0 for Phar Lap ETS
NI-ORB 1.7.0f0
NI-ORB 1.7.0f0 for Phar Lap ETS
NI-PAL 1.10.0f0 for Phar Lap ETS
NI-PAL 2.0.0f0 for Phar Lap ETS
NI-PAL 2.1.0f1
NI-PAL 2.1.0f1 for Phar Lap ETS
NI-RFSA 2.0.6
NI-RFSG 1.2.6
NI-RPC 3.2.1f0 for Phar Lap ETS
NI-RPC 3.3.1f0 for Phar Lap ETS
NI-RPC 3.4.0f1
NI-RPC 3.4.0f1 for Phar Lap ETS
NI-SCOPE 3.3.2
NI-Serial 3.3
NI-Serial 3.3 for LabVIEW Real-Time
NI-Serial 3.3 Help
NI-Serial 3.3 MAX Provider
NI-SMC9 1.2.0f0 for Phar Lap ETS
NI-STE10/100A 2.1.0f0 for Phar Lap ETS
NI-STE10/100A 2.1.0f2 for Phar Lap ETS
NI-SWITCH 3.6
NI-TClk 1.6.1
NI-TNF 1.3.3f0 for Phar Lap ETS
NI-TNF 1.4.0f0 for Phar Lap ETS
NI-TNF 1.4.1f0 for Phar Lap ETS
NI-TNR Driver
NI-Tuner 1.6.6
NI-VISA 4.1 for LabVIEW Real-Time
NI-VISA 4.2
NI-VISA 4.2 for LabVIEW Real-Time
NI-VISA 4.2 MAX Provider
NI-VISA for LabVIEW Real-Time 3.4.1
NI-VISA Runtime 4.2
NI-VISA Server 4.2
NI-Watchdog 2.2.1f9
NI AFW Channel Configuration Tool
NI Assistant Framework
NI Assistant Framework LabVIEW Code Generator 6.1
NI Assistant Framework LabVIEW Code Generator 7.0
NI Assistant Framework LabVIEW Code Generator 7.1
NI Assistant Framework LabVIEW Code Generator 8.0
NI Assistant Framework LabVIEW Code Generator 8.2
NI Assistant Framework LabVIEW Code Generator 8.5
NI BIOS Updater
NI Calibration Provider for MAX
NI Certificates Deployment Support
NI Common Digital 1.7.1
NI CVI Instrument Driver Wizard Templates 8.1
NI DAQ Assistant 1.7.0
NI DataSocket 4.5.0
NI Datasocket for LabVIEW Real-Time
NI DHV DCMP Installer 108f1
NI DHV GPL 108f1
NI Distribution Information - PDS English
NI DN 2.0 installer
NI Dynamic Signal Acquisition Installer 1.10.0
NI Enhanced DSC Deployment Support 8.2
NI EULA Depot
NI Example Finder 8.5
NI ExpressWorkbench 2.0 LabVIEW Support
NI FieldPoint MAX Provider
NI Fusion Standard Library Installer 1.5.1
NI Help Assistant
NI Hierarchical Waveform Storage 1.4.5
NI Instrument I/O Assistant
NI Instrument IO Assistant for LabVIEW 7.1
NI Instrument IO Assistant for LabVIEW 8.0
NI Instrument IO Assistant for LabVIEW 8.2
NI Instrument IO Assistant for LabVIEW 8.5
NI IO Server Provider
NI IVI Class Driver CVI Support
NI IVI Class Driver LabVIEW 8.2 Support
NI IVI Class Driver LabVIEW 8.5 Support
NI IVI Class Driver Wrappers for LabVIEW 7.1
NI IVI Class Drivers
NI IVI Class Simulation Drivers
NI IVI Compliance Package 3.1
NI IVI Engine
NI IVI Installer Creator
NI IVI Online Help
NI IVI Specific Driver Test Suite
NI LabVIEW 7.1
NI LabVIEW 7.1 Core Essentials
NI LabVIEW 7.1.1 Real-Time Update
NI LabVIEW 8.0
NI LabVIEW 8.0 Activity
NI LabVIEW 8.0 Applibs
NI LabVIEW 8.0 CINtools
NI LabVIEW 8.0 Device Detection and Deployment Support
NI LabVIEW 8.0 Examples
NI LabVIEW 8.0 gMath
NI LabVIEW 8.0 Help
NI LabVIEW 8.0 Help File
NI LabVIEW 8.0 iMath
NI LabVIEW 8.0 Instr.lib
NI LabVIEW 8.0 Manuals
NI LabVIEW 8.0 MeasAppChm File
NI LabVIEW 8.0 Menus
NI LabVIEW 8.0 Project
NI LabVIEW 8.0 Resource
NI LabVIEW 8.0 Simulation
NI LabVIEW 8.0 Templates
NI LabVIEW 8.0 User.lib
NI LabVIEW 8.0 VI.lib
NI LabVIEW 8.0 WWW
NI LabVIEW 8.2 Device Detection and Deployment Support
NI LabVIEW 8.2 Help
NI LabVIEW 8.2 Help File
NI LabVIEW 8.2 Manuals
NI LabVIEW 8.2 MeasAppChm File
NI LabVIEW 8.2.1
NI LabVIEW 8.2.1 Activity
NI LabVIEW 8.2.1 Applibs
NI LabVIEW 8.2.1 CINtools
NI LabVIEW 8.2.1 Examples
NI LabVIEW 8.2.1 gMath
NI LabVIEW 8.2.1 iMath
NI LabVIEW 8.2.1 Instr.lib
NI LabVIEW 8.2.1 License
NI LabVIEW 8.2.1 Menus
NI LabVIEW 8.2.1 Project
NI LabVIEW 8.2.1 Real-Time
NI LabVIEW 8.2.1 Real-Time Module
NI LabVIEW 8.2.1 Real-Time Target Support Files
NI LabVIEW 8.2.1 Resource
NI LabVIEW 8.2.1 Simulation
NI LabVIEW 8.2.1 Templates
NI LabVIEW 8.2.1 User.lib
NI LabVIEW 8.2.1 VI.lib
NI LabVIEW 8.2.1 WWW
NI LabVIEW 8.5
NI LabVIEW 8.5 Applibs
NI LabVIEW 8.5 CINtools
NI LabVIEW 8.5 Device Detection and Deployment Support
NI LabVIEW 8.5 Examples
NI LabVIEW 8.5 gMath
NI LabVIEW 8.5 Help
NI LabVIEW 8.5 Help File
NI LabVIEW 8.5 iMath
NI LabVIEW 8.5 Instr.lib
NI LabVIEW 8.5 License
NI LabVIEW 8.5 Manuals
NI LabVIEW 8.5 MeasAppChm File
NI LabVIEW 8.5 Menus
NI LabVIEW 8.5 Project
NI LabVIEW 8.5 Real-Time
NI LabVIEW 8.5 Real-Time Module
NI LabVIEW 8.5 Real-Time Target Support Files
NI LabVIEW 8.5 Resource
NI LabVIEW 8.5 Simulation
NI LabVIEW 8.5 Templates
NI LabVIEW 8.5 User.lib
NI LabVIEW 8.5 VI.lib
NI LabVIEW 8.5 WWW
NI LabVIEW Advanced Analysis 7.1
NI LabVIEW Application Builder 7.1
NI LabVIEW Broker
NI LabVIEW C Interface
NI LabVIEW Deployable License 8.0
NI LabVIEW Deployable License 8.2
NI LabVIEW Deployable License 8.5.0
NI LabVIEW FTP Client
NI LabVIEW Full 7.1
NI LabVIEW MAX XML
NI LabVIEW Merge Utility 8.5.0
NI LabVIEW Picture Control and CIN Tools 7.1
NI LabVIEW Professional Tools 7.1
NI LabVIEW Real-Time Error Dialog
NI LabVIEW Real-Time FIFO for Runtime
NI LabVIEW Real-Time files for cRIO-900x (705F)
NI LabVIEW Real-Time Support for cFP-21xx (7115)
NI LabVIEW Real-Time Support for Compact Vision (7046)
NI LabVIEW Real-Time Support for cRIO-901x (718F)
NI LabVIEW Real-Time Support for cRIO-907x (71C7)
NI LabVIEW Real-Time Support for Desktop PC (719C)
NI LabVIEW Real-Time Support for FieldPoint (E001)
NI LabVIEW Real-Time Support for PXI-8106 (7309)
NI LabVIEW Real-Time Support for PXI-814x (7002)
NI LabVIEW Real-Time Support for PXI-8156B and 817x (E002)
NI LabVIEW Real-Time Support for PXI-8184 (7151)
NI LabVIEW Real-Time Support for PXI-8186 and 8187 (7063)
NI LabVIEW Real-Time Support for PXI-8190 (7175)
NI LabVIEW Real-Time Support for PXIe-8130 (7313)
NI LabVIEW Real-Time VxWorks Common Support for PPC603
NI LabVIEW RealTime Deployment Support
NI LabVIEW RT Proxy
NI LabVIEW Run-Time Engine 6.1
NI LabVIEW Run-Time Engine 7.0
NI LabVIEW Run-Time Engine 7.1.1
NI LabVIEW Run-Time Engine 8.0.1
NI LabVIEW Run-Time Engine 8.2.1
NI LabVIEW Run-Time Engine 8.5
NI LabVIEW SignalExpress 2.5
NI LabVIEW SignalExpress 2.5 Core
NI LabVIEW SignalExpress 2.5 Core LabVIEW Support
NI LabVIEW SignalExpress 2.5 Datatypes
NI LabVIEW SignalExpress 2.5 LabVIEW Support
NI LabVIEW SignalExpress 2.5 Licenses
NI LabVIEW SignalExpress 2.5 Steps
NI LabVIEW SignalExpress 2.5 Tools
NI LabWindows/CVI 8.1 FDS Package
NI LabWindows/CVI 8.1 Full Development System Files
NI LabWindows/CVI 8.1 Help Files
NI LabWindows/CVI 8.1 Program Files
NI LabWindows/CVI 8.1.1 Run-Time Engine
NI LabWindows/CVI Advanced Analysis Libraries 8.1
NI LabWindows/CVI Code Generator
NI LabWindows/CVI FDS Sample Files 8.1
NI LabWindows/CVI Sample Files 8.1
NI LabWindows/CVI VS2005 AddIn
NI Legacy DAQmxRF
NI License Manager
NI Logos 4.9
NI Logos LabVIEW 8.0 Support
NI Logos LabVIEW 8.2 Support
NI Logos LabVIEW 8.5 Support
NI Logos Support for LabVIEW Real-Time
NI Logos XT Support
NI Logos XT Support for LabVIEW Real-Time
NI LVBrokerAux 8.2.1
NI LVBrokerAux 8.5.0
NI LVBrokerAux1071
NI LVBrokerAux71
NI LVBrokerAux8.0
NI Math Kernel Libraries
NI MAX CVI Support
NI MAX LabVIEW Support
NI MDF Support
NI Measurement & Automation Explorer 4.3
NI Measurement Studio 8.1 Enterprise RunTime for VS2005
NI Measurement Studio Common .NET Language Assemblies for the .NET Framework 1.1
NI Measurement Studio Common .NET Language Assemblies for the .NET Framework 2.0
NI Measurement Studio DAQmx for Visual Studio 2005
NI Measurement Studio GPIB Support for VS2005
NI Measurement Studio Max Configuration Support for VS2005
NI Measurement Studio Recipe Processor
NI Measurement Studio VISA Support for VS2005
NI Measurements eXtensions for PAL 1.7.0
NI MIO Device Drivers 1.13.0
NI Modbus IO Server for LabVIEW Real-Time
NI Modbus IO Server for Windows
NI ModInst 1.4.2
NI Multi-Variable Dialog
NI MXS
NI Network Variable Engine for LabVIEW Real-Time
NI OPC Support
NI PID Control Toolkit for LabVIEW 8.5 Real-Time
NI Portable Configuration
NI PXI-5660 Support
NI PXI Platform Services for LabVIEW Real-Time 2.3.0
NI PXI Platform Services for LabVIEW Real-Time 2.3.1
NI PXI Platform Services for Windows 2.3.1
NI PXI Platform Services Provider for MAX 2.3.1
NI Real-Time Execution Trace Toolkit
NI Real-Time Execution Trace Toolkit License
NI Registration Wizard
NI Remote Provider for MAX
NI Remote PXI Provider for MAX
NI RT Libiconv
NI RT MSVS 7.1
NI Script Editor 1.3.1
NI SCXI 1.8.1
NI Service Locator
NI SignalExpress 2.0 LabVIEW Support
NI Software Provider for MAX
NI Sound and Vibration Frequency Analysis 5.0
NI Spy 2.5.1
NI STC 1.2.0
NI TDMS
NI Timing Installer 1.10.0
NI Uninstaller
NI USI 1.5.0
NI Variable Client for LabVIEW Real-Time
NI Variable Engine
NI Variable Engine LabVIEW 8.0 Support
NI Variable Engine LabVIEW 8.2.1 Support
NI Variable Engine LabVIEW 8.5 Support
NI Variable Engine Serial Support
NI Variable Engine Serial Support RT
NI Variable Manager
NI VC2005MSMs x86
NI Web Pipeline
NVIDIA Windows 2000/XP Display Drivers
OpenOffice.org 2.2
Panda ActiveScan 2.0
PaperPort 8.0 SE
PC Inspector smart recovery
Pdf995 (installed by TaxCut)
PdfEdit995 (installed by TaxCut)
Periodic
Personal Daq LabVIEW VIs
Personal DaqView
PowerDVD
Quick Launch Buttons 4.10 C2
QuickBooks Premier: Professional Services Edition 2007
QuickBooks Pro Edition 2004
QuickBooks Product Listing Service
QuickTime
Read30
RealPlayer
RecordNow
Remote Display Control
Retrospect 7.0
Rhapsody Player Engine
RTLSetup for Realtek RTL8139/810x Family NIC 3.50 (OEM A)
ScriptSWF 1.8.1 Tools
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB925674)
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB937060)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
SensiView_v2_2
Simple Backup
Spybot - Search & Destroy 1.3
SQLyog 5.13
SupportSoft Assisted Service
Synaptics Pointing Device Driver
TaxCut North Carolina 2007
TaxCut Premium + State 2007
TomTom HOME
Traditional NI-DAQ 7.4.4 (Legacy)
Traditional NI-DAQ Documentation
Tweak UI
Ulead Photo Express 3.0
UltraEdit-32
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb958619)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
USB2.0 Camera Driver
VC_MergeModuleToMSI
Vista Buttons Trial
Visual Studio .NET Professional 2003 - English
Visual Studio.NET Baseline - English
VMware Workstation
WAtomic 1.2
WebFldrs XP
WIDCOMM Bluetooth Software
Windows Essentials Media Codec Pack 1.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows Mobile 5.0 Pocket PC SDK
Windows XP Service Pack 3
WinRAR archiver
Xilisoft Video Converter 3
XP Codec Pack

--------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:17:30 PM, on 12/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\WINDOWS\system32\lkads.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\lktsrv.exe
C:\LonWorks\bin\LnsMtsSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\nipalsm.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\WINDOWS\system32\RTProxy.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect 7.0\retrorun.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Any Password\AnyPass.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [niDevMon] C:\Program Files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\HP DVD\Umbrella\DVDTray.exe
O4 - HKLM\..\Run: [DVDBitSet] C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe /NOUI
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [Msn] c:\svchost.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MsnLoad] c:\svchost.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MsnConvert] c:\svchost.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MsnMessendger] c:\svchost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [Msn] c:\svchost.exe (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: SmartUI.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200705...ex/qtplugin.cab
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://russell/connectcomputer/nshelp.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1181070593578
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Group\Apache2\bin\Apache.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Echelon xDriver Connection Broker (LdvxBroker) - Echelon Corporation - C:\LonWorks\bin\LdvxBroker.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments Corporation - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments Corporation - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: Echelon Support Service for Microsoft Terminal Services (MTS) (LnsMtsSvc) - Echelon Corporation - C:\LonWorks\bin\LnsMtsSvc.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: NI-488.2 Enumeration Service (ni488enumsvc) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: NI Device Loader (nidevldu) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI PXI Resource Manager (nipxirmu) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: niRTProxy - National Instruments - C:\WINDOWS\system32\RTProxy.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - EMC Dantz - C:\Program Files\Dantz\Retrospect 7.0\retrorun.exe
O23 - Service: Retrospect Helper - EMC Dantz - C:\Program Files\Dantz\Retrospect 7.0\rthlpsvc.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 14419 bytes
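As an added triage example (not from the thread and not part of HijackThis or ComboFix), a Python script that reads HijackThis-style `O4` and running-process lines and flags the persistence pattern visible in the log above: autostarts under a `Policies\Explorer\Run` key that point a Windows system-binary name (svchost.exe) at a file outside the Windows directory, plus a count of repeated processes such as mshta.exe. The sample log lines are constructed from entries in the log above; the list of system-binary names and the "3 or more" threshold are assumptions.

```python
"""Triage helper for HijackThis-style logs (added example, not part of the
thread or of HijackThis/ComboFix). Flags Policies\\Explorer\\Run autostarts,
system-binary names living outside the Windows directory, and processes that
appear repeatedly, such as the many mshta.exe instances in the log above."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample in HijackThis format, modelled on the log above; the
# first two O4 lines are legitimate entries kept as negative cases.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\explorer.exe

O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [Msn] c:\svchost.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MsnLoad] c:\svchost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [Msn] c:\svchost.exe (User 'Default user')
"""

# Windows binaries that normally live only under %SystemRoot% (assumed list).
SYSTEM_BINARY_NAMES = {"svchost.exe", "mshta.exe", "lsass.exe", "csrss.exe",
                       "winlogon.exe", "services.exe", "explorer.exe"}
# HijackThis abbreviates Software\Microsoft\Windows\CurrentVersion as "..".
HJT_ELLIPSIS = r"Software\Microsoft\Windows\CurrentVersion"
HIVE_NAMES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
              "HKUS": "HKEY_USERS"}

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
                   r"(?: \(User '(?P<user>[^']*)'\))?\s*$")
# First token ending in .exe, with an optional opening quote stripped.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.exe)', re.IGNORECASE)


def expand_key(key: str) -> str:
    """'HKUS\\S-1-5-18\\..\\Policies\\Explorer\\Run' -> full registry path."""
    parts = key.split("\\")
    parts[0] = HIVE_NAMES.get(parts[0], parts[0])
    return "\\".join(HJT_ELLIPSIS if p == ".." else p for p in parts)


def parse_o4(line: str) -> Optional[Dict[str, str]]:
    """Parse one 'O4 - <key>: [<name>] <command>' line; None for other lines."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    exe = EXE_RE.match(entry["cmd"])
    entry["exe"] = exe.group("path") if exe else entry["cmd"]
    return entry


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_outside_windows_dir(path: str) -> bool:
    """True for a path with a directory part that is not under \\WINDOWS\\."""
    low = path.lower()
    return "\\" in low and "\\windows\\" not in low


def suspicious_autostarts(log_text: str) -> List[Dict[str, str]]:
    """Return flagged O4 entries, each with the expanded key and the reasons."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = []
        if "policies\\explorer\\run" in entry["key"].lower():
            reasons.append("autostart via a Policies\\Explorer\\Run key")
        name = basename(entry["exe"])
        if name in SYSTEM_BINARY_NAMES and is_outside_windows_dir(entry["exe"]):
            reasons.append(f"{name} running from outside the Windows directory")
        if reasons:
            findings.append({"value": entry["name"], "key": expand_key(entry["key"]),
                             "exe": entry["exe"], "user": entry["user"] or "",
                             "reasons": "; ".join(reasons)})
    return findings


def process_counts(log_text: str) -> Counter:
    """Count process basenames listed under 'Running processes:'."""
    counts: Counter = Counter()
    in_section = False
    for line in log_text.splitlines():
        if line.strip() == "Running processes:":
            in_section = True
            continue
        if in_section:
            if not line.strip():
                break
            counts[basename(line.strip())] += 1
    return counts


def repeated_processes(log_text: str, threshold: int = 3) -> Dict[str, int]:
    """Processes seen at least `threshold` times; svchost.exe is legitimately
    multi-instance and is excluded, mshta.exe normally is not."""
    return {n: c for n, c in process_counts(log_text).items()
            if c >= threshold and n != "svchost.exe"}


if __name__ == "__main__":
    for f in suspicious_autostarts(SAMPLE_LOG):
        print(f"[{f['key']}] \"{f['value']}\" -> {f['exe']} ({f['reasons']})")
    print("repeated processes:", repeated_processes(SAMPLE_LOG))
```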

#5 mas_pogi


    Carpal Tunnel of Love


  • Members
  • 1,473 posts
  • Gender:Male
  • Location:Tokyo, JP
  • Local time:06:26 AM

Posted 22 December 2008 - 07:36 AM

hi.

Please do not make any modifications to your computer.

Please follow my instructions promptly.
  • Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

    How to see hidden files in Windows

    Please click this link-->Virustotal: http://www.virustotal.com/

    When the Virustotal page has finished loading, click the Browse button and navigate to the following file and click Submit.

    C:\Virus112608_disablesfirewall.zip
    C:\WINDOWS\System32\mshta.exe


    Please post back the results of the scan in your next post.

    If Virustotal is busy, try the same at Jotti

  • 1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:

    FILE::
    c:\svchost.exe
    C:\Copy of svchost.exe
    C:\Copy of testfile.bat
    C:\testfile.bat
    C:\bt-craig.bat
    C:\bt.bat

    REGISTRY::
    [HKEY_USERS\.DEFAULT\software\microsoft\windows\Currentversion\policies\explorer\Run]
    "Msn"=-
    "MsnHost"=-
    "MsnLoad"=-
    "MsnConvert"=-
    "MsnMessendger"=-

    DIRLOOK::
    C:\WINDOWS\srchasst


    Save this as CFScript.txt, in the same location as ComboFix.exe


    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

  • Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.
In your reply, please post

C:\combofix.txt
Bitdefender scan result
Jotti/virustotal result


Mark

#6 cbedward

  • Topic Starter

  • Members
  • 7 posts
  • Local time:05:26 AM

Posted 22 December 2008 - 11:57 AM

When I ran ComboFix, it seemed to work, but there is a second DOS window which contains:

The process cannot access the file because it is being used by another process.
FINDSTR: Cannot read strings from ForeignWht
The process cannot access the file because it is being used by another process.

The window remained even after ComboFix completed.

FYI, the file C:\Virus112608_disablesfirewall.zip is one I created of the root files that keep popping up (svchost, testfile.bat, bt.bat) when the infection first popped up.

I am posting the logs from what you requested now. I am about to start running BitDefender. I will post the results when it completes.
----------------------------------------------------------------------------------------------------
File Virus112608_disablesfirewall.zip received on 12.22.2008 17:25:07 (CET)
Result: 0/38 (0%)
Antivirus Version Last Update Result
AhnLab-V3 2008.12.22.0 2008.12.22 -
AntiVir 7.9.0.45 2008.12.22 -
Authentium 5.1.0.4 2008.12.22 -
Avast 4.8.1281.0 2008.12.21 -
AVG 8.0.0.199 2008.12.22 -
BitDefender 7.2 2008.12.22 -
CAT-QuickHeal 10.00 2008.12.22 -
ClamAV 0.94.1 2008.12.22 -
Comodo 793 2008.12.21 -
DrWeb 4.44.0.09170 2008.12.22 -
eSafe 7.0.17.0 2008.12.21 -
eTrust-Vet 31.6.6271 2008.12.20 -
Ewido 4.0 2008.12.22 -
F-Prot 4.4.4.56 2008.12.22 -
F-Secure 8.0.14332.0 2008.12.22 -
Fortinet 3.117.0.0 2008.12.22 -
GData 19 2008.12.22 -
Ikarus T3.1.1.45.0 2008.12.22 -
K7AntiVirus 7.10.562 2008.12.22 -
Kaspersky 7.0.0.125 2008.12.22 -
McAfee 5471 2008.12.21 -
McAfee+Artemis 5471 2008.12.21 -
Microsoft 1.4205 2008.12.22 -
NOD32 3711 2008.12.22 -
Norman 5.80.02 2008.12.22 -
Panda 9.0.0.4 2008.12.21 -
PCTools 4.4.2.0 2008.12.22 -
Prevx1 V2 2008.12.22 -
Rising 21.09.02.00 2008.12.22 -
SecureWeb-Gateway 6.7.6 2008.12.22 -
Sophos 4.37.0 2008.12.22 -
Sunbelt 3.2.1801.2 2008.12.11 -
Symantec 10 2008.12.22 -
TheHacker 6.3.1.4.195 2008.12.20 -
TrendMicro 8.700.0.1004 2008.12.22 -
VBA32 3.12.8.10 2008.12.22 -
ViRobot 2008.12.22.1530 2008.12.22 -
VirusBuster 4.5.11.0 2008.12.22 -
Additional information
File size: 566 bytes
MD5...: b757d6ebab157840fa14067b3bf2f6cb
SHA1..: e72bbb708fe205456d578984ebdd113777270262
SHA256: 612e0a8fa6d8faaa4611ae8e720766912d35f2d0f74a3208f27bacf06c630b65
SHA512: a2c8cf193d3b62b92b3dd110c9a2869c2769cfcfc867572126bbbe21694476a4860628ebdbb6dbccaf0c6ed167163e4543f26f53382df4b2bdb5766a10c148a4

ssdeep: 12:5joXl5zlo0u5RX7KW0xrMletiKhlf51cR2Lumllj8Vt:9CJlop7P0xrMAtJlf51cYlen

PEiD..: -
TrID..: File type identification
ZIP compressed archive (100.0%)
PEInfo: -

---------------------------------------------------------------------
File mshta.exe received on 12.22.2008 17:30:09 (CET)
Result: 0/38 (0%)
Antivirus Version Last Update Result
AhnLab-V3 2008.12.22.0 2008.12.22 -
AntiVir 7.9.0.45 2008.12.22 -
Authentium 5.1.0.4 2008.12.22 -
Avast 4.8.1281.0 2008.12.21 -
AVG 8.0.0.199 2008.12.22 -
BitDefender 7.2 2008.12.22 -
CAT-QuickHeal 10.00 2008.12.22 -
ClamAV 0.94.1 2008.12.22 -
Comodo 793 2008.12.21 -
DrWeb 4.44.0.09170 2008.12.22 -
eSafe 7.0.17.0 2008.12.21 -
eTrust-Vet 31.6.6271 2008.12.20 -
Ewido 4.0 2008.12.22 -
F-Prot 4.4.4.56 2008.12.22 -
F-Secure 8.0.14332.0 2008.12.22 -
Fortinet 3.117.0.0 2008.12.22 -
GData 19 2008.12.22 -
Ikarus T3.1.1.45.0 2008.12.22 -
K7AntiVirus 7.10.562 2008.12.22 -
Kaspersky 7.0.0.125 2008.12.22 -
McAfee 5471 2008.12.21 -
McAfee+Artemis 5471 2008.12.21 -
Microsoft 1.4205 2008.12.22 -
NOD32 3711 2008.12.22 -
Norman 5.80.02 2008.12.22 -
Panda 9.0.0.4 2008.12.21 -
PCTools 4.4.2.0 2008.12.22 -
Prevx1 V2 2008.12.22 -
Rising 21.09.02.00 2008.12.22 -
SecureWeb-Gateway 6.7.6 2008.12.22 -
Sophos 4.37.0 2008.12.22 -
Sunbelt 3.2.1801.2 2008.12.11 -
Symantec 10 2008.12.22 -
TheHacker 6.3.1.4.195 2008.12.20 -
TrendMicro 8.700.0.1004 2008.12.22 -
VBA32 3.12.8.10 2008.12.22 -
ViRobot 2008.12.22.1530 2008.12.22 -
VirusBuster 4.5.11.0 2008.12.22 -
Additional information
File size: 45568 bytes
MD5...: 08a8931db4d9302f9804c4dfa14596d1
SHA1..: eda18f3d7cefab389203277881e8edbf258b2f64
SHA256: 257f7bf341376b24287e3d004be2126ba2c80d0852d02fe5497d49f765821b6e
SHA512: 87121c296a56f6a4889ae0d1070f6398cba3cb8cf4ae80f4f14c5c69a3eed418b49a140169671f836f961669005895cf8cc552531fa0bc06d8d110eb01bd5f69

ssdeep: 768:OcIifVDMpBKnQrEjxRS2btWnkIsEM5Gg0AX:Or8qpBMQwjrwnkd5D0w

PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1002853
timedatestamp.....: 0x45353557 (Tue Oct 17 19:56:07 2006)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x7f5a 0x8000 6.54 fde6d6fef5ea6cea099e910d7402ad03
.data 0x9000 0x1840 0xe00 2.33 1dad3750b2ef237502c44d375b748434
.rsrc 0xb000 0x11a8 0x1200 3.93 3c1abab74a875df66e145c991031eb30
.reloc 0xd000 0xc46 0xe00 4.04 e97d06e8fe8c0f63ee06bf1de95902a0

( 2 imports )
> ADVAPI32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
> KERNEL32.dll: GetVersion, GetProcAddress, GetModuleHandleW, FreeLibrary, MultiByteToWideChar, lstrlenA, LoadLibraryW, LoadLibraryA, ExpandEnvironmentStringsA, GetCommandLineA, GetVersionExA, GetStartupInfoA, GetModuleHandleA, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, UnhandledExceptionFilter, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetLastError, GetEnvironmentStringsW, SetHandleCount, GetFileType, DeleteCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, InterlockedDecrement, GetCurrentThreadId, HeapDestroy, HeapCreate, VirtualFree, HeapFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapAlloc, LeaveCriticalSection, EnterCriticalSection, OutputDebugStringA, InitializeCriticalSection, GetCPInfo, GetACP, GetOEMCP, Sleep, VirtualAlloc, HeapReAlloc, RtlUnwind, SetUnhandledExceptionFilter, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, TerminateProcess, GetCurrentProcess, VirtualProtect, GetSystemInfo, VirtualQuery

( 0 exports )

-----------------------------------------------------------------------------------------
ComboFix 08-12-21.01 - Craig 2008-12-22 11:38:05.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1045 [GMT -5:00]
Running from: c:\downloads\Antivirus\ComboFix.exe
Command switches used :: c:\downloads\Antivirus\CFScript122208.txt
* Created a new restore point

FILE ::
C:\bt-craig.bat
C:\bt.bat
C:\Copy of svchost.exe
C:\Copy of testfile.bat
c:\svchost.exe
C:\testfile.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\bt-craig.bat
C:\bt.bat
C:\Copy of svchost.exe
C:\Copy of testfile.bat
C:\testfile.bat

.
((((((((((((((((((((((((( Files Created from 2008-11-22 to 2008-12-22 )))))))))))))))))))))))))))))))
.

2008-12-20 00:05 . 2008-12-20 00:05 <DIR> d--h----- c:\windows\PIF
2008-12-19 17:05 . 2008-12-19 17:04 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-19 16:19 . 2008-12-19 16:21 <DIR> d-------- C:\rsit
2008-12-18 16:26 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2008-12-18 16:25 . 2008-12-18 16:25 <DIR> d-------- c:\program files\Panda Security
2008-12-01 13:28 . 2008-12-01 13:28 <DIR> d-------- c:\documents and settings\Craig\Application Data\pdf995
2008-12-01 13:28 . 2008-12-01 13:28 28 --a------ c:\windows\pdf995.ini
2008-11-26 18:49 . 2008-11-26 18:55 566 --a------ C:\Virus112608_disablesfirewall.zip
2008-11-26 15:49 . 2008-11-26 15:49 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-11-26 15:49 . 2008-11-26 15:49 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-11-26 15:49 . 2008-11-26 15:49 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-11-26 15:48 . 2008-11-26 15:48 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-11-26 12:58 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-26 12:53 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-25 22:31 . 2008-11-25 22:31 <DIR> d-------- c:\documents and settings\Craig\Application Data\Arduino

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 23:33 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-21 20:45 --------- d-----w c:\program files\Mozilla Thunderbird
2008-12-20 04:21 --------- d-----w c:\program files\MSDN
2008-12-20 04:21 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-20 04:17 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-20 04:11 --------- d-----w c:\program files\Java
2008-12-20 03:53 --------- d-----w c:\documents and settings\Craig\Application Data\VMware
2008-12-20 03:52 --------- d-----w c:\documents and settings\All Users\Application Data\VMware
2008-12-19 20:53 --------- d-----w c:\program files\Paint.NET
2008-12-18 18:13 --------- d-----w c:\documents and settings\NetworkService\Application Data\VMware
2008-12-06 03:44 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-04 00:52 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 00:52 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-12-01 18:28 --------- d-----w c:\documents and settings\All Users\Application Data\pdf995
2008-11-25 02:56 --------- d-----w c:\documents and settings\Craig\Application Data\AdobeUM
2008-11-03 18:36 --------- d-----w c:\program files\Microsoft Windows Small Business Server
2008-11-01 16:16 --------- d-----w c:\program files\LogMeIn
2008-11-01 16:11 --------- d-----w c:\program files\7-Zip
2008-10-24 11:21 455,296 ------w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-22 19:10 --------- d-----w c:\documents and settings\All Users\Application Data\Squid
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 10:02 247,326 ------w c:\windows\system32\strmdll.dll
2008-10-02 23:46 83,288 ----a-w c:\windows\system32\LMIRfsClientNP.dll
2008-10-02 23:45 87,352 ----a-w c:\windows\system32\LMIinit.dll
2008-10-02 23:45 28,984 ----a-w c:\windows\system32\LMIport.dll
2008-10-02 23:45 23,736 ----a-w c:\windows\system32\lmimirr.dll
2008-10-02 23:45 10,040 ----a-w c:\windows\system32\lmimirr2.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-23 21:46 245,408 ----a-w c:\windows\system32\unicows.dll
2008-08-09 02:57 13,012 ----a-w c:\documents and settings\Craig\Bubblets.dat
2008-01-27 06:43 13,012 ----a-w c:\documents and settings\Craig\Bubblets2.dat
2007-09-12 01:04 56,912 ----a-w c:\documents and settings\Craig\g2mdlhlpx.exe
2007-07-17 15:38 88,761 ----a-w c:\windows\inf\pxiclean.exe
2007-08-09 18:08 8,784 ----a-w c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-08-09 18:10 245,408 ----a-w c:\program files\mozilla firefox\plugins\unicows.dll
2004-03-15 21:51 114,688 ----a-w c:\program files\internet explorer\plugins\LV71ActiveXControl.dll
2003-05-01 13:36 114,688 ----a-w c:\program files\internet explorer\plugins\LV7ActiveXControl.dll
2006-01-23 14:32 131,072 ----a-w c:\program files\internet explorer\plugins\LV80ActiveXControl.dll
2007-02-08 14:48 133,920 ----a-w c:\program files\internet explorer\plugins\LV82ActiveXControl.dll
2007-07-24 23:03 118,784 ----a-w c:\program files\internet explorer\plugins\LV85ActiveXControl.dll
2001-11-30 23:26 98,304 ----a-w c:\program files\internet explorer\plugins\LVActiveXControl.dll
2008-09-03 01:29 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090220080903\index.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\windows\srchasst ----

2008-04-13 19:12 726078 --a------ c:\windows\srchasst\srchui.dll
2008-04-13 19:12 58434 --a------ c:\windows\srchasst\srchctls.dll
2008-04-13 19:11 3166208 --a------ c:\windows\srchasst\msgr3en.dll
2004-07-17 10:42 5544 --------- c:\windows\srchasst\mui\041e\lcladvd.xml
2004-07-17 10:42 2822 --------- c:\windows\srchasst\mui\041e\inetpref.xml
2004-07-17 10:42 2822 --------- c:\windows\srchasst\mui\0409\inetpref.xml
2004-07-17 10:42 2518 --a------ c:\windows\srchasst\mui\0409\lcldocs.xml
2004-07-17 10:42 2518 --------- c:\windows\srchasst\mui\041e\lcldocs.xml
2004-07-17 10:42 2343 --a------ c:\windows\srchasst\mui\0409\lclmm.xml
2004-07-17 10:42 2343 --------- c:\windows\srchasst\mui\041e\lclmm.xml
2003-03-31 14:00 816535 --------- c:\windows\srchasst\chars\courtney.acs
2003-03-31 14:00 799 --------- c:\windows\srchasst\mui\0409\inetfind.xml
2003-03-31 14:00 794 --------- c:\windows\srchasst\mui\0409\lclcomp.xml
2003-03-31 14:00 7354 --------- c:\windows\srchasst\mui\0409\lcladvmm.xml
2003-03-31 14:00 732 --------- c:\windows\srchasst\mui\0409\lclother.xml
2003-03-31 14:00 6574 --------- c:\windows\srchasst\mui\0409\lcladvdf.xml
2003-03-31 14:00 656 --------- c:\windows\srchasst\mui\0409\lcltechy.xml
2003-03-31 14:00 6551 --------- c:\windows\srchasst\mui\0409\lclrfine.xml
2003-03-31 14:00 6228 --------- c:\windows\srchasst\mui\0409\lcladv.xml
2003-03-31 14:00 612 --------- c:\windows\srchasst\mui\0409\intents.xml
2003-03-31 14:00 563 --------- c:\windows\srchasst\mui\0409\intro.xml
2003-03-31 14:00 5544 --------- c:\windows\srchasst\mui\0409\lcladvd.xml
2003-03-31 14:00 545 --------- c:\windows\srchasst\mui\0409\lclmode.xml
2003-03-31 14:00 530 --------- c:\windows\srchasst\mui\0409\charctxt.xml
2003-03-31 14:00 462 --------- c:\windows\srchasst\mui\0409\lclkwrds.xml
2003-03-31 14:00 4399505 --a------ c:\windows\srchasst\nls302en.lex
2003-03-31 14:00 381 --------- c:\windows\srchasst\mui\0409\lcllook.xml
2003-03-31 14:00 34671 --------- c:\windows\srchasst\mui\0409\balloon.xsl
2003-03-31 14:00 34643 --------- c:\windows\srchasst\mui\0409\bar.xsl
2003-03-31 14:00 242 --------- c:\windows\srchasst\mui\0409\charchsr.xml
2003-03-31 14:00 2140 --------- c:\windows\srchasst\mui\0409\lclprog.xml
2003-03-31 14:00 2114 --------- c:\windows\srchasst\mui\0409\lcldate.xml
2003-03-31 14:00 1861820 --------- c:\windows\srchasst\chars\rover.acs
2003-03-31 14:00 1622 --------- c:\windows\srchasst\mui\0409\lclsize.xml
2003-03-31 14:00 1542 --------- c:\windows\srchasst\mui\0409\inetopts.xml
2003-03-31 14:00 1472718 --------- c:\windows\srchasst\chars\earl.acs
2003-03-31 14:00 1397 --------- c:\windows\srchasst\mui\0409\indxsvc.xml
2003-03-31 14:00 1324 --------- c:\windows\srchasst\mui\0409\lclsrch.xml
2003-03-31 14:00 1192 --------- c:\windows\srchasst\mui\0409\inetsrch.xml
2003-03-31 14:00 1070 --------- c:\windows\srchasst\mui\0409\finish.xml
2003-03-31 14:00 105 --------- c:\windows\srchasst\mui\0409\error.xml


((((((((((((((((((((((((((((( snapshot@2008-12-18_13.00.33.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-14 00:11:59 3,166,208 -c--a-w c:\windows\system32\dllcache\msgr3en.dll
+ 2008-04-14 00:12:06 58,434 -c--a-w c:\windows\system32\dllcache\srchctls.dll
+ 2008-04-14 00:12:07 726,078 -c--a-w c:\windows\system32\dllcache\srchui.dll
- 2007-09-25 05:30:28 135,168 ----a-w c:\windows\system32\java.exe
+ 2008-12-19 22:04:58 144,792 ----a-w c:\windows\system32\java.exe
- 2007-09-25 05:30:30 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2008-12-19 22:04:58 144,792 ----a-w c:\windows\system32\javaw.exe
- 2007-09-25 06:31:42 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-19 22:04:58 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-02-05 13:48:04 77,824 ----a-w c:\windows\system32\OnlineScannerUninstaller.exe
+ 2008-12-20 03:50:04 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4f0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-05-06 202088]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2004-05-12 1038336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2003-06-03 180316]
"srmclean"="c:\cpqs\Scom\srmclean.exe" [2001-07-24 36864]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2003-07-07 274432]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-22 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-22 610304]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"PaperPort PTD"="c:\program files\Scansoft\PaperPort\pptd40nt.exe" [2002-08-12 45108]
"IndexSearch"="c:\program files\Scansoft\PaperPort\IndexSearch.exe" [2002-08-12 36864]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"niDevMon"="c:\program files\National Instruments\NI-DAQ\HWConfig\nidevmon.exe" [2007-07-14 106064]
"DVDTray"="c:\program files\HP DVD\Umbrella\DVDTray.exe" [2003-07-23 69632]
"DVDBitSet"="c:\program files\HP DVD\Umbrella\DVDBitSet.exe" [2003-07-18 204800]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-12-05 185896]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2008-05-15 72240]
"VMware hqtray"="c:\program files\VMware\VMware Workstation\hqtray.exe" [2008-05-15 55856]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-19 136600]
"nwiz"="nwiz.exe" [2003-06-24 c:\windows\system32\nwiz.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-04-01 568176]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]
Monitor Apache Servers.lnk - c:\program files\Apache Group\Apache2\bin\ApacheMonitor.exe [2005-04-16 41042]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-03-18 972064]
SmartUI.lnk - c:\program files\Scansoft\PaperPort\SmartUI\SmartUI.exe [2003-02-03 1568768]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableDisplayControl"= 0 (0x0)
"DisableDisplayCtrl"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-02 18:45 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm
"VIDC.FFDS"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\National Instruments\\LabVIEW 7.1\\LabVIEW.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\National Instruments\\LabVIEW 8.5\\LabVIEW.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"c:\\Program Files\\VMware\\VMware Workstation\\vmware.exe"=
"c:\\Program Files\\VMware\\VMware Workstation\\vmplayer.exe"=
"c:\\Program Files\\National Instruments\\LabVIEW 8.0\\LabVIEW.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Intuit\\QuickBooks\\QBUpdate\\qbupdate.exe"=
"c:\\Program Files\\VMware\\VMware Workstation\\bin\\vmware-vmx.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\WINDOWS\\system32\\WISPTIS.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Intuit\\QuickBooks Pro\\QBW32.EXE"=
"c:\\WINDOWS\\system32\\nisvcloc.exe"=
"c:\\Program Files\\National Instruments\\Real-Time Execution Trace Toolkit 2.0\\rtett.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\National Instruments\\DataSocket\\cwdss.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"8080:TCP"= 8080:TCP:ActiTIME
"1723:TCP"= 1723:TCP:S5 VPN
"50042:TCP"= 50042:TCP:SCPIComm50042
"6342:TCP"= 6342:TCP:LabVIEW example
"6352:TCP"= 6352:TCP:6352
"3000:TCP"= 3000:TCP:3000
"50043:TCP"= 50043:TCP:SCPIComm50043

R0 nipbcfk;National Instruments Class Upper Filter Driver;c:\windows\system32\drivers\nipbcfk.sys [2007-07-10 15448]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-18 28544]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-05-11 97928]
R2 ApogeeIO;Apogee Port I/O;c:\windows\system32\Drivers\apogeeio.sys [2005-06-01 5314]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-05-11 231704]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;"c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe" [2008-01-11 30312]
R2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys [2008-07-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\c:\windows\system32\drivers\LMIRfsDriver.sys [2008-09-18 47640]
R2 LnsMtsSvc;Echelon Support Service for Microsoft Terminal Services (MTS);c:\lonworks\bin\LnsMtsSvc.exe [2005-04-06 57400]
R2 MaxImIO;MaxIm Port I/O;c:\windows\system32\Drivers\maximio.sys [2005-06-01 7610]
R2 ni488enumsvc;NI-488.2 Enumeration Service;c:\windows\system32\nipalsm.exe [2007-02-16 12696]
R2 niarbk;niarbk;c:\windows\system32\drivers\niarbk.dll [2007-04-16 37376]
R2 nibffrk;nibffrk;c:\windows\system32\drivers\nibffrk.dll [2007-04-16 21504]
R2 Nidaq32k;Nidaq32k;c:\windows\system32\drivers\Nidaq32k.sys [2007-04-16 674304]
R2 nidevldu;NI Device Loader;c:\windows\system32\nipalsm.exe [2007-02-16 12696]
R2 nidmmk;NI DMM and Data Logger Kernel Driver;c:\windows\system32\drivers\nidmmk.dll [2007-04-16 50688]
R2 niembrtk;niembrtk;c:\windows\system32\drivers\niembrtk.sys [2004-07-08 30720]
R2 nimdsk;nimdsk;c:\windows\system32\drivers\nimdsk.dll [2007-04-16 30208]
R2 nipxirmk;nipxirmk;\??\c:\windows\system32\drivers\nipxirmkl.sys [2007-02-22 11552]
R2 niRTProxy;niRTProxy;c:\windows\system32\RTProxy.exe c:\windows\system32\RTProxy.exe -s []
R2 nistck;nistck;c:\windows\system32\drivers\nistck.dll [2007-04-16 111616]
R2 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiKl.sys [2007-07-19 11360]
R2 VPCAppSv;Virtual PC Application Services;c:\windows\system32\DRIVERS\VPCAppSv.sys [2002-05-20 10374]
R3 EMCR;EMCR;c:\windows\system32\DRIVERS\EMCR7SK.sys [2007-06-05 68480]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [2008-02-26 29183504]
R3 nidimk;nidimk;\??\c:\windows\system32\drivers\nidimkl.sys [2007-07-12 11360]
R3 niesrk;niesrk;\??\c:\windows\system32\drivers\niesrkl.sys [2007-07-24 11336]
R3 nimru2k;nimru2k;\??\c:\windows\system32\drivers\nimru2kl.sys [2007-07-24 11360]
R3 nimstsk;nimstsk;\??\c:\windows\system32\drivers\nimstskl.sys [2007-07-13 11360]
R3 nixsrk;nixsrk;\??\c:\windows\system32\drivers\nixsrkl.sys [2007-07-24 11336]
S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\Drivers\FTD2XX.sys [2005-02-28 29404]
S3 hpusbwdm;HP DVD Movie Writer dc3000/dc4000;c:\windows\system32\DRIVERS\hpusbwdm.sys [2004-01-05 1080832]
S3 LdvxBroker;Echelon xDriver Connection Broker;c:\lonworks\bin\LdvxBroker.exe [2005-04-06 57402]
S3 lvalarmk;lvalarmk;\??\c:\windows\system32\drivers\lvalarmk.sys [2007-01-11 20256]
S3 ni1006k;NI PXI-1006 Chassis Pilot;\??\c:\windows\system32\drivers\ni1006k.sys [2007-02-22 25888]
S3 ni1045k;NI PXI-1045 Chassis Pilot;\??\c:\windows\system32\drivers\ni1045kl.sys [2007-02-22 11552]
S3 ni1065k;NI PXIe-1065 Chassis Pilot;\??\c:\windows\system32\drivers\ni1065k.sys [2007-05-25 22360]
S3 ni488lock;NI-488.2 Locking Service;\??\c:\windows\system32\drivers\ni488lock.sys [2007-02-26 16672]
S3 nicdrk;nicdrk;\??\c:\windows\system32\drivers\nicdrkl.sys [2007-07-15 11352]
S3 nidmxfk;nidmxfk;\??\c:\windows\system32\drivers\nidmxfkl.sys [2007-07-13 11336]
S3 nidsark;nidsark;\??\c:\windows\system32\drivers\nidsarkl.sys [2007-07-19 11344]
S3 nidwgk;nidwgk;\??\c:\windows\system32\drivers\nidwgkl.sys [2007-02-23 11552]
S3 niemrk;niemrk;\??\c:\windows\system32\drivers\niemrkl.sys [2007-07-24 11336]
S3 niemrkw;niemrkw;c:\windows\system32\DRIVERS\niemrkw.sys [2007-09-18 11336]
S3 nifslk;nifslk;\??\c:\windows\system32\drivers\nifslkl.sys [2007-07-15 11352]
S3 nigplk;nigplk;\??\c:\windows\system32\drivers\nigplkl.sys [2007-02-23 11552]
S3 nihsdrk;nihsdrk;\??\c:\windows\system32\drivers\nihsdrkl.sys [2007-07-24 11352]
S3 nimsdrk;nimsdrk;\??\c:\windows\system32\drivers\nimsdrkl.sys [2007-07-18 11392]
S3 nimslk;nimslk;\??\c:\windows\system32\drivers\nimslk.dll [2007-06-20 14464]
S3 nimsrlk;nimsrlk;\??\c:\windows\system32\drivers\nimsrlk.dll [2007-06-20 151683]
S3 nimxpk;nimxpk;\??\c:\windows\system32\drivers\nimxpkl.sys [2007-07-13 11368]
S3 ninshsdk;ninshsdk;\??\c:\windows\system32\drivers\ninshsdkl.sys [2007-07-19 11360]
S3 nipalfwedl;nipalfwedl;c:\windows\system32\drivers\nipalfwedl.sys [2007-07-18 11904]
S3 nipalusbedl;nipalusbedl;c:\windows\system32\drivers\nipalusbedl.sys [2007-07-18 11896]
S3 nipsdk;nipsdk;\??\c:\windows\system32\drivers\nipsdkl.sys [2007-07-24 11552]
S3 nipxigpk;NI PXI Generic Chassis Pilot;\??\c:\windows\system32\drivers\nipxigpk.sys [2007-02-22 20768]
S3 nirfsa2k;nirfsa2k;\??\c:\windows\system32\drivers\nirfsa2kl.sys [2007-06-30 11552]
S3 niscdk;niscdk;\??\c:\windows\system32\drivers\niscdkl.sys [2007-07-19 11376]
S3 nisdigk;nisdigk;\??\c:\windows\system32\drivers\nisdigkl.sys [2007-07-16 11352]
S3 nisftk;nisftk;\??\c:\windows\system32\drivers\nisftkl.sys [2007-07-16 11344]
S3 nisldk;nisldk;\??\c:\windows\system32\drivers\nisldkl.sys [2007-06-15 11624]
S3 nispdk;nispdk;\??\c:\windows\system32\drivers\nispdkl.sys [2007-07-19 11376]
S3 nisrcdk;nisrcdk;\??\c:\windows\system32\drivers\nisrcdkl.sys [2007-06-01 11552]
S3 nissrk;nissrk;\??\c:\windows\system32\drivers\nissrkl.sys [2007-07-24 11336]
S3 nistc2k;nistc2k;\??\c:\windows\system32\drivers\nistc2kl.sys [2007-07-15 11312]
S3 nistcrk;nistcrk;\??\c:\windows\system32\drivers\nistcrkl.sys [2007-07-15 11360]
S3 niswdk;niswdk;\??\c:\windows\system32\drivers\niswdkl.sys [2007-07-17 11336]
S3 nitiork;nitiork;\??\c:\windows\system32\drivers\nitiorkl.sys [2007-07-18 11360]
S3 nitnr2k;nitnr2k;\??\c:\windows\system32\drivers\nitnr2kl.sys [2007-02-23 11552]
S3 NiViFWK;NI-VISA FireWire Driver;c:\windows\system32\drivers\NiViFWKl.sys [2007-07-19 11384]
S3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciKl.sys [2007-07-19 11360]
S3 niwdk;niwdk;c:\windows\system32\drivers\niwdk.sys [2007-07-14 19456]
S3 niwfrk;niwfrk;\??\c:\windows\system32\drivers\niwfrkl.sys [2007-07-24 11336]
S3 nixsrkw;nixsrkw;c:\windows\system32\DRIVERS\nixsrkw.sys [2007-07-24 11336]
S3 OM2800;USB2.0 PC Camera;c:\windows\system32\Drivers\ovtcam2.sys [2007-07-14 250343]
S3 pdaq;Personal Daq 55/56;c:\windows\system32\Drivers\pdaq.sys [2008-02-15 15360]
S3 usb6xxxk;usb6xxxk;\??\c:\windows\system32\drivers\usb6xxxkl.sys []
S3 usb6xxxkw;usb6xxxkw;c:\windows\system32\DRIVERS\usb6xxxkw.sys [2007-09-18 11312]
S4 LMIRfsClientNP;LMIRfsClientNP; []
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2005-09-23 2799808]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{21e27af9-1fd5-11dd-b22b-00904b47f55a}]
\Shell\AutoRun\command - E:\autorun.exe
\Shell\phone\command - E:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38f4fe88-9409-11dc-b171-00904b47f55a}]
\Shell\AutoRun\command - E:\InstallTomTomHOME.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{66bf31f6-bc3f-11dd-b262-005056c00008}]
\Shell\AutoRun\command - E:\InstallTomTomHOME.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca959636-98a3-11dd-b25a-005056c00008}]
\Shell\AutoRun\command - f:\portableapps\PortableAppsMenu\PortableAppsMenu.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PAVBOOT
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
mSearch Bar = hxxp://www.google.com/
mSearchMigratedDefaultURL = hxxp://www.google.com/
mSearchURL = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} -
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} -
FF - ProfilePath - c:\documents and settings\Craig\Application Data\Mozilla\Firefox\Profiles\gna66vox.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-amo&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/?.home=ytff
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPLV80Win32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPLV82Win32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nplv85win32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-22 11:43:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????h?M??????? ??TB???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 4.1\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 4.1\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(884)
c:\windows\system32\avgrsstx.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'lsass.exe'(1008)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2008-12-22 11:48:52
ComboFix-quarantined-files.txt 2008-12-22 16:48:07
ComboFix2.txt 2008-12-21 21:23:58
ComboFix3.txt 2008-12-18 18:01:30

Pre-Run: 5,749,035,008 bytes free
Post-Run: 5,731,360,768 bytes free

391 --- E O F --- 2008-12-18 16:39:38
-------------------------------------------------------------------------------------
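Added here as a triage aid, not code from the thread or from ComboFix: a small Python script that reads lines in the ComboFix log format shown above and flags the patterns this thread is about (a runnable file sitting directly in a drive root such as c:\svchost.exe or c:\bt.bat, a file named like a core Windows binary outside the Windows directory, and mountpoints2 AutoRun commands). The sample log text inside it is constructed for the example and the Run-key value and GUID in it are placeholders.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Names that legitimately live under the Windows directory; a copy elsewhere
# (c:\svchost.exe in this thread) is worth a second look.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
RUNNABLE_EXTS = (".exe", ".bat", ".cmd", ".com", ".pif", ".scr", ".vbs", ".js", ".hta")

# First drive-letter path on a line; stops at a quote or at the "[date size]" suffix
# ComboFix appends to Run-key entries.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\[\]]*")
# mountpoints2 entries look like:  \Shell\AutoRun\command - E:\autorun.exe
AUTORUN_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command - (?P<cmd>.+)$")


@dataclass(frozen=True)
class Finding:
    kind: str   # "root_runnable", "system_name_outside_windows" or "autorun_command"
    path: str
    line: str   # the log line that produced the finding


def extract_path(line: str) -> Optional[str]:
    """Pull the first drive-letter path out of a ComboFix log line, if any."""
    m = PATH_RE.search(line)
    return m.group(0).strip() if m else None


def classify_path(path: str) -> list[str]:
    """Return the reasons one path looks suspicious (empty list if none)."""
    low = path.lower()
    parts = [p for p in low.split("\\") if p]
    name = parts[-1]
    reasons: list[str] = []
    # c:\svchost.exe, c:\bt.bat, c:\testfile.bat: a runnable file directly in a drive root.
    if len(parts) == 2 and name.endswith(RUNNABLE_EXTS):
        reasons.append("root_runnable")
    # A core Windows binary name that does not sit anywhere under \windows\.
    if name in SYSTEM_BINARIES and "\\windows\\" not in low:
        reasons.append("system_name_outside_windows")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Scan every line of a ComboFix-style log and collect findings in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = AUTORUN_RE.match(line)
        if m:
            # Removable-media autorun is reported on its own; autorun.exe in the root
            # of a CD is normal, so it is not also run through classify_path().
            findings.append(Finding("autorun_command", m.group("cmd"), line))
            continue
        path = extract_path(line)
        if path is None:
            continue
        for kind in classify_path(path):
            findings.append(Finding(kind, path, line))
    return findings


# Constructed sample in the ComboFix layout seen in this thread (not a real log).
SAMPLE_LOG = r"""
FILE ::
C:\bt.bat
c:\svchost.exe
C:\testfile.bat
.
(((((((((( Files Created from 2008-11-22 to 2008-12-22 ))))))))))
.
2008-12-20 00:05 . 2008-12-20 00:05 <DIR> d--h----- c:\windows\PIF
2008-12-19 17:05 . 2008-12-19 17:04 410,984 --a------ c:\windows\system32\deploytk.dll
2008-11-26 18:49 . 2008-11-26 18:55 566 --a------ C:\Virus112608_disablesfirewall.zip

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"svchost"="c:\svchost.exe" [2008-12-19 12345]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{PLACEHOLDER-GUID}]
\Shell\AutoRun\command - E:\autorun.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:28} {f.path:40} <- {f.line}")
```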

#7 cbedward

cbedward
  • Topic Starter

  • Members
  • 7 posts
  • Local time:05:26 AM

Posted 22 December 2008 - 07:43 PM

BitDefender log attached...


#8 mas_pogi

mas_pogi

    Carpal Tunnel of Love


  • Members
  • 1,473 posts
  • Gender:Male
  • Location:Tokyo, JP
  • Local time:06:26 AM

Posted 23 December 2008 - 12:30 AM

hi.


How's your computer now?


Mark

#9 cbedward

cbedward
  • Topic Starter

  • Members
  • 7 posts
  • Local time:05:26 AM

Posted 23 December 2008 - 12:53 AM

It appears to be fine. I haven't seen a recurrence of the virus all day. (Of course I thought that a couple of days ago...about 2 minutes later it came back!)

I just did a registry search for c:\SVCHOST.exe. Doing that search used to be a near guarantee of bringing back the virus. But nothing seems to have happened. :thumbsup:

Is there something in the logs that points to what it was?

Is there something more I can be doing to protect myself? I run AVG Free, SpyBot, and run the free version of MalwareBytes periodically.

Thanks (hopefully not prematurely) so much for your help!

#10 mas_pogi

mas_pogi

    Carpal Tunnel of Love


  • Members
  • 1,473 posts
  • Gender:Male
  • Location:Tokyo, JP
  • Local time:06:26 AM

Posted 23 December 2008 - 06:35 PM

hi.

I have a few questions before I give you my final instructions.

When I ran ComboFix, it seemed to work, but there is a second DOS window which contains:

The process cannot access the file because it is being used by another process.
FINDSTR: Cannot read strings from ForeignWht
The process cannot access the file because it is being used by another process.

The window remained even after ComboFix completed.


Did you manually close the second DOS window?
In our first run with combofix.exe, did this happen also?

Mark

#11 cbedward

cbedward
  • Topic Starter

  • Members
  • 7 posts
  • Local time:05:26 AM

Posted 23 December 2008 - 07:28 PM

ComboFix did not give that error the first time we ran it.

I eventually closed the window manually after ComboFix was done running and it was obvious it wasn't going to close it.

...Still no recurrence of the problem. :thumbsup:

#12 mas_pogi

mas_pogi

    Carpal Tunnel of Love


  • Members
  • 1,473 posts
  • Gender:Male
  • Location:Tokyo, JP
  • Local time:06:26 AM

Posted 23 December 2008 - 07:32 PM

Hello cbedward.


ComboFix did not give that error the first time we ran it.

I eventually closed the window manually after ComboFix was done running and it was obvious it wasn't going to close it.

Thanks for the info.

Please reply after you finish all the steps below so that we can close this thread. If you are having any issues, let me know.

Congratulations! You now appear clean! :thumbsup:

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

We Need to Clean Up Our Mess
  • Uninstall ComboFix
    Remove Combofix now that we're done with it.
    • Click on your Start Menu, then Run....
    • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
    • When shown the disclaimer, Select "2"
    Uninstalling ComboFix will do the following:
    • Delete ComboFix and its components from your computer.
    • Delete other tools commonly used during the malware removal process.
    • Resets clock settings to standard format.
    • Hides file extensions and hidden/system files.
    • Clears System Restore cache and creates new restore point.
  • Please also delete the RSIT.exe located at your desktop. And delete C:\RSIT folder also.
Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install and maintain an outbound firewall

  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.

  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file

  • Install an Anti-Spyware program, and update it regularly
    Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.

  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    Visit the Microsoft Update Website and follow the on screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.

  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :).
Maraming salamat.
Mark

#13 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:12:26 PM

Posted 24 December 2008 - 07:12 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.