RED CIRCLE WHITE X IN TOOLBAR


This topic is locked
15 replies to this topic

#1 sledneck8 (Members, 8 posts)

Posted 21 January 2009 - 01:14 PM

HERE IS MY LOG FROM HIJACKTHIS

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:02:52 PM, on 1/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\PRISMSVC.EXE
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\runsql.exe
C:\WINDOWS\sv.exe
C:\WINDOWS\svzip.exe
C:\WINDOWS\svhoster.exe
C:\WINDOWS\vlc.exe
C:\WINDOWS\wdmon.exe
C:\WINDOWS\svx.exe
C:\WINDOWS\svw.exe
C:\WINDOWS\svc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\HP\Dfawep\bin\hpbwepdelay.exe
C:\WINDOWS\odb.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\sorry.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {59d31a12-745b-47ff-8454-671658f5f738} - C:\WINDOWS\system32\hahohetu.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [e814a638] rundll32.exe "C:\WINDOWS\system32\jotelawe.dll",b
O4 - HKLM\..\Run: [odb] C:\WINDOWS\odb.exe
O4 - HKLM\..\Run: [UpdateWin] C:\WINDOWS\system32\2052l.exe
O4 - HKLM\..\Run: [runsql] C:\WINDOWS\runsql.exe
O4 - HKLM\..\Run: [netsv32] C:\WINDOWS\sv.exe
O4 - HKLM\..\Run: [netzip] C:\WINDOWS\svzip.exe
O4 - HKLM\..\Run: [net64] C:\WINDOWS\svhoster.exe
O4 - HKLM\..\Run: [vlc] C:\WINDOWS\vlc.exe
O4 - HKLM\..\Run: [wdmon] C:\WINDOWS\wdmon.exe
O4 - HKLM\..\Run: [netx] C:\WINDOWS\svx.exe
O4 - HKLM\..\Run: [netw] C:\WINDOWS\svw.exe
O4 - HKLM\..\Run: [netc] C:\WINDOWS\svc.exe
O4 - HKLM\..\Run: [rirojigavu] Rundll32.exe "C:\WINDOWS\system32\dahihiwi.dll",s
O4 - HKLM\..\Run: [CPMeb2795a4] Rundll32.exe "c:\windows\system32\tunayiri.dll",a
O4 - HKLM\..\RunServices: [UpdateWin] C:\WINDOWS\system32\2052l.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [UpdateWin] C:\WINDOWS\system32\2052l.exe
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O4 - HKCU\..\RunServices: [UpdateWin] C:\WINDOWS\system32\2052l.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI05E6~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://lt-sbs1/ConnectComputer/nshelp.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = landtech.local
O17 - HKLM\Software\..\Telephony: DomainName = landtech.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = landtech.local
O20 - AppInit_DLLs: C:\WINDOWS\system32\vasidifu.dll C:\WINDOWS\system32\kokemabo.dll c:\windows\system32\wojukoro.dll C:\WINDOWS\system32\risowupa.dll c:\windows\system32\tunayiri.dll
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tunayiri.dll (file missing)
O22 - SharedTaskScheduler: IPC Configuration Utility - IPC Configuration Utility - (no file)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tunayiri.dll (file missing)
O22 - SharedTaskScheduler: Windows Installer Class - {020487CC-FC04-4B1E-863F-D9801796230B} - C:\DOCUME~1\ehughes\LOCALS~1\Temp\wndutl32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10029 bytes
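Added example, not part of the original thread and not code from HijackThis, BleepingComputer or any vendor: a small Python triage pass over the entry types that carry persistence in the log above (F2 UserInit, O4 Run values, O7 policy, O20 AppInit_DLLs, and O2/O21/O22 shell extensions). The rule names, the consonant-vowel name heuristic and the other thresholds are the author's own assumptions; the sample lines are a subset copied from the posted log.

```python
"""Heuristic triage of HijackThis-style log lines for persistence indicators.

Added example (assumptions throughout): not HijackThis, BleepingComputer or
vendor code. The rules below are illustrative heuristics, not signatures.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (HJT section, rule, evidence)

# Sample input: a subset of lines copied from the posted log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\sorry.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {59d31a12-745b-47ff-8454-671658f5f738} - C:\WINDOWS\system32\hahohetu.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [e814a638] rundll32.exe "C:\WINDOWS\system32\jotelawe.dll",b
O4 - HKLM\..\Run: [netsv32] C:\WINDOWS\sv.exe
O4 - HKLM\..\Run: [UpdateWin] C:\WINDOWS\system32\2052l.exe
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\vasidifu.dll C:\WINDOWS\system32\kokemabo.dll
O22 - SharedTaskScheduler: Windows Installer Class - {020487CC-FC04-4B1E-863F-D9801796230B} - C:\DOCUME~1\ehughes\LOCALS~1\Temp\wndutl32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# Heuristics (assumed thresholds):
# the generated names in the log alternate consonant/vowel (hahohetu, jotelawe).
CV_NAME = re.compile(r"(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4,5}")
HEX_NAME = re.compile(r"[0-9a-f]{8,}")                      # Run value like e814a638
WINDIR_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE)
TEMP_PATH = re.compile(r"\\temp\\", re.IGNORECASE)
O4_LINE = re.compile(r"^O4 - (\S+): \[([^\]]+)\] (.*)$")
DLL_IN_LINE = re.compile(r'([^\s"]+\.dll)', re.IGNORECASE)


def stem(path: str) -> str:
    """Lower-case file name without directory or extension."""
    name = path.strip().strip('"').split("\\")[-1]
    return name.rsplit(".", 1)[0].lower()


def first_path(target: str) -> str:
    """Program path from an O4 target, honouring a quoted path."""
    target = target.strip()
    if target.startswith('"'):
        return target[1:].split('"', 1)[0]
    parts = target.split()
    return parts[0] if parts else ""


def userinit_extras(lines: List[str]) -> List[str]:
    """Entries in the F2 UserInit value besides the real system32\\userinit.exe."""
    extras: List[str] = []
    for line in lines:
        if "UserInit=" not in line:
            continue
        for entry in line.split("UserInit=", 1)[1].split(","):
            entry = entry.strip()
            if entry and not entry.lower().endswith(r"\system32\userinit.exe"):
                extras.append(entry)
    return extras


def triage(log_text: str) -> List[Finding]:
    """Return one finding per matched rule; a line may yield several."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    extras = userinit_extras(lines)
    extra_stems = {stem(e) for e in extras}
    findings: List[Finding] = [("F2", "extra UserInit entry", e) for e in extras]

    for line in lines:
        section = line.split(" ", 1)[0]
        if section == "O4":
            m = O4_LINE.match(line)
            if not m:
                continue
            _hive, name, target = m.groups()
            if HEX_NAME.fullmatch(name.lower()):
                findings.append(("O4", "hex-named Run value", name))
            path = first_path(target)
            if target.lower().startswith("rundll32"):
                dll = DLL_IN_LINE.search(target)
                if dll and CV_NAME.fullmatch(stem(dll.group(1))):
                    findings.append(("O4", "rundll32 loads random-named DLL", dll.group(1)))
            elif WINDIR_ROOT_EXE.match(path):
                findings.append(("O4", "exe directly under %WINDIR%", path))
            if stem(path) in extra_stems:          # cross-check against F2
                findings.append(("O4", "target also injected via UserInit", path))
            if TEMP_PATH.search(target):
                findings.append(("O4", "runs from a Temp folder", path))
        elif section in ("O2", "O21", "O22"):
            if "(file missing)" in line:
                findings.append((section, "registered module missing on disk", line))
            dll = DLL_IN_LINE.search(line)
            if dll and CV_NAME.fullmatch(stem(dll.group(1))):
                findings.append((section, "random-named DLL", dll.group(1)))
            if TEMP_PATH.search(line):
                findings.append((section, "module loaded from a Temp folder",
                                 dll.group(1) if dll else line))
        elif section == "O7" and "DisableRegedit=1" in line:
            findings.append(("O7", "registry editor disabled by policy", line))
        elif section == "O20" and "AppInit_DLLs:" in line:
            for dll_path in line.split("AppInit_DLLs:", 1)[1].split():
                findings.append(("O20", "AppInit_DLLs injection", dll_path))
    return findings


if __name__ == "__main__":
    for section, rule, evidence in triage(SAMPLE_LOG):
        print(f"{section:<4} {rule:<40} {evidence}")
```

On the sample above the pass flags the two extra UserInit executables, the HKCU Run value that re-launches one of them, the hex-named rundll32 entry and its DLL, `C:\WINDOWS\sv.exe`, the missing `hahohetu.dll`, the DisableRegedit policy, both AppInit_DLLs and the SharedTaskScheduler module in a Temp folder. It does not flag `C:\WINDOWS\system32\2052l.exe`, which SDFix later deleted, so a heuristic pass like this is a prompt for verification (file hashes, signer, vendor scan), not a verdict.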

#2 mas_pogi (Carpal Tunnel of Love; Members, 1,473 posts; Tokyo, JP)

Posted 23 January 2009 - 08:21 AM

Hello sledneck8,

Welcome to Bleeping Computer.

My name is mas_pogi and I will be helping you with your Malware problem.
As I am still in training I will be helping you under supervision of our expert teachers, so there may be a delay between posts.

Attention!

Please do not run any other tool until instructed to do so.
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.
Please reply to this thread, do not start another.




You might want to save this page in your bookmarks, so you can find it again when you return.

Firefox: (image) then click on Done.

IExplorer: (image) then click on Add.

Stay calm and everything will be just alright.



I will be analyzing your log. I will get back to you with instructions after it is approved.

With Regards,
mas_pogi

Edited by mas_pogi, 23 January 2009 - 08:24 AM.


#3 sledneck8 (Topic Starter; Members, 8 posts)

Posted 23 January 2009 - 09:15 AM

Thank you, I am on-line and ready to go when you are,

sledneck8

#4 sledneck8 (Topic Starter; Members, 8 posts)

Posted 23 January 2009 - 11:34 AM

Hello again,

I am leaving and will not be back until Monday a.m., I look forward to dealing with this then, good luck in your findings,

sledneck8

#5 mas_pogi (Carpal Tunnel of Love; Members, 1,473 posts; Tokyo, JP)

Posted 24 January 2009 - 11:43 PM

hi.

Sorry for the slight delay. Please post back after you have returned.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you want to proceed, please follow the instructions below;

  • Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
    When using this tool, you must use the Administrator's account or an account with "Administrative rights"
    • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
    • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
    • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
    • Please copy and paste the contents of Report.txt in your next reply.
    • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
    -- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

  • Please download Malwarebytes Anti-Malware and save it to your desktop.
    • Make sure you are connected to the Internet.
    • Double-click on mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    • On the Scanner tab:
      • Make sure the "Perform Quick Scan" option is selected.
      • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply and exit MBAM.
    Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


  • Please do a scan with Kaspersky Online Scanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.
    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete, click on View scan report
    • Now, click on the Save Report as button.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.
    • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt.
In your reply, please post

SDfix's report.txt
MBAM's result
Kaspersky scan result
RSIT's log.txt and info.txt


Mark

#6 sledneck8 (Topic Starter; Members, 8 posts)

Posted 26 January 2009 - 01:25 PM

Hello,

I have run the 4 programs you requested. The computer is working much smoother: no red circle with x, no warnings, etc.

SDFix log:

SDFix: Version 1.240
Run by EHughes on Mon 01/26/2009 at 10:14 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat - Contains Links to Malware Sites! - Deleted
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat - Contains Links to Malware Sites! - Deleted
C:\WINDOWS\system32\2052l.exe - Deleted
C:\Documents and Settings\LocalService\Application Data\twain_32\user.ds - Deleted
C:\WINDOWS\system32\a.exe - Deleted
C:\WINDOWS\runsql.exe - Deleted
C:\WINDOWS\sv.exe - Deleted
C:\WINDOWS\svc.exe - Deleted
C:\WINDOWS\svhoster.exe - Deleted
C:\WINDOWS\svw.exe - Deleted
C:\WINDOWS\svx.exe - Deleted
C:\WINDOWS\svzip.exe - Deleted
C:\WINDOWS\vlc.exe - Deleted
C:\WINDOWS\wdmon.exe - Deleted
C:\WINDOWS\system32\twain_32\local.ds - Deleted
C:\WINDOWS\system32\twain_32\user.ds - Deleted
C:\WINDOWS\system32\twain_32\user.ds.cla - Deleted
C:\WINDOWS\system32\twext.exe - Deleted



Folder C:\Documents and Settings\LocalService\Application Data\twain_32 - Removed
Folder C:\WINDOWS\system32\twain_32 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-26 10:24:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe:*:Enabled:QuickBooks 2006 Data Manager"
"C:\\Program Files\\IBackup for Windows\\ibackup_ssl_sch_947.exe"="C:\\Program Files\\IBackup for Windows\\ibackup_ssl_sch_947.exe:*:Enabled:ibackup_ssl_sch_947"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
"C:\\WINDOWS\\system32\\winlogon.exe"="C:\\WINDOWS\\system32\\winlogon.exe:*:Enabled:winlogon"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Explorer"
"C:\\DOCUME~1\\ehughes\\LOCALS~1\\Temp\\60325cahp25cas.exe"="C:\\DOCUME~1\\ehughes\\LOCALS~1\\Temp\\60325cahp25cas.exe:*:Enabled:Enabled"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Vembu\\StoreGrid\\bin\\StoreGrid.exe"="C:\\Program Files\\Vembu\\StoreGrid\\bin\\StoreGrid.exe:*:Disabled:StoreGrid"
"C:\\Program Files\\IBackup for Windows\\ibackup_ssl_sch_947.exe"="C:\\Program Files\\IBackup for Windows\\ibackup_ssl_sch_947.exe:*:Enabled:ibackup_ssl_sch_947"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"D:\\Temp\\InstEng\\Setup.exe"="D:\\Temp\\InstEng\\Setup.exe:*:Enabled:Hewlett-Packard Installer"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Explorer"
"C:\\WINDOWS\\system32\\winlogon.exe"="C:\\WINDOWS\\system32\\winlogon.exe:*:Enabled:winlogon"
"C:\\WINDOWS\\system32\\bcmwltry.exe"="C:\\WINDOWS\\system32\\bcmwltry.exe:*:Enabled:bcmwltry"
"C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"="C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe:*:Enabled:wmiprvse"
"C:\\Program Files\\Tracker Software\\PDF-XChange 3\\pdfSaver\\pdfSaver3.exe"="C:\\Program Files\\Tracker Software\\PDF-XChange 3\\pdfSaver\\pdfSaver3.exe:*:Enabled:pdfSaver3"
"C:\\WINDOWS\\system32\\cmd.exe"="C:\\WINDOWS\\system32\\cmd.exe:*:Enabled:cmd"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 23 Jan 2009 48,640 ..SHR --- "C:\WINDOWS\system32\3076v.exe"
Wed 21 Jan 2009 50,176 ..SHR --- "C:\WINDOWS\system32\AcSignExtResl.exe"
Wed 21 Jan 2009 48,640 ..SHR --- "C:\WINDOWS\system32\adptifh.exe"
Mon 22 Dec 2008 65,659 A.SH. --- "C:\WINDOWS\system32\fatalofi.dll"
Fri 29 Sep 2006 88 ..SHR --- "C:\WINDOWS\system32\FDF05039E5.sys"
Fri 29 Sep 2006 3,350 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Thu 18 Dec 2008 89,742 A.SH. --- "C:\WINDOWS\system32\kirojowe.dll"
Thu 18 Dec 2008 95,375 A.SH. --- "C:\WINDOWS\system32\vipanezo.dll"
Thu 8 Jan 2009 41,472 ..SHR --- "C:\Documents and Settings\Rmartin\Local Settings\Application Data\AcSignOptd.exe"
Wed 4 Aug 2004 14,336 ..SHR --- "C:\Documents and Settings\Rmartin\Local Settings\Application Data\adsldpb.exe"
Wed 3 Aug 2005 21,504 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\LANDTECH\2005 corres\~WRL2122.tmp"
Wed 15 Feb 2006 19,456 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\LANDTECH\LER\~WRL3197.tmp"
Wed 21 Sep 2005 21,504 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\PROJECTS\04251\~WRL1677.tmp"
Wed 21 Sep 2005 21,504 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\PROJECTS\04251\~WRL3188.tmp"
Tue 6 Feb 2007 31,232 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\PROJECTS\06207\~WRL0810.tmp"
Thu 1 Feb 2007 19,968 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\PROJECTS\06207\~WRL2356.tmp"
Fri 23 Feb 2007 25,088 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\PROJECTS\06237\~WRL2622.tmp"
Fri 20 Dec 2002 23,552 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\Archives\1998\98253\~WRL1005.tmp"
Thu 22 Jul 1999 25,600 A..HR --- "C:\Documents and Settings\Land Tech\My Documents\Archives\1998\98290\~WRL0718.tmp"
Thu 28 Jan 1999 22,016 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\Archives\1999\99104\~WRL0001.tmp"
Thu 19 May 2005 19,968 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\Archives\1999\99188\~WRL0441.tmp"
Thu 19 May 2005 19,456 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\Archives\1999\99188\~WRL3305.tmp"
Wed 7 Dec 2005 19,968 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\Archives\2002\02139\~WRL0477.tmp"
Tue 25 Oct 2005 20,992 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\Archives\2003\03120\~WRL3909.tmp"
Mon 12 Sep 2005 25,600 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\Archives\2004\04129\~WRL2449.tmp"
Thu 30 Sep 2004 70,656 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\Archives\2004\04208\~WRL0004.tmp"
Fri 1 Oct 2004 22,528 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\Archives\2004\04208\~WRL0254.tmp"
Fri 1 Oct 2004 22,528 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\Archives\2004\04208\~WRL0960.tmp"
Fri 1 Oct 2004 21,504 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\Archives\2004\04208\~WRL2163.tmp"
Tue 25 Oct 2005 24,064 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\Archives\2004\04243\~WRL1306.tmp"
Tue 25 Oct 2005 22,016 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\Archives\2004\04243\~WRL2005.tmp"
Wed 21 Sep 2005 21,504 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\Archives\2004\04251\~WRL1677.tmp"
Wed 21 Sep 2005 21,504 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\Archives\2004\04251\~WRL3188.tmp"
Tue 26 Jul 2005 20,480 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\Archives\2005\05104\~WRL2103.tmp"
Wed 24 Aug 2005 21,504 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\Archives\2005\05104\~WRL2802.tmp"
Wed 19 Oct 2005 24,576 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\Archives\2005\05144\~WRL2259.tmp"
Wed 14 Sep 2005 22,528 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\Archives\2005\05146\~WRL1463.tmp"
Tue 11 Oct 2005 22,016 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\Archives\2005\05148\~WRL0994.tmp"
Tue 28 Mar 2006 31,232 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\Archives\2005\05258\~WRL3004.tmp"
Thu 18 May 2006 28,672 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\Archives\2005\05280\~WRL2094.tmp"
Thu 7 Dec 2006 56,320 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\Archives\2006\06148\~WRL0004.tmp"
Thu 7 Dec 2006 55,808 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\Archives\2006\06148\~WRL3516.tmp"
Thu 4 Jan 2007 29,696 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\Archives\2006\06243\~WRL0474.tmp"
Mon 15 Nov 2004 19,456 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\LANDTECH\Proj_Mgt\project mgmt forms\~WRL2421.tmp"
Mon 15 Nov 2004 23,552 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\LANDTECH\Proj_Mgt\project mgmt forms\~WRL3269.tmp"
Thu 12 Oct 2006 34,816 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\PROJECTS\06185\Archive as of 12-20-06\~WRL0005.tmp"
Mon 14 Nov 2005 34,816 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\Archives\1992\92147\92147-25\~WRL3200.tmp"
Thu 2 Jan 2003 19,968 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\LANDTECH\LER\ler\front desk procedures\~WRL1944.tmp"
Tue 19 Oct 2004 69,632 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\PROJECTS\03176\ssd_dwg\LOT 10-1\~WRL0001.tmp"
Tue 19 Oct 2004 69,632 A..H. --- "C:\Documents and Settings\Land Tech\My Documents\Archives\2003\03176\ssd_dwg\LOT 10-1\~WRL0001.tmp"

Finished!

--------------------------------------------------------------------------------------

MBAM result:

Malwarebytes' Anti-Malware 1.33
Database version: 1695
Windows 5.1.2600 Service Pack 2

1/26/2009 10:42:15 AM
mbam-log-2009-01-26 (10-42-15).txt

Scan type: Quick Scan
Objects scanned: 78143
Time elapsed: 10 minute(s), 37 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 8
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 11

Memory Processes Infected:
C:\WINDOWS\odb.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59d31a12-745b-47ff-8454-671658f5f738} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{59d31a12-745b-47ff-8454-671658f5f738} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{020487cc-fc04-4b1e-863f-d9801796230b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e814a638 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rirojigavu (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmeb2795a4 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{020487cc-fc04-4b1e-863f-d9801796230b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\odb (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\kirojowe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ewojorik.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\adptifh.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vipanezo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fatalofi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wsnpoem\video.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\odb.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\ehughes\Application Data\casino.exe (Adware.Casino) -> Quarantined and deleted successfully.
C:\Documents and Settings\ehughes\Application Data\config.cfg (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\ehughes\Application Data\~tmp.html (Malware.Trace) -> Quarantined and deleted successfully.

--------------------------------------------------------------------------------------------------------------------


KASPERSKY ONLINE SCANNER 7 REPORT
Monday, January 26, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, January 26, 2009 13:00:13
Records in database: 1698223


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\
L:\

Scan statistics
Files scanned 123239
Threat name 12
Infected objects 13
Suspicious objects 1
Duration of the scan 02:14:06

File name Threat name Threats count
C:\Documents and Settings\ehughes\My Documents\hughes backup 082607.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1

C:\Documents and Settings\Rmartin\Local Settings\Application Data\AcSignOptd.exe Infected: Worm.Win32.Pinit.gen 1

C:\Documents and Settings\Rmartin\Local Settings\Temporary Internet Files\Content.IE5\9V8BV6VB\interno-porn[1].htm Infected: Trojan-Downloader.JS.Iframe.adv 1

C:\SDFix\backups\backups.zip Infected: Worm.Win32.Pinit.gen 2

C:\SDFix\backups\backups.zip Infected: Backdoor.Win32.Hupigon.fmtm 1

C:\SDFix\backups\backups.zip Infected: Backdoor.Win32.Hupigon.fmvv 1

C:\SDFix\backups\backups.zip Infected: Trojan-Clicker.Win32.Osewlone.as 1

C:\SDFix\backups\backups.zip Infected: Trojan-Downloader.Win32.Agent.bcnh 1

C:\SDFix\backups\backups.zip Infected: Backdoor.Win32.Agent.abcf 1

C:\SDFix\backups\catchme.zip Infected: Trojan-Spy.Win32.Zbot.lgm 1

C:\WINDOWS\tmp6373394.log Infected: Virus.Win32.AutoRun.aku 1

C:\WINDOWS\tmp7605500.log Infected: Trojan-Clicker.Win32.Osewlone.ap 1

C:\WINDOWS\tmp8937726.log Infected: Trojan.Win32.Monderc.o 1

The scan was stopped by the user.
(I stopped because it moved on to another networked computer)

---------------------------------------------------------------------------------------------------------------------------


RSIT log:

Logfile of random's system information tool 1.05 (written by random/random)
Run by Ehughes at 2009-01-26 13:16:13
Microsoft Windows XP Professional Service Pack 2
System drive C: has 47 GB (65%) free of 73 GB
Total RAM: 1022 MB (54% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:16:31 PM, on 1/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\PRISMSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Dfawep\bin\hpbwepdelay.exe
C:\Documents and Settings\ehughes\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Ehughes.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI05E6~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://lt-sbs1/ConnectComputer/nshelp.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = landtech.local
O17 - HKLM\Software\..\Telephony: DomainName = landtech.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = landtech.local
O20 - AppInit_DLLs: C:\WINDOWS\system32\vasidifu.dll C:\WINDOWS\system32\kokemabo.dll c:\windows\system32\wojukoro.dll C:\WINDOWS\system32\risowupa.dll c:\windows\system32\tunayiri.dll
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O22 - SharedTaskScheduler: IPC Configuration Utility - IPC Configuration Utility - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7841 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll [2007-07-12 501136]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe [2007-07-12 132496]
"SigmatelSysTrayApp"=C:\WINDOWS\stsystra.exe [2005-03-22 339968]
"IAAnotif"=C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [2005-06-17 139264]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2006-04-24 98304]
"ISUSPM Startup"=C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe [2005-06-10 249856]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-06-10 81920]
"SSBkgdUpdate"=C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [2003-10-14 155648]
"PaperPort PTD"=C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe [2004-04-14 57393]
"IndexSearch"=C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe [2004-04-14 40960]
"MSKDetectorExe"=C:\Program Files\McAfee\SpamKiller\MSKDetct.exe [2005-08-12 1121792]
"Drag'n'Drop_Autolaunch"=C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe [2003-01-30 86016]
"AVG7_CC"=C:\PROGRA~1\Grisoft\AVG7\avgcc.exe [2008-10-20 590848]
"hpbdfawep"=C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe [2006-07-12 626688]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"pdfSaver3"= []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-10-13 1694208]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE
Wireless USB 2.0 WLAN Card Utility.lnk - C:\Program Files\Dell Wireless\PRISMCFG.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINDOWS\system32\vasidifu.dll C:\WINDOWS\system32\kokemabo.dll c:\windows\system32\wojukoro.dll C:\WINDOWS\system32\risowupa.dll c:\windows\system32\tunayiri.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgwlntf]
C:\WINDOWS\system32\avgwlntf.dll [2007-12-10 9216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PRISMAPI.DLL]
C:\WINDOWS\system32\PRISMAPI.DLL [2005-12-22 450646]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
IPC Configuration Utility - IPC Configuration Utility

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
C:\WINDOWS\system32\vasidifu.dll
C:\WINDOWS\system32\kokemabo.dll
C:\WINDOWS\system32\risowupa.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoWelcomeScreen"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
"C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe"="C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe:*:Enabled:QuickBooks 2006 Data Manager"
"C:\Program Files\IBackup for Windows\ibackup_ssl_sch_947.exe"="C:\Program Files\IBackup for Windows\ibackup_ssl_sch_947.exe:*:Enabled:ibackup_ssl_sch_947"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\Program Files\DNA\btdna.exe"="C:\Program Files\DNA\btdna.exe:*:Enabled:DNA"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Disabled:Internet Explorer"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"
"C:\DOCUME~1\ehughes\LOCALS~1\Temp\60325cahp25cas.exe"="C:\DOCUME~1\ehughes\LOCALS~1\Temp\60325cahp25cas.exe:*:Enabled:Enabled"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Vembu\StoreGrid\bin\StoreGrid.exe"="C:\Program Files\Vembu\StoreGrid\bin\StoreGrid.exe:*:Disabled:StoreGrid"
"C:\Program Files\IBackup for Windows\ibackup_ssl_sch_947.exe"="C:\Program Files\IBackup for Windows\ibackup_ssl_sch_947.exe:*:Enabled:ibackup_ssl_sch_947"
"C:\Program Files\Grisoft\AVG7\avginet.exe"="C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe"
"C:\Program Files\Grisoft\AVG7\avgamsvr.exe"="C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\Program Files\Grisoft\AVG7\avgcc.exe"="C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe"
"D:\Temp\InstEng\Setup.exe"="D:\Temp\InstEng\Setup.exe:*:Enabled:Hewlett-Packard Installer"
"C:\Program Files\DNA\btdna.exe"="C:\Program Files\DNA\btdna.exe:*:Enabled:DNA"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"
"C:\WINDOWS\system32\bcmwltry.exe"="C:\WINDOWS\system32\bcmwltry.exe:*:Enabled:bcmwltry"
"C:\WINDOWS\system32\wbem\wmiprvse.exe"="C:\WINDOWS\system32\wbem\wmiprvse.exe:*:Enabled:wmiprvse"
"C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"="C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe:*:Enabled:pdfSaver3"
"C:\WINDOWS\system32\cmd.exe"="C:\WINDOWS\system32\cmd.exe:*:Enabled:cmd"

======File associations======

.scr - open - "C:\WINDOWS\notepad.exe" "%1"
.scr - install -
.scr - config -

======List of files/folders created in the last 1 months======

2009-01-26 13:16:13 ----D---- C:\rsit
2009-01-26 10:34:14 ----D---- C:\WINDOWS\system32\CatRoot_bak
2009-01-26 10:29:49 ----D---- C:\Documents and Settings\ehughes\Application Data\Malwarebytes
2009-01-26 10:29:40 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-01-26 10:29:40 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-01-26 10:12:43 ----D---- C:\WINDOWS\ERUNT
2009-01-26 07:44:02 ----D---- C:\SDFix
2009-01-21 13:02:19 ----D---- C:\Program Files\Trend Micro
2009-01-21 09:12:38 ----RHD---- C:\$VAULT$.AVG
2009-01-21 08:15:56 ----RSH---- C:\WINDOWS\system32\AcSignExtResl.exe
2009-01-08 09:16:11 ----D---- C:\Documents and Settings\ehughes\Application Data\MSNInstaller
2009-01-08 08:13:14 ----SH---- C:\WINDOWS\system32\ewaletoj.ini
2009-01-07 20:08:21 ----SH---- C:\WINDOWS\system32\oyejalol.ini
2009-01-07 08:08:18 ----SH---- C:\WINDOWS\system32\ogoruweh.ini
2009-01-06 19:07:53 ----SH---- C:\WINDOWS\system32\uyujozet.ini
2009-01-06 07:07:41 ----SH---- C:\WINDOWS\system32\ozajetoj.ini
2009-01-05 19:07:37 ----SH---- C:\WINDOWS\system32\isogefel.ini
2009-01-05 07:07:33 ----SH---- C:\WINDOWS\system32\omapogoj.ini
2008-12-31 09:12:14 ----SH---- C:\WINDOWS\system32\ayonepor.ini
2008-12-30 21:12:07 ----SH---- C:\WINDOWS\system32\umisovid.ini
2008-12-30 11:31:14 ----A---- C:\WINDOWS\cdplayer.ini
2008-12-30 11:29:40 ----D---- C:\Documents and Settings\ehughes\Application Data\Real
2008-12-30 09:11:38 ----SH---- C:\WINDOWS\system32\enivopin.ini
2008-12-29 21:11:35 ----SH---- C:\WINDOWS\system32\aputevip.ini
2008-12-29 08:11:35 ----SH---- C:\WINDOWS\system32\utegekaj.ini

======List of files/folders modified in the last 1 months======

2009-01-26 12:57:49 ----A---- C:\WINDOWS\brwmark.ini
2009-01-26 12:57:49 ----A---- C:\WINDOWS\BRPP2KA.INI
2009-01-26 11:23:30 ----D---- C:\WINDOWS\system32\CatRoot
2009-01-26 11:23:29 ----D---- C:\WINDOWS\system32\CatRoot2
2009-01-26 11:23:25 ----HD---- C:\WINDOWS\inf
2009-01-26 10:44:54 ----D---- C:\WINDOWS\Temp
2009-01-26 10:44:54 ----D---- C:\WINDOWS
2009-01-26 10:44:37 ----RSHD---- C:\WINDOWS\system32\dllcache
2009-01-26 10:44:07 ----D---- C:\WINDOWS\system32
2009-01-26 10:43:57 ----D---- C:\WINDOWS\system32\drivers
2009-01-26 10:34:13 ----D---- C:\WINDOWS\Debug
2009-01-26 10:33:33 ----HD---- C:\WINDOWS\$hf_mig$
2009-01-26 10:29:40 ----RD---- C:\Program Files
2009-01-26 10:28:29 ----D---- C:\WINDOWS\Help
2009-01-26 10:19:32 ----SHD---- C:\WINDOWS\CSC
2009-01-26 10:12:53 ----A---- C:\WINDOWS\ntbtlog.txt
2009-01-26 10:06:38 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-01-26 10:06:29 ----A---- C:\WINDOWS\OEWABLog.txt
2009-01-26 09:55:50 ----D---- C:\WINDOWS\security
2009-01-26 07:19:23 ----D---- C:\WINDOWS\Prefetch
2009-01-26 07:15:31 ----D---- C:\Documents and Settings\ehughes\Application Data\AVG7
2009-01-26 07:13:22 ----D---- C:\Program Files\Outlook Express
2009-01-23 09:42:10 ----SHD---- C:\WINDOWS\Installer
2009-01-23 09:35:16 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-01-23 09:35:15 ----D---- C:\WINDOWS\system
2009-01-21 12:49:51 ----D---- C:\Documents and Settings\All Users\Application Data\pdf995
2009-01-21 09:23:29 ----SD---- C:\Documents and Settings\ehughes\Application Data\Microsoft
2009-01-21 08:52:45 ----D---- C:\WINDOWS\system32\Macromed
2009-01-21 08:52:20 ----D---- C:\Program Files\Microsoft ActiveSync
2009-01-21 08:51:32 ----D---- C:\Program Files\Common Files\Intuit
2009-01-21 08:51:17 ----RSD---- C:\WINDOWS\Fonts
2009-01-21 08:51:15 ----D---- C:\Program Files\Common Files
2009-01-21 08:48:52 ----D---- C:\WINDOWS\system32\QuickTime
2009-01-21 08:48:52 ----D---- C:\Program Files\QuickTime
2009-01-21 08:48:26 ----D---- C:\Program Files\Common Files\Real
2009-01-15 09:07:35 ----D---- C:\Program Files\Carlson Software 2006
2009-01-08 09:19:46 ----D---- C:\Program Files\The_Pirate_Bay
2009-01-08 09:19:46 ----D---- C:\Program Files\Conduit
2009-01-08 09:19:45 ----D---- C:\WINDOWS\SxsCaPendDel
2009-01-08 09:16:13 ----D---- C:\Program Files\MSN
2009-01-08 09:13:49 ----D---- C:\Program Files\Roxio
2009-01-08 09:12:26 ----D---- C:\Program Files\Myers
2009-01-08 09:11:39 ----D---- C:\WINDOWS\ShellNew
2009-01-08 09:10:30 ----D---- C:\WINDOWS\occache
2009-01-08 09:10:08 ----D---- C:\Program Files\Google
2009-01-08 09:10:07 ----D---- C:\Documents and Settings\All Users\Application Data\Google
2009-01-08 09:09:59 ----D---- C:\WINDOWS\WinSxS
2009-01-08 09:06:41 ----D---- C:\Program Files\Dell
2009-01-08 09:04:41 ----HD---- C:\Program Files\InstallShield Installation Information
2008-12-30 10:46:25 ----D---- C:\Documents and Settings\All Users\Application Data\QuickTime
2008-12-29 07:12:41 ----SH---- C:\WINDOWS\system32\izohanek.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgClean;AVG7 Clean Driver; C:\WINDOWS\System32\Drivers\avgclean.sys [2007-12-20 10760]
R1 AvgMfx86;AVG Minifilter x86 Resident Driver; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2007-12-20 26952]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.1.0.1; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2005-10-12 20747]
R2 irda;IrDA Protocol; C:\WINDOWS\system32\DRIVERS\irda.sys [2004-08-03 87424]
R2 Machnm32;Machnm32 Driver; \??\C:\WINDOWS\system32\Machnm32.sys []
R2 MDC8021X;AEGIS Protocol (IEEE 802.1x) v2.3.1.7; C:\WINDOWS\system32\DRIVERS\mdc8021x.sys [2007-08-27 15781]
R2 symlcbrd;symlcbrd; \??\C:\WINDOWS\system32\drivers\symlcbrd.sys []
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2005-08-04 1273344]
R3 BCM43XX;BCM 802.11b Network Adapter Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2004-03-22 338176]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2004-08-12 137728]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2005-11-16 1047816]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2005-10-25 27264]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-03 20480]
S3 BrScnUsb;Brother USB Still Image driver; C:\WINDOWS\System32\Drivers\BrScnUsb.sys [2003-12-19 15263]
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver; C:\WINDOWS\System32\Drivers\BrSerIf.sys [2004-06-12 51712]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver; C:\WINDOWS\System32\Drivers\BrUsbSer.sys [2004-01-10 11648]
S3 catchme;catchme; \??\C:\DOCUME~1\ehughes\LOCALS~1\Temp\catchme.sys []
S3 DELL_A02;Dell TrueMobile 1300 USB2.0 WLAN Card Driver; C:\WINDOWS\system32\DRIVERS\PRISMA02.sys [2005-11-11 353728]
S3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2005-08-25 176128]
S3 KS-959;Kingsun KS-959 USB Infrared Adapter; C:\WINDOWS\system32\DRIVERS\KS-959.sys [2005-09-04 19034]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys []
S3 wceusbsh;Windows CE USB Serial Host Driver; C:\WINDOWS\system32\DRIVERS\wceusbsh.sys [2006-11-06 28672]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2004-08-03 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2004-08-03 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2004-08-03 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2004-08-03 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2004-08-03 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2004-08-03 41088]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2004-08-03 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2005-08-04 380928]
R2 Avg7Alrt;AVG7 Alert Manager Server; C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe [2007-12-11 418816]
R2 Avg7UpdSvc;AVG7 Update Service; C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe [2007-12-10 49664]
R2 AvgCoreSvc;AVG7 Resident Shield Service; C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe [2007-12-10 192512]
R2 Brother XP spl Service;BrSplService; C:\WINDOWS\system32\brsvc01a.exe [2002-04-11 57344]
R2 IAANTMon;Intel® Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe [2005-06-17 86140]
R2 Iomega App Services;Iomega App Services; C:\PROGRA~1\Iomega\System32\AppServices.exe [2002-09-04 73728]
R2 Irmon;Infrared Monitor; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
R2 PRISMSVC;PRISMSVC; C:\WINDOWS\system32\PRISMSVC.EXE [2005-12-22 61526]
R2 Symantec Core LC;Symantec Core LC; C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [2007-04-05 1174152]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R2 WLTRYSVC;WLTRYSVC; C:\WINDOWS\System32\WLTRYSVC.EXE [2004-03-22 45056]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2004-08-04 267776]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 HP Port Resolver;HP Port Resolver; C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBPRO.EXE [2005-05-20 81920]
S3 HP Status Server;HP Status Server; C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXE [2004-10-16 73728]
S3 NetSvc;Intel NCS NetService; C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe [2004-11-19 147456]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S4 Iomega Activity Disk2;Iomega Activity Disk2; []

-----------------EOF-----------------


RSIT info:


info.txt logfile of random's system information tool 1.05 2009-01-26 13:16:36

======Uninstall list======

-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
-->MsiExec.exe /I{8A42F680-2DD6-11D4-9A8C-0040F6982C20}
-->MsiExec.exe /I{A2529672-574A-4A99-86A5-C1770A0E31FE}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG 7.5-->C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Belkin Wireless Utility-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45401A03-BDF0-448F-9B0F-3882B96F6692}\setup.exe" -l0x9
Brother Internet Fax 2.02-->C:\Program Files\Brother\BRMFLPRO\UnInst.exe
Brother Internet Fax Driver-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\DeIsL2.isu -cbruninf2.dll
Carlson Software 2006-->MsiExec.exe /I{D2B92EA4-5486-47CD-A799-507751089EB2}
Dell Driver Reset Tool-->MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Digital Content Portal-->MsiExec.exe /I{B702CCCE-3176-4DBF-B932-D1B8F402F330}
High Definition Audio Driver Package - KB835221-->C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB909394)-->"C:\WINDOWS\$NtUninstallKB909394$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB914440)-->"C:\WINDOWS\$NtUninstallKB914440$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB915865)-->"C:\WINDOWS\$NtUninstallKB915865$\spuninst\spuninst.exe"
HP Care Pack Core-->MsiExec.exe /I{5715A83C-6FE9-4730-A6E2-D6584584DD01}
HP Care Pack Products-->MsiExec.exe /I{E1A7C08D-1724-4A94-9E14-F83AB1530B16}
HP LaserJet P3005 Install Notes-->MsiExec.exe /I{403BC48C-BCAA-47EA-9841-F26599A81E48}
HP LaserJet P3005 User Guide-->MsiExec.exe /I{CEF89BE7-8948-478A-A452-3F0E9F69233D}
HP LaserJet P3005-->"C:\Program Files\Hewlett-Packard\Install Engines\HP LaserJet P3005\setup.exe" /x
HP LaserJet P3005-->msiexec /x{748B1880-9025-439D-B5D1-E078F2329993}
HydroCAD-->C:\WINDOWS\UnDeploy.exe "C:\Program Files\HydroCAD\Deploy.log"
Intel Matrix Storage Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}\setup.exe" -l0409 -INTELUNINST
Intel® PRO Network Connections Drivers-->Prounstl.exe
Intel® PROSet for Wired Connections-->MsiExec.exe /I{4CEA6811-DFAD-4892-828D-49941FE3B779}
Iomega HotBurn Pro-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CCB1507A-AAEA-4778-AC4B-DD5EAB1A961E}\Setup.exe" -l0x9 UNINSTALL
J2SE Runtime Environment 5.0 Update 10-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java 2 Runtime Environment, SE v1.4.2_03-->MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
Java™ 6 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ SE Runtime Environment 6 Update 1-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Macromedia Flash Player-->MsiExec.exe /X{0456ebd7-5f67-4ab6-852e-63781e3f389c}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Maptech Terrain Navigator-->C:\WINDOWS\TSuninst.exe C:\Program Files\Maptech\Terrain Navigator
MCU-->MsiExec.exe /I{D2988E9B-C73F-422C-AD4B-A66EBE257120}
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office 2000 Disc 2-->MsiExec.exe /I{00040409-78E1-11D2-B60F-006097C998E7}
Microsoft Office 2000 Premium-->MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Office Outlook 2003-->MsiExec.exe /I{90E00409-6000-11D3-8CFE-0150048383C9}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
PaperPort-->MsiExec.exe /I{A17EABB6-D0C6-44E5-820C-72DC7F495064}
Pdf995-->C:\Program Files\pdf995\setup.exe uninstall
QuickTime-->C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
Security Update for Step By Step Interactive Training (KB898458)-->"C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB929969)-->"C:\WINDOWS\ie7updates\KB929969\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB911564)-->"C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 6.4 (KB925398)-->"C:\WINDOWS\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"
Security Update for Windows XP (KB890046)-->"C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893756)-->"C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896428)-->"C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587)-->"C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899589)-->"C:\WINDOWS\$NtUninstallKB899589$\spuninst\spuninst.exe"
Security Update for Windows XP (KB900725)-->"C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901017)-->"C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905414)-->"C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905749)-->"C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911280)-->"C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911562)-->"C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911567)-->"C:\WINDOWS\$NtUninstallKB911567$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911927)-->"C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912812)-->"C:\WINDOWS\$NtUninstallKB912812$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913446)-->"C:\WINDOWS\$NtUninstallKB913446$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913580)-->"C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914388)-->"C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914389)-->"C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Security Update for Windows XP (KB916281)-->"C:\WINDOWS\$NtUninstallKB916281$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917159)-->"C:\WINDOWS\$NtUninstallKB917159$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917344)-->"C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917422)-->"C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917953)-->"C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918118)-->"C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918439)-->"C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918899)-->"C:\WINDOWS\$NtUninstallKB918899$\spuninst\spuninst.exe"
Security Update for Windows XP (KB919007)-->"C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920213)-->"C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920214)-->"C:\WINDOWS\$NtUninstallKB920214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920670)-->"C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920683)-->"C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920685)-->"C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921398)-->"C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921883)-->"C:\WINDOWS\$NtUninstallKB921883$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922616)-->"C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922819)-->"C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923191)-->"C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923414)-->"C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923694)-->"C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923980)-->"C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924191)-->"C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924270)-->"C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924496)-->"C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924667)-->"C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925486)-->"C:\WINDOWS\$NtUninstallKB925486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925902)-->"C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926255)-->"C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926436)-->"C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927779)-->"C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927802)-->"C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928255)-->"C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928843)-->"C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929123)-->"C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Security Update for Windows XP (KB930178)-->"C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931261)-->"C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931784)-->"C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Security Update for Windows XP (KB932168)-->"C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935839)-->"C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935840)-->"C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Shadow Copy Client-->MsiExec.exe /I{23E5032B-56CA-4C19-A72E-B50161DB82CA}
Sonic Activation Module-->MsiExec.exe /I{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}
Symantec KB-DocID:2003093015493306-->MsiExec.exe /I{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}
Update for Windows XP (KB894391)-->"C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB900485)-->"C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Update for Windows XP (KB904942)-->"C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
Update for Windows XP (KB908531)-->"C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Update for Windows XP (KB910437)-->"C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Update for Windows XP (KB916595)-->"C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Update for Windows XP (KB920872)-->"C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Update for Windows XP (KB922582)-->"C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Update for Windows XP (KB927891)-->"C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Update for Windows XP (KB929338)-->"C:\WINDOWS\$NtUninstallKB929338$\spuninst\spuninst.exe"
Update for Windows XP (KB930916)-->"C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Update for Windows XP (KB931836)-->"C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
Update for Windows XP (KB936357)-->"C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
USB 2.0 Wireless LAN Card Utility-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A3BC5D37-30F9-4CF7-BD5C-0DFF063E4B6D}\setup.exe" -l0x9 -L0x9 -removeonly
VIP Task Manager Professional 2.8.1.428-->"C:\Program Files\VIP Quality Software\VIP Task Manager Professional\unins000.exe"
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10 Hotfix - KB894476-->"C:\WINDOWS\$NtUninstallKB894476$\spuninst\spuninst.exe"
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 10-->MsiExec.exe /I{33BB4982-DC52-4886-A03B-F4C5C80BEE89}
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185-->C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB887742-->C:\WINDOWS\$NtUninstallKB887742$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859-->"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"

======Hosts File======

127.0.0.1 localhost

======Security center information======

AV: AVG 7.5.552

System event log

Computer Name: DELL06
Event Code: 29
Message: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Record Number: 5
Source Name: W32Time
Time Written: 20090112070948.000000-300
Event Type: error
User:

Computer Name: DELL06
Event Code: 14
Message: The time provider NtpClient was unable to find a domain controller to use as a time
source. NtpClient will try again in 15 minutes.

Record Number: 4
Source Name: W32Time
Time Written: 20090112070948.000000-300
Event Type: warning
User:

Computer Name: DELL06
Event Code: 5719
Message: No Domain Controller is available for domain LANDTECH due to the following:
There are currently no logon servers available to service the logon request.
.

Make sure that the computer is connected to the network and try
again. If the problem persists, please contact your domain administrator.

Record Number: 3
Source Name: NETLOGON
Time Written: 20090112070916.000000-300
Event Type: error
User:

Computer Name: DELL06
Event Code: 6005
Message: The Event log service was started.

Record Number: 2
Source Name: EventLog
Time Written: 20090112070915.000000-300
Event Type: information
User:

Computer Name: DELL06
Event Code: 6009
Message: Microsoft ® Windows ® 5.01. 2600 Service Pack 2 Multiprocessor Free.

Record Number: 1
Source Name: EventLog
Time Written: 20090112070915.000000-300
Event Type: information
User:

Application event log

Computer Name: DELL06
Event Code: 1800
Message: The Windows Security Center Service has started.

Record Number: 15709
Source Name: SecurityCenter
Time Written: 20090120070347.000000-300
Event Type: information
User:

Computer Name: DELL06
Event Code: 1
Message:
Record Number: 15708
Source Name: QuickBooksDB
Time Written: 20090120070342.000000-300
Event Type: information
User:

Computer Name: DELL06
Event Code: 1
Message:
Record Number: 15707
Source Name: QuickBooksDB
Time Written: 20090120070341.000000-300
Event Type: information
User:

Computer Name: DELL06
Event Code: 105
Message:
Record Number: 15706
Source Name: PRISMSVC
Time Written: 20090120070336.000000-300
Event Type: information
User:

Computer Name: DELL06
Event Code: 1
Message: Service started

Record Number: 15705
Source Name: Avg7UpdSvc
Time Written: 20090120070336.000000-300
Event Type: information
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Autodesk Shared\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 4, GenuineIntel
"PROCESSOR_REVISION"=0404
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"ASLOGDIR"=C:\Program Files\Intuit\QuickBooks 2006\
"SBSSERVER"=lt-sbs1

-----------------EOF-----------------

#7 mas_pogi

mas_pogi

    Carpal Tunnel of Love


  • Members
  • 1,473 posts
  • OFFLINE
  • Gender:Male
  • Location:Tokyo, JP
  • Local time:06:15 PM

Posted 26 January 2009 - 10:12 PM

hi.

Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case bittorrent and The_Pirate_Bay). These programmes allow files to be shared between users, as the name suggests. In today's world cyber crime has reached an enormous scale, and any means is used to infect personal computers so that their stored data or machine power can be used for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with great care. Some further reading on this subject, along with the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (e.g. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

  • One of the files flagged by Kaspersky is in your email backup. I cannot pinpoint which one of those. Just be careful opening links and attachments in
    emails. We will not delete this file, but if you restore it in the near future, check the email first before opening.

    C:\Documents and Settings\ehughes\My Documents\hughes backup 082607.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1

  • Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

    How to see hidden files in Windows

    Please click this link-->Virustotal

    When the VirusTotal page has finished loading, click the Browse button and navigate to the following file and click Submit.

    C:\Documents and Settings\Rmartin\Local Settings\Application Data\adsldpb.exe
    C:\WINDOWS\system32\AcSignExtResl.exe


    Please post back the results of the scan in your next post.

    If Jotti is busy, try the same at Jotti: http://virusscan.jotti.org/

  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

  • Run ESET Online Scan

    Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.
    • Check (tick) this box: YES, I accept the Terms of Use.
    • Click on the Start button next to it.
    • When prompted to run ActiveX, click Yes.
    • You will be asked to install an ActiveX. Click Install.
    • Once installed, the scanner will be initialized.
    • After the scanner is initialized, click Start.
    • Uncheck (untick) Remove found threats box.
    • Check (tick) Scan unwanted applications.
    • Click on Scan.
    • It will start scanning. Please be patient.
    • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.
In your reply, please post

C:\combofix.txt
ESET scan result
Virustotal scan result


Mark

#8 sledneck8

sledneck8
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:05:15 PM

Posted 27 January 2009 - 09:44 AM

Here are the Virustotal scan results and the ESET log; however, I could not run combofix because my antivirus is network based and I am having trouble disabling it, and I can't disable it on the network.

Virustotal for AcSignExtResl.exe:

File AcSignExtResl.exe received on 01.27.2009 13:24:56 (CET)
Current status: finished
Result: 9/39 (23.08%)

Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.27 -
AhnLab-V3 5.0.0.2 2009.01.26 -
AntiVir 7.9.0.60 2009.01.27 -
Authentium 5.1.0.4 2009.01.26 -
Avast 4.8.1281.0 2009.01.27 Win32:Falder
AVG 8.0.0.229 2009.01.27 -
BitDefender 7.2 2009.01.27 -
CAT-QuickHeal 10.00 2009.01.27 (Suspicious) - DNAScan
ClamAV 0.94.1 2009.01.27 -
Comodo 948 2009.01.27 -
DrWeb 4.44.0.09170 2009.01.27 -
eSafe 7.0.17.0 2009.01.26 Suspicious File
eTrust-Vet 31.6.6329 2009.01.27 -
F-Prot 4.4.4.56 2009.01.26 -
F-Secure 8.0.14470.0 2009.01.27 -
Fortinet 3.117.0.0 2009.01.27 -
GData 19 2009.01.27 Win32:Falder
Ikarus T3.1.1.45.0 2009.01.27 -
K7AntiVirus 7.10.606 2009.01.26 -
Kaspersky 7.0.0.125 2009.01.27 -
McAfee 5507 2009.01.26 -
McAfee+Artemis 5507 2009.01.26 -
Microsoft 1.4205 2009.01.27 -
NOD32 3803 2009.01.27 a variant of Win32/Kryptik.FN
Norman 5.93.01 2009.01.26 -
nProtect 2009.1.8.0 2009.01.27 -
Panda 9.5.1.2 2009.01.27 Suspicious file
PCTools 4.4.2.0 2009.01.27 -
Prevx1 V2 2009.01.27 -
Rising 21.13.42.00 2009.01.23 Trojan.Clicker.Win32.Undef.gj
SecureWeb-Gateway 6.7.6 2009.01.27 Win32.Vulnerable.gen!High (suspicious)
Sophos 4.37.0 2009.01.27 Troj/FakeAle-LE
Sunbelt 3.2.1835.2 2009.01.16 -
Symantec 10 2009.01.27 -
TheHacker 6.3.1.5.229 2009.01.26 -
TrendMicro 8.700.0.1004 2009.01.27 -
VBA32 3.12.8.11 2009.01.26 -
ViRobot 2009.1.23.1577 2009.01.26 -
VirusBuster 4.5.11.0 2009.01.26 -
Additional information
File size: 50176 bytes
MD5...: b28ba7a8c2d90c44bc54c8adc1f6502a
SHA1..: e644145eb6bc2ba8e693fcdafecbc4e77725f3ef
SHA256: 0c3dc04b37379dfdbb70722af2e76c0e2d80c1cb4860b4235b5375fb449ff2b1
SHA512: 2c9e27fe0b31587e1bb868bb60b8b48c61b01f79d948329b15131fdddb5a8c618d54c649feb7fc2bf8a00d77a9ed16537e4eb072a1e13483771283af02dbb6b5
ssdeep: 1536:kuPidYndB7EJ7Z+icZ04RNkx10ABp/MPrbuL8:j6udMz4RNU1p8PrE8
PEiD..: -
TrID..: File type identification
  Win32 Executable Generic (38.4%)
  Win32 Dynamic Link Library (generic) (34.2%)
  Clipper DOS Executable (9.1%)
  Generic Win/DOS Executable (9.0%)
  DOS Executable Generic (9.0%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x1000
timedatestamp.....: 0x472deb36 (Sun Nov 04 15:54:30 2007)
machinetype.......: 0x14c (I386)
( 2 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xc000 0xb800 7.99 6aa1aeb05d7f064495d2b25723286be3
.rdata 0xd000 0x2000 0x800 3.97 c8f5b3506aec936fa840e9ae7bf9ba47
( 4 imports )
> KERNEL32.DLL: CreateProcessA, GetSystemDefaultLCID, GlobalReAlloc, Sleep, GetDateFormatA, WideCharToMultiByte, FatalAppExitA, FindAtomA, lstrcmpi, GetCommandLineA, GetComputerNameA, SetSystemTimeAdjustment, SearchPathW, FindNextFileW, GetPrivateProfileStructA, GetModuleHandleA, ExitProcess, VirtualProtect, GetProcAddress, GetTapePosition
> USER32.DLL: EnumWindowStationsA, SetScrollInfo, TabbedTextOutW, LoadAcceleratorsA, SetWindowPos, DlgDirListW, SetUserObjectInformationW, RegisterWindowMessageA
> GDI32.DLL: ExtTextOutW, SetDIBitsToDevice, SetTextAlign, SetPixel, SetWindowExtEx, GetBkMode, ResetDCW, GetTextCharsetInfo, Ellipse, CreatePen, CreateBrushIndirect, GetStretchBltMode, EnumICMProfilesA, GetEnhMetaFilePaletteEntries, GetRegionData
> ADVAPI32.DLL: CryptHashData, IsValidAcl, RegReplaceKeyW, OpenServiceW, ClearEventLogA, OpenBackupEventLogW, SetSecurityInfoExA, GetAuditedPermissionsFromAclW, RegUnLoadKeyW, RegisterEventSourceW, CryptDecrypt, RegRestoreKeyA, CryptGetKeyParam, LookupAccountNameA, PrivilegeCheck, CryptCreateHash, CryptDeriveKey, CryptAcquireContextA, DeleteService, RegFlushKey
( 0 exports )
ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

----------------------------------------------------------------------------------------

Virustotal for adsldpb.exe:

File adsldpb.exe received on 01.27.2009 13:20:50 (CET)
Current status: finished
Result: 0/35 (0%)

Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.27 -
AhnLab-V3 5.0.0.2 2009.01.26 -
AntiVir 7.9.0.60 2009.01.27 -
Authentium 5.1.0.4 2009.01.26 -
Avast 4.8.1281.0 2009.01.27 -
AVG 8.0.0.229 2009.01.27 -
BitDefender 7.2 2009.01.27 -
CAT-QuickHeal 10.00 2009.01.27 -
ClamAV 0.94.1 2009.01.27 -
Comodo 948 2009.01.27 -
DrWeb 4.44.0.09170 2009.01.27 -
eSafe 7.0.17.0 2009.01.26 -
eTrust-Vet 31.6.6329 2009.01.27 -
F-Prot 4.4.4.56 2009.01.26 -
Fortinet 3.117.0.0 2009.01.27 -
GData 19 2009.01.27 -
Ikarus T3.1.1.45.0 2009.01.27 -
K7AntiVirus 7.10.606 2009.01.26 -
Kaspersky 7.0.0.125 2009.01.27 -
McAfee 5507 2009.01.26 -
McAfee+Artemis 5507 2009.01.26 -
Microsoft 1.4205 2009.01.27 -
NOD32 3803 2009.01.27 -
Norman 5.93.01 2009.01.26 -
nProtect 2009.1.8.0 2009.01.27 -
Panda 9.5.1.2 2009.01.27 -
PCTools 4.4.2.0 2009.01.27 -
Rising 21.13.42.00 2009.01.23 -
SecureWeb-Gateway 6.7.6 2009.01.27 -
Sophos 4.37.0 2009.01.27 -
Sunbelt 3.2.1835.2 2009.01.16 -
TheHacker 6.3.1.5.229 2009.01.26 -
TrendMicro 8.700.0.1004 2009.01.27 -
ViRobot 2009.1.23.1577 2009.01.26 -
VirusBuster 4.5.11.0 2009.01.26 -
Additional information
File size: 14336 bytes
MD5...: 8f078ae4ed187aaabc0a305146de6716
SHA1..: da0ff4006859a7580aba81f486f692dead2014fe
SHA256: 16593943861d03d508f37f60e41240dee14221e76f625835487f73d5010ac18a
SHA512: 2f82c39b6c151d52cba42357e867910732a930a6055f6a1506d20c1044e88e6f2cc2027a291c2ab98e21c2b35c2a957c3f5034bf975527001d927c5504776105
ssdeep: 384:cpiRrTp13SkhnRCwOV5JpeLCdw9rDpWCl8CbW:dT/3Ska6Lh8C
PEiD..: -
TrID..: File type identification
  Win32 Executable Generic (42.3%)
  Win32 Dynamic Link Library (generic) (37.6%)
  Generic Win/DOS Executable (9.9%)
  DOS Executable Generic (9.9%)
  Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x2509
timedatestamp.....: 0x41107ed6 (Wed Aug 04 06:14:46 2004)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2c00 0x2c00 6.29 6fc4d075dfb37185ffae8eacb467b822
.data 0x4000 0x1f0 0x200 1.61 553c0ebbbc67abab785f2065a062b522
.rsrc 0x5000 0x418 0x600 2.54 2997285df9158db5a62ffb42a2fd0d07
( 4 imports )
> ADVAPI32.dll: RegQueryValueExW, SetSecurityDescriptorDacl, SetEntriesInAclW, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, InitializeSecurityDescriptor, GetTokenInformation, OpenProcessToken, OpenThreadToken, SetServiceStatus, RegisterServiceCtrlHandlerW, RegCloseKey, RegOpenKeyExW, StartServiceCtrlDispatcherW
> KERNEL32.dll: HeapFree, GetLastError, WideCharToMultiByte, lstrlenW, LocalFree, GetCurrentProcess, GetCurrentThread, GetProcAddress, LoadLibraryExW, LeaveCriticalSection, HeapAlloc, EnterCriticalSection, LCMapStringW, FreeLibrary, lstrcpyW, ExpandEnvironmentStringsW, lstrcmpiW, ExitProcess, GetCommandLineW, InitializeCriticalSection, GetProcessHeap, SetErrorMode, SetUnhandledExceptionFilter, RegisterWaitForSingleObject, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, LocalAlloc, lstrcmpW, DelayLoadFailureHook
> ntdll.dll: NtQuerySecurityObject, RtlFreeHeap, NtOpenKey, wcscat, wcscpy, RtlAllocateHeap, RtlCompareUnicodeString, RtlInitUnicodeString, RtlInitializeSid, RtlLengthRequiredSid, RtlSubAuthoritySid, NtClose, RtlSubAuthorityCountSid, RtlGetDaclSecurityDescriptor, RtlQueryInformationAcl, RtlGetAce, RtlImageNtHeader, wcslen, RtlUnhandledExceptionFilter, RtlCopySid
> RPCRT4.dll: RpcServerUnregisterIfEx, RpcMgmtWaitServerListen, RpcMgmtSetServerStackSize, RpcServerUnregisterIf, RpcServerListen, RpcServerUseProtseqEpW, RpcServerRegisterIf, I_RpcMapWin32Status, RpcMgmtStopServerListening
( 0 exports )
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=8f078ae4ed187aaabc0a305146de6716

------------------------------------------------------------------------------

ESET log:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3803 (20090127)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=f5e8ad866afa2844aed805ae4de1cf15
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2009-01-27 02:17:22
# local_time=2009-01-27 09:17:22 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=362759
# found=19
# scan_time=3209
C:\Documents and Settings\Rmartin\Local Settings\Application Data\AcSignOptd.exe Win32/IRCBot.ADZ trojan CCFBD3C715132A6A92B7E8FAA97857C1
C:\SDFix\backups\backups.zip multiple infiltrations 1697F40E5781307C0540A4707578B02A
C:\SDFix\backups\backups.zip »ZIP »backups/2052l.exe Win32/IRCBot.ADZ trojan 00000000000000000000000000000000
C:\SDFix\backups\backups.zip »ZIP »backups/a.exe a variant of Win32/Kryptik.FQ trojan 00000000000000000000000000000000
C:\SDFix\backups\backups.zip »ZIP »backups/runsql.exe Win32/TrojanClicker.Delf.NDQ trojan 00000000000000000000000000000000
C:\SDFix\backups\backups.zip »ZIP »backups/sv.exe Win32/TrojanClicker.Delf.NDS trojan 00000000000000000000000000000000
C:\SDFix\backups\backups.zip »ZIP »backups/svc.exe a variant of Win32/Kryptik.FN trojan 00000000000000000000000000000000
C:\SDFix\backups\backups.zip »ZIP »backups/svhoster.exe Win32/TrojanClicker.Delf.NAS trojan 00000000000000000000000000000000
C:\SDFix\backups\backups.zip »ZIP »backups/svw.exe a variant of Win32/Kryptik.FN trojan 00000000000000000000000000000000
C:\SDFix\backups\backups.zip »ZIP »backups/svx.exe a variant of Win32/Kryptik.FN trojan 00000000000000000000000000000000
C:\SDFix\backups\backups.zip »ZIP »backups/svzip.exe Win32/TrojanClicker.Delf.NBA trojan 00000000000000000000000000000000
C:\SDFix\backups\backups.zip »ZIP »backups/vlc.exe Win32/TrojanClicker.Delf.NDJ trojan 00000000000000000000000000000000
C:\SDFix\backups\backups.zip »ZIP »backups/wdmon.exe a variant of Win32/Kryptik.EM trojan 00000000000000000000000000000000
C:\SDFix\backups\catchme.zip Win32/Spy.Zbot.GC trojan 6E9478B1628591BFF97E51C3494BD100
C:\SDFix\backups\catchme.zip »ZIP »twext.exe Win32/Spy.Zbot.GC trojan 00000000000000000000000000000000
C:\WINDOWS\tmp6373394.log Win32/TrojanClicker.Delf.NBE trojan 1E1647954134227E11493721D18FDDA9
C:\WINDOWS\tmp7605500.log Win32/TrojanClicker.Delf.NFJ trojan 6FEC5240F3EEFF7D7BE7B91DAD0291AF
C:\WINDOWS\tmp8937726.log Win32/TrojanClicker.Delf.NFL trojan B81C8525153AF5029E0AF047BC1800A9
C:\WINDOWS\system32\AcSignExtResl.exe a variant of Win32/Kryptik.FN trojan B28BA7A8C2D90C44BC54C8ADC1F6502A
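
Of the 19 hits in the ESET log above, most sit inside C:\SDFix\backups, where SDFix keeps copies of files it already removed, so only a handful are live files on disk. The following Python script is an added example (not part of this thread, and not ESET's tooling) that parses ESET result lines, splits the " »ZIP »" archive-member chains, marks hits under known quarantine folders as leftover copies, checks the scanner's own "found=" count against the number of result lines, and collects the MD5s of the live hits for a VirusTotal lookup like the one in the post above. The sample log embeds six result lines copied from the log above with the header's found= adjusted to match; the list of quarantine roots is an assumption.

```python
"""Triage an ESET Online Scanner result log: tell live detections apart from
copies sitting in cleanup-tool quarantine folders, and collect the MD5s of
the live files for a VirusTotal lookup. Added example, not ESET's own code."""
import re
from collections import Counter

# Folders where cleanup tools park copies of what they removed. A hit under
# one of these is a leftover copy, not an active infection (assumed list).
QUARANTINE_ROOTS = (
    r"c:\sdfix\backups",
    r"c:\_otmoveit\movedfiles",
    r"c:\qoobox\quarantine",
)

# One result line: <path> <detection> <md5>. The path may contain spaces,
# and archive members are chained onto the container with " »" separators,
# e.g. "backups.zip »ZIP »backups/a.exe". The detection wording is what
# keeps the non-greedy path from swallowing the rest of the line.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<detection>multiple infiltrations|"
    r"(?:(?:probably )?a variant of )?\S+ (?:trojan|worm|virus|application|adware))"
    r" (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_line(line):
    """Parse one result line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    chain = m.group("path").split(" »")
    container = chain[0]
    md5 = m.group("md5").upper()
    in_quarantine = any(container.lower().startswith(q) for q in QUARANTINE_ROOTS)
    return {
        "container": container,
        "member": chain[-1] if len(chain) > 1 else None,
        "detection": m.group("detection"),
        # ESET prints an all-zero hash for members inside an archive
        "md5": None if set(md5) == {"0"} else md5,
        "status": "quarantined" if in_quarantine else "live",
    }


def triage(log_text):
    """Parse a whole log: '# key=value' header lines plus result lines."""
    header, hits, unparsed = {}, [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key] = value
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
        else:
            hits.append(rec)
    live = [h for h in hits if h["status"] == "live"]
    return {
        "header": header,
        "hits": hits,
        "unparsed": unparsed,
        "counts": dict(Counter(h["status"] for h in hits)),
        "live": live,
        # hashes worth looking up; archive members have none
        "live_hashes": sorted({h["md5"] for h in live if h["md5"]}),
        # the scanner's own count should equal the number of result lines
        "count_matches_header": header.get("found") == str(len(hits) + len(unparsed)),
    }


# Constructed sample: six result lines copied from the ESET log above, with
# the header's found= adjusted to the number of lines kept.
SAMPLE_LOG = r'''
# version=4
# end=finished
# scanned=362759
# found=6
C:\Documents and Settings\Rmartin\Local Settings\Application Data\AcSignOptd.exe Win32/IRCBot.ADZ trojan CCFBD3C715132A6A92B7E8FAA97857C1
C:\SDFix\backups\backups.zip multiple infiltrations 1697F40E5781307C0540A4707578B02A
C:\SDFix\backups\backups.zip »ZIP »backups/a.exe a variant of Win32/Kryptik.FQ trojan 00000000000000000000000000000000
C:\SDFix\backups\catchme.zip »ZIP »twext.exe Win32/Spy.Zbot.GC trojan 00000000000000000000000000000000
C:\WINDOWS\tmp6373394.log Win32/TrojanClicker.Delf.NBE trojan 1E1647954134227E11493721D18FDDA9
C:\WINDOWS\system32\AcSignExtResl.exe a variant of Win32/Kryptik.FN trojan B28BA7A8C2D90C44BC54C8ADC1F6502A
'''

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["counts"], "header count ok:", result["count_matches_header"])
    for hit in result["live"]:
        print("LIVE", hit["detection"], hit["container"], hit["md5"])
    print("look up:", result["live_hashes"])
```

Run it against a full ESET log and the "live" list is the set of files that still need removing; the "quarantined" ones disappear when the cleanup tools' backup folders are deleted at the end of the process.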

#9 mas_pogi

  • Members
  • 1,473 posts
  • Gender:Male
  • Location:Tokyo, JP
  • Local time:06:15 PM

Posted 27 January 2009 - 10:42 PM

hi.

Let's continue.
  • Please uninstall the following using Add/Remove Programs in the Control Panel

    Outdated java runtimes:

    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Java 2 Runtime Environment, SE v1.4.2_03
    Java™ 6 Update 2
    Java™ SE Runtime Environment 6 Update 1

    Then go to http://java.sun.com/javase/downloads/index.jsp and select Java Runtime Environment (JRE) 6 Update 11. Install it.

  • Backup Your Registry with ERUNT
    • Please use the following link and scroll down to ERUNT and download it.
      http://aumha.org/freeware/freeware.php
    • For version with the Installer:
      Use the setup program to install ERUNT on your computer
    • For the zipped version:
      Unzip all the files into a folder of your choice.
    Click Erunt.exe to backup your registry to the folder of your choice.

    Note: to restore your registry, go to the folder and start ERDNT.exe

  • Please download the OTMoveIt3 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      :Processes
      explorer.exe
      
      :reg
      [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
      "C:\\DOCUME~1\\ehughes\\LOCALS~1\\Temp\\60325cahp25cas.exe"=-
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
      "AppInit_DLLs"=""
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
      "Authentication Packages"=hex(7):6D,73,76,31,5F,30,00,00
      [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}]
      [-HKEY_CLASSES_ROOT\CLSID\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}]
      
      
      :files
      C:\DOCUME~1\ehughes\LOCALS~1\Temp\60325cahp25cas.exe
      C:\WINDOWS\system32\3076v.exe
      C:\WINDOWS\system32\AcSignExtResl.exe
      C:\WINDOWS\system32\adptifh.exe
      C:\WINDOWS\system32\fatalofi.dll
      C:\WINDOWS\system32\FDF05039E5.sys
      C:\WINDOWS\system32\KGyGaAvL.sys
      C:\WINDOWS\system32\kirojowe.dll
      C:\WINDOWS\system32\vipanezo.dll
      C:\Documents and Settings\Rmartin\Local Settings\Application Data\AcSignOptd.exe
      C:\Documents and Settings\Rmartin\Local Settings\Temporary Internet Files\Content.IE5\9V8BV6VB\interno-porn[1].htm
      C:\WINDOWS\tmp6373394.log
      C:\WINDOWS\tmp7605500.log
      C:\WINDOWS\tmp8937726.log
      C:\WINDOWS\system32\vasidifu.dll 
      C:\WINDOWS\system32\kokemabo.dll
      c:\windows\system32\wojukoro.dll
      C:\WINDOWS\system32\risowupa.dll
      c:\windows\system32\tunayiri.dll
      C:\WINDOWS\system32\ewaletoj.ini
      C:\WINDOWS\system32\oyejalol.ini
      C:\WINDOWS\system32\ogoruweh.ini
      C:\WINDOWS\system32\uyujozet.ini
      C:\WINDOWS\system32\ozajetoj.ini
      C:\WINDOWS\system32\isogefel.ini
      C:\WINDOWS\system32\omapogoj.ini
      C:\WINDOWS\system32\ayonepor.ini
      C:\WINDOWS\system32\umisovid.ini
      C:\WINDOWS\system32\enivopin.ini
      C:\WINDOWS\system32\aputevip.ini
      C:\WINDOWS\system32\utegekaj.ini
      C:\WINDOWS\system32\izohanek.ini
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt3
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

  • Download Deckard's Association File Tool DAFT and save it to your desktop.
    • Double click on it and click Run.
    • Click on the Scan button.
    • If it finds faulty file associations, they will appear in red beside a checkbox
    • Click Save Log and save daft.txt
    • Then place a checkmark (tick) in the boxes in question.
    • Click the Fix button.
    • Copy and paste the content of daft.txt to your reply.
  • Please do a scan with Kaspersky Online Scanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.
    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete, click on View scan report
    • Now, click on the Save Report as button.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.
    • Double click on RSIT.exe to run RSIT.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
  • How's your computer now?

In your reply, please post

Otmoveit log
DAFT.txt
Kaspersky scan result
RSIT's log.txt
Answer to my question


Mark
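
The :reg section of the OTMoveIt script above touches three persistence points: it removes a Windows Firewall exception granted to an executable in a user's Temp folder, blanks AppInit_DLLs (any DLL listed there is loaded into every process that uses user32.dll), and resets the LSA "Authentication Packages" list to the hex(7) bytes 6D,73,76,31,5F,30,00,00, which spell "msv1_0", the default NTLM package; an extra entry there is loaded into lsass.exe. The Python script below is an added example, not OTMoveIt's or BleepingComputer's code: it parses such a :reg section, decodes hex(7) REG_MULTI_SZ data (OTMoveIt's one-byte-per-character form and regedit's UTF-16LE export), and checks the decoded values against a clean-XP baseline. The baseline (only msv1_0 registered with LSA, empty AppInit_DLLs, no firewall exceptions for temp-folder files) and the package name "extra" used in the test input are assumptions; the embedded section is copied from the script in the post above.

```python
"""Decode the registry edits in an OTMoveIt-style :reg section and check the
decoded values against a clean Windows XP baseline.
Added example, not OTMoveIt's own code."""
import re

KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
HEX_RE = re.compile(r"^hex\((?P<type>[0-9a-fA-F]+)\):(?P<bytes>.*)$")

# Baseline (assumed): a clean XP machine registers only the NTLM package
# msv1_0 with LSA, and AppInit_DLLs is empty.
EXPECTED_AUTH_PACKAGES = {"msv1_0"}


def unescape(s):
    """Undo .reg-style escaping of backslashes and quotes."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def decode_multi_sz(raw):
    """Split REG_MULTI_SZ bytes into strings. OTMoveIt writes one byte per
    character (6D,73,76,31,5F,30 = "msv1_0"); regedit exports UTF-16LE,
    recognisable by the zero high byte after every character."""
    utf16 = len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2])
    parts = raw.decode("utf-16-le" if utf16 else "latin-1").split("\0")
    while parts and parts[-1] == "":  # drop the string and list terminators
        parts.pop()
    return parts


def decode_data(data):
    """Return (registry type, value) for the right-hand side of a value line."""
    data = data.strip()
    if data == "-":  # "name"=- deletes the value
        return "DELETE", None
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return "REG_SZ", unescape(data[1:-1])
    m = HEX_RE.match(data)
    if m:
        raw = bytes(int(b, 16) for b in m.group("bytes").split(",") if b.strip())
        if m.group("type").lower() == "7":
            return "REG_MULTI_SZ", decode_multi_sz(raw)
        return "REG_BINARY", raw
    raise ValueError(f"unsupported value data: {data!r}")


def parse_reg_section(script):
    """Parse the lines between ':reg' and the next ':section' into operations."""
    ops, key, in_reg = [], None, False
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):  # section header such as :reg or :files
            if in_reg:
                break
            in_reg = line.lower() == ":reg"
            continue
        if not in_reg:
            continue
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            if km.group("delete"):  # [-HKEY...] deletes the whole key
                ops.append({"op": "delete_key", "key": key})
            continue
        vm = VALUE_RE.match(line)
        if vm and key:
            rtype, value = decode_data(vm.group("data"))
            ops.append({"op": "delete_value" if rtype == "DELETE" else "set",
                        "key": key, "name": unescape(vm.group("name")),
                        "type": rtype, "value": value})
    return ops


def audit(ops):
    """Report values that deviate from the baseline or that would persist code."""
    findings = []
    for op in ops:
        key, name, value = op["key"].lower(), op.get("name", ""), op.get("value")
        if op["op"] == "set" and name == "AppInit_DLLs" and value:
            findings.append(f"AppInit_DLLs is {value!r}; it loads into every process that uses user32.dll")
        if op["op"] == "set" and name == "Authentication Packages":
            extra = [p for p in value if p.lower() not in EXPECTED_AUTH_PACKAGES]
            if extra:
                findings.append(f"unexpected LSA authentication packages (loaded into lsass.exe): {extra}")
        if "firewallpolicy" in key and "authorizedapplications" in key:
            if "\\temp\\" in name.lower() or "\\locals~1\\" in name.lower():
                findings.append(f"firewall exception for an executable in a temp folder: {name}")
    return findings


# The :reg section from the OTMoveIt script in the post above, with the
# following :files header kept so the section boundary is exercised.
OTMOVEIT_REG_SECTION = r'''
:reg
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\DOCUME~1\\ehughes\\LOCALS~1\\Temp\\60325cahp25cas.exe"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6D,73,76,31,5F,30,00,00
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}]
[-HKEY_CLASSES_ROOT\CLSID\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}]

:files
C:\WINDOWS\system32\AcSignExtResl.exe
'''

if __name__ == "__main__":
    ops = parse_reg_section(OTMOVEIT_REG_SECTION)
    for op in ops:
        print(op)
    for finding in audit(ops):
        print("FINDING:", finding)
```

On the section above the only finding is the firewall exception for the Temp-folder executable, which the script's "=-" line removes; the AppInit_DLLs and Authentication Packages lines restore the baseline values rather than deviate from them. The same audit() can be pointed at a regedit export of those keys from a machine under investigation.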

#10 sledneck8

  • Topic Starter
  • Members
  • 8 posts
  • Local time:05:15 PM

Posted 28 January 2009 - 01:04 PM

Hello,

OTmoveit log:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\DOCUME~1\ehughes\LOCALS~1\Temp\60325cahp25cas.exe deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\"AppInit_DLLs"|"" /E : value set successfully!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\"Authentication Packages"|hex(7):6D,73,76,31,5F,30,00,00 /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}\\ deleted successfully.
Registry key HKEY_CLASSES_ROOT\CLSID\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}\\ not found.
========== FILES ==========
File/Folder C:\DOCUME~1\ehughes\LOCALS~1\Temp\60325cahp25cas.exe not found.
File/Folder C:\WINDOWS\system32\3076v.exe not found.
C:\WINDOWS\system32\AcSignExtResl.exe moved successfully.
File/Folder C:\WINDOWS\system32\adptifh.exe not found.
File/Folder C:\WINDOWS\system32\fatalofi.dll not found.
C:\WINDOWS\system32\FDF05039E5.sys moved successfully.
C:\WINDOWS\system32\KGyGaAvL.sys moved successfully.
File/Folder C:\WINDOWS\system32\kirojowe.dll not found.
File/Folder C:\WINDOWS\system32\vipanezo.dll not found.
C:\Documents and Settings\Rmartin\Local Settings\Application Data\AcSignOptd.exe moved successfully.
C:\Documents and Settings\Rmartin\Local Settings\Temporary Internet Files\Content.IE5\9V8BV6VB\interno-porn[1].htm moved successfully.
C:\WINDOWS\tmp6373394.log moved successfully.
C:\WINDOWS\tmp7605500.log moved successfully.
C:\WINDOWS\tmp8937726.log moved successfully.
File/Folder C:\WINDOWS\system32\vasidifu.dll not found.
File/Folder C:\WINDOWS\system32\kokemabo.dll not found.
File/Folder c:\windows\system32\wojukoro.dll not found.
File/Folder C:\WINDOWS\system32\risowupa.dll not found.
File/Folder c:\windows\system32\tunayiri.dll not found.
C:\WINDOWS\system32\ewaletoj.ini moved successfully.
C:\WINDOWS\system32\oyejalol.ini moved successfully.
C:\WINDOWS\system32\ogoruweh.ini moved successfully.
C:\WINDOWS\system32\uyujozet.ini moved successfully.
C:\WINDOWS\system32\ozajetoj.ini moved successfully.
C:\WINDOWS\system32\isogefel.ini moved successfully.
C:\WINDOWS\system32\omapogoj.ini moved successfully.
C:\WINDOWS\system32\ayonepor.ini moved successfully.
C:\WINDOWS\system32\umisovid.ini moved successfully.
C:\WINDOWS\system32\enivopin.ini moved successfully.
C:\WINDOWS\system32\aputevip.ini moved successfully.
C:\WINDOWS\system32\utegekaj.ini moved successfully.
C:\WINDOWS\system32\izohanek.ini moved successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7dc.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01282009_084616

Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_7dc.dat not found!



----------------------------------------------------------------------------------------------



The DAFT link does not seem to be working; I tried other links to it and they did not work either.


----------------------------------------------------------------------------------------------


KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, January 28, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, January 28, 2009 13:34:43
Records in database: 1720439


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\
L:\

Scan statistics
Files scanned 163629
Threat name 12
Infected objects 13
Suspicious objects 1
Duration of the scan 02:25:49

File name Threat name Threats count
C:\Documents and Settings\ehughes\My Documents\hughes backup 082607.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1

C:\SDFix\backups\backups.zip Infected: Worm.Win32.Pinit.gen 2

C:\SDFix\backups\backups.zip Infected: Backdoor.Win32.Hupigon.fmtm 1

C:\SDFix\backups\backups.zip Infected: Backdoor.Win32.Hupigon.fmvv 1

C:\SDFix\backups\backups.zip Infected: Trojan-Clicker.Win32.Osewlone.as 1

C:\SDFix\backups\backups.zip Infected: Trojan-Downloader.Win32.Agent.bcnh 1

C:\SDFix\backups\backups.zip Infected: Backdoor.Win32.Agent.abcf 1

C:\SDFix\backups\catchme.zip Infected: Trojan-Spy.Win32.Zbot.lgm 1

C:\_OTMoveIt\MovedFiles\01282009_084616\Documents and Settings\Rmartin\Local Settings\Application Data\AcSignOptd.exe Infected: Worm.Win32.Pinit.gen 1

C:\_OTMoveIt\MovedFiles\01282009_084616\Documents and Settings\Rmartin\Local Settings\Temporary Internet Files\Content.IE5\9V8BV6VB\interno-porn[1].htm Infected: Trojan-Downloader.JS.Iframe.adv 1

C:\_OTMoveIt\MovedFiles\01282009_084616\WINDOWS\tmp6373394.log Infected: Virus.Win32.AutoRun.aku 1

C:\_OTMoveIt\MovedFiles\01282009_084616\WINDOWS\tmp7605500.log Infected: Trojan-Clicker.Win32.Osewlone.ap 1

C:\_OTMoveIt\MovedFiles\01282009_084616\WINDOWS\tmp8937726.log Infected: Trojan.Win32.Monderc.o 1

The scan was stopped by the user.

(stopped because it had moved on into other networked computers)


-------------------------------------------------------------------------------------------------------------


RSIT's logs:

info.txt logfile of random's system information tool 1.05 2009-01-28 12:58:30

======Uninstall list======

-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
-->MsiExec.exe /I{8A42F680-2DD6-11D4-9A8C-0040F6982C20}
-->MsiExec.exe /I{A2529672-574A-4A99-86A5-C1770A0E31FE}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81300000003}
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG 7.5-->C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Belkin Wireless Utility-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45401A03-BDF0-448F-9B0F-3882B96F6692}\setup.exe" -l0x9
Brother Internet Fax 2.02-->C:\Program Files\Brother\BRMFLPRO\UnInst.exe
Brother Internet Fax Driver-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\DeIsL2.isu -cbruninf2.dll
Carlson Software 2006-->MsiExec.exe /I{D2B92EA4-5486-47CD-A799-507751089EB2}
Dell Driver Reset Tool-->MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}
Digital Content Portal-->MsiExec.exe /I{B702CCCE-3176-4DBF-B932-D1B8F402F330}
ESET Online Scanner-->C:\WINDOWS\system32\OnlineScannerUninstaller.exe
High Definition Audio Driver Package - KB835221-->C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB909394)-->"C:\WINDOWS\$NtUninstallKB909394$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB914440)-->"C:\WINDOWS\$NtUninstallKB914440$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB915865)-->"C:\WINDOWS\$NtUninstallKB915865$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
HP Care Pack Core-->MsiExec.exe /I{5715A83C-6FE9-4730-A6E2-D6584584DD01}
HP Care Pack Products-->MsiExec.exe /I{E1A7C08D-1724-4A94-9E14-F83AB1530B16}
HP LaserJet P3005 Install Notes-->MsiExec.exe /I{403BC48C-BCAA-47EA-9841-F26599A81E48}
HP LaserJet P3005 User Guide-->MsiExec.exe /I{CEF89BE7-8948-478A-A452-3F0E9F69233D}
HP LaserJet P3005-->"C:\Program Files\Hewlett-Packard\Install Engines\HP LaserJet P3005\setup.exe" /x
HP LaserJet P3005-->msiexec /x{748B1880-9025-439D-B5D1-E078F2329993}
HydroCAD-->C:\WINDOWS\UnDeploy.exe "C:\Program Files\HydroCAD\Deploy.log"
Intel Matrix Storage Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}\setup.exe" -l0409 -INTELUNINST
Intel® PRO Network Connections Drivers-->Prounstl.exe
Intel® PROSet for Wired Connections-->MsiExec.exe /I{4CEA6811-DFAD-4892-828D-49941FE3B779}
Iomega HotBurn Pro-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CCB1507A-AAEA-4778-AC4B-DD5EAB1A961E}\Setup.exe" -l0x9 UNINSTALL
Java™ 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Macromedia Flash Player-->MsiExec.exe /X{0456ebd7-5f67-4ab6-852e-63781e3f389c}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Maptech Terrain Navigator-->C:\WINDOWS\TSuninst.exe C:\Program Files\Maptech\Terrain Navigator
MCU-->MsiExec.exe /I{D2988E9B-C73F-422C-AD4B-A66EBE257120}
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office 2000 Disc 2-->MsiExec.exe /I{00040409-78E1-11D2-B60F-006097C998E7}
Microsoft Office 2000 Premium-->MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Office Outlook 2003-->MsiExec.exe /I{90E00409-6000-11D3-8CFE-0150048383C9}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
PaperPort-->MsiExec.exe /I{A17EABB6-D0C6-44E5-820C-72DC7F495064}
Pdf995-->C:\Program Files\pdf995\setup.exe uninstall
QuickTime-->C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
Security Update for Step By Step Interactive Training (KB898458)-->"C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB929969)-->"C:\WINDOWS\ie7updates\KB929969\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB911564)-->"C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 6.4 (KB925398)-->"C:\WINDOWS\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"
Security Update for Windows XP (KB890046)-->"C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893756)-->"C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896428)-->"C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587)-->"C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899589)-->"C:\WINDOWS\$NtUninstallKB899589$\spuninst\spuninst.exe"
Security Update for Windows XP (KB900725)-->"C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901017)-->"C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905414)-->"C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905749)-->"C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911280)-->"C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911562)-->"C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911567)-->"C:\WINDOWS\$NtUninstallKB911567$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911927)-->"C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912812)-->"C:\WINDOWS\$NtUninstallKB912812$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913446)-->"C:\WINDOWS\$NtUninstallKB913446$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913580)-->"C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914388)-->"C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914389)-->"C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Security Update for Windows XP (KB916281)-->"C:\WINDOWS\$NtUninstallKB916281$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917159)-->"C:\WINDOWS\$NtUninstallKB917159$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917344)-->"C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917422)-->"C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917953)-->"C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918118)-->"C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918439)-->"C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918899)-->"C:\WINDOWS\$NtUninstallKB918899$\spuninst\spuninst.exe"
Security Update for Windows XP (KB919007)-->"C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920213)-->"C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920214)-->"C:\WINDOWS\$NtUninstallKB920214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920670)-->"C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920683)-->"C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920685)-->"C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921398)-->"C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921883)-->"C:\WINDOWS\$NtUninstallKB921883$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922616)-->"C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922819)-->"C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923191)-->"C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923414)-->"C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923694)-->"C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923980)-->"C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924191)-->"C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924270)-->"C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924496)-->"C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924667)-->"C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925486)-->"C:\WINDOWS\$NtUninstallKB925486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925902)-->"C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926255)-->"C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926436)-->"C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927779)-->"C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927802)-->"C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928255)-->"C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928843)-->"C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929123)-->"C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Security Update for Windows XP (KB930178)-->"C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931261)-->"C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931784)-->"C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Security Update for Windows XP (KB932168)-->"C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935839)-->"C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935840)-->"C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Shadow Copy Client-->MsiExec.exe /I{23E5032B-56CA-4C19-A72E-B50161DB82CA}
Sonic Activation Module-->MsiExec.exe /I{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}
Symantec KB-DocID:2003093015493306-->MsiExec.exe /I{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}
Update for Windows XP (KB894391)-->"C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB900485)-->"C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Update for Windows XP (KB904942)-->"C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
Update for Windows XP (KB908531)-->"C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Update for Windows XP (KB910437)-->"C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Update for Windows XP (KB916595)-->"C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Update for Windows XP (KB920872)-->"C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Update for Windows XP (KB922582)-->"C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Update for Windows XP (KB927891)-->"C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Update for Windows XP (KB929338)-->"C:\WINDOWS\$NtUninstallKB929338$\spuninst\spuninst.exe"
Update for Windows XP (KB930916)-->"C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Update for Windows XP (KB931836)-->"C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
Update for Windows XP (KB936357)-->"C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
USB 2.0 Wireless LAN Card Utility-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A3BC5D37-30F9-4CF7-BD5C-0DFF063E4B6D}\setup.exe" -l0x9 -L0x9 -removeonly
VIP Task Manager Professional 2.8.1.428-->"C:\Program Files\VIP Quality Software\VIP Task Manager Professional\unins000.exe"
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10 Hotfix - KB894476-->"C:\WINDOWS\$NtUninstallKB894476$\spuninst\spuninst.exe"
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 10-->MsiExec.exe /I{33BB4982-DC52-4886-A03B-F4C5C80BEE89}
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185-->C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB887742-->C:\WINDOWS\$NtUninstallKB887742$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859-->"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"

======Hosts File======

127.0.0.1 localhost

======Security center information======

AV: AVG 7.5.552

System event log

Computer Name: DELL06
Event Code: 7036
Message: The Windows Firewall/Internet Connection Sharing (ICS) service entered the stopped state.

Record Number: 27
Source Name: Service Control Manager
Time Written: 20090112071332.000000-300
Event Type: information
User:

Computer Name: DELL06
Event Code: 7036
Message: The SSDP Discovery Service service entered the running state.

Record Number: 26
Source Name: Service Control Manager
Time Written: 20090112071317.000000-300
Event Type: information
User:

Computer Name: DELL06
Event Code: 7035
Message: The SSDP Discovery Service service was successfully sent a start control.

Record Number: 25
Source Name: Service Control Manager
Time Written: 20090112071317.000000-300
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: DELL06
Event Code: 29
Message: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 15 minutes.
NtpClient has no source of accurate time.

Record Number: 24
Source Name: W32Time
Time Written: 20090112071311.000000-300
Event Type: error
User:

Computer Name: DELL06
Event Code: 14
Message: The time provider NtpClient was unable to find a domain controller to use as a time
source. NtpClient will try again in 15 minutes.

Record Number: 23
Source Name: W32Time
Time Written: 20090112071311.000000-300
Event Type: warning
User:

Application event log

Computer Name: DELL06
Event Code: 11729
Message: Product: Microsoft ActiveSync -- Configuration failed.

Record Number: 15767
Source Name: MsiInstaller
Time Written: 20090120111030.000000-300
Event Type: information
User: LANDTECH\RMartin

Computer Name: DELL06
Event Code: 1001
Message: Detection of product '{99052DB7-9592-4522-A558-5417BBAD48EE}', feature 'ActiveSync' failed during request for component '{25AE009D-012F-4A42-A341-259F0FB629A0}'

Record Number: 15766
Source Name: MsiInstaller
Time Written: 20090120111028.000000-300
Event Type: warning
User: LANDTECH\RMartin

Computer Name: DELL06
Event Code: 1004
Message: Detection of product '{99052DB7-9592-4522-A558-5417BBAD48EE}', feature 'ActiveSync', component '{13611E77-B9F9-43C7-85A6-1CB12FD67A1D}' failed. The resource 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows CE Services\Defname' does not exist.

Record Number: 15765
Source Name: MsiInstaller
Time Written: 20090120111028.000000-300
Event Type: warning
User: LANDTECH\RMartin

Computer Name: DELL06
Event Code: 11729
Message: Product: Microsoft ActiveSync -- Configuration failed.

Record Number: 15764
Source Name: MsiInstaller
Time Written: 20090120111028.000000-300
Event Type: information
User: LANDTECH\RMartin

Computer Name: DELL06
Event Code: 1001
Message: Detection of product '{99052DB7-9592-4522-A558-5417BBAD48EE}', feature 'ActiveSync' failed during request for component '{25AE009D-012F-4A42-A341-259F0FB629A0}'

Record Number: 15763
Source Name: MsiInstaller
Time Written: 20090120111026.000000-300
Event Type: warning
User: LANDTECH\RMartin

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\Common Files\Autodesk Shared
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 4, GenuineIntel
"PROCESSOR_REVISION"=0404
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"ASLOGDIR"=C:\Program Files\Intuit\QuickBooks 2006\
"SBSSERVER"=lt-sbs1

-----------------EOF-----------------


Logfile of random's system information tool 1.05 (written by random/random)
Run by Ehughes at 2009-01-28 12:58:27
Microsoft Windows XP Professional Service Pack 2
System drive C: has 47 GB (65%) free of 73 GB
Total RAM: 1022 MB (60% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58, on 2009-01-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PRISMSVC.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Dfawep\bin\hpbwepdelay.exe
C:\Documents and Settings\ehughes\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Ehughes.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI05E6~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://lt-sbs1/ConnectComputer/nshelp.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = landtech.local
O17 - HKLM\Software\..\Telephony: DomainName = landtech.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = landtech.local
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O22 - SharedTaskScheduler: IPC Configuration Utility - IPC Configuration Utility - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7792 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2009-01-28 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-01-28 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-01-28 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"=C:\WINDOWS\stsystra.exe [2005-03-22 339968]
"IAAnotif"=C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [2005-06-17 139264]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2006-04-24 98304]
"ISUSPM Startup"=C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe [2005-06-10 249856]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-06-10 81920]
"SSBkgdUpdate"=C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [2003-10-14 155648]
"PaperPort PTD"=C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe [2004-04-14 57393]
"IndexSearch"=C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe [2004-04-14 40960]
"MSKDetectorExe"=C:\Program Files\McAfee\SpamKiller\MSKDetct.exe [2005-08-12 1121792]
"Drag'n'Drop_Autolaunch"=C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe [2003-01-30 86016]
"AVG7_CC"=C:\PROGRA~1\Grisoft\AVG7\avgcc.exe [2008-10-20 590848]
"hpbdfawep"=C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe [2006-07-12 626688]
"pdfSaver3"= []
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-01-28 136600]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2004-10-13 1694208]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE
Wireless USB 2.0 WLAN Card Utility.lnk - C:\Program Files\Dell Wireless\PRISMCFG.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgwlntf]
C:\WINDOWS\system32\avgwlntf.dll [2007-12-10 9216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PRISMAPI.DLL]
C:\WINDOWS\system32\PRISMAPI.DLL [2005-12-22 450646]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
IPC Configuration Utility - IPC Configuration Utility

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
C:\WINDOWS\system32\vasidifu.dll
C:\WINDOWS\system32\kokemabo.dll
C:\WINDOWS\system32\risowupa.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoWelcomeScreen"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
"C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe"="C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe:*:Enabled:QuickBooks 2006 Data Manager"
"C:\Program Files\IBackup for Windows\ibackup_ssl_sch_947.exe"="C:\Program Files\IBackup for Windows\ibackup_ssl_sch_947.exe:*:Enabled:ibackup_ssl_sch_947"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\Program Files\DNA\btdna.exe"="C:\Program Files\DNA\btdna.exe:*:Enabled:DNA"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Disabled:Internet Explorer"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Vembu\StoreGrid\bin\StoreGrid.exe"="C:\Program Files\Vembu\StoreGrid\bin\StoreGrid.exe:*:Disabled:StoreGrid"
"C:\Program Files\IBackup for Windows\ibackup_ssl_sch_947.exe"="C:\Program Files\IBackup for Windows\ibackup_ssl_sch_947.exe:*:Enabled:ibackup_ssl_sch_947"
"C:\Program Files\Grisoft\AVG7\avginet.exe"="C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe"
"C:\Program Files\Grisoft\AVG7\avgamsvr.exe"="C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\Program Files\Grisoft\AVG7\avgcc.exe"="C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe"
"D:\Temp\InstEng\Setup.exe"="D:\Temp\InstEng\Setup.exe:*:Enabled:Hewlett-Packard Installer"
"C:\Program Files\DNA\btdna.exe"="C:\Program Files\DNA\btdna.exe:*:Enabled:DNA"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"
"C:\WINDOWS\system32\bcmwltry.exe"="C:\WINDOWS\system32\bcmwltry.exe:*:Enabled:bcmwltry"
"C:\WINDOWS\system32\wbem\wmiprvse.exe"="C:\WINDOWS\system32\wbem\wmiprvse.exe:*:Enabled:wmiprvse"
"C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"="C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe:*:Enabled:pdfSaver3"
"C:\WINDOWS\system32\cmd.exe"="C:\WINDOWS\system32\cmd.exe:*:Enabled:cmd"

======File associations======

.scr - open - "C:\WINDOWS\notepad.exe" "%1"
.scr - install -
.scr - config -

======List of files/folders created in the last 1 months======

2009-01-28 08:46:16 ----D---- C:\_OTMoveIt
2009-01-28 08:35:34 ----A---- C:\WINDOWS\system32\javaws.exe
2009-01-28 08:35:34 ----A---- C:\WINDOWS\system32\javaw.exe
2009-01-28 08:35:34 ----A---- C:\WINDOWS\system32\java.exe
2009-01-28 08:35:34 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-01-28 07:13:08 ----SHD---- C:\Config.Msi
2009-01-28 07:10:47 ----A---- C:\WINDOWS\system32\MRT.exe
2009-01-27 07:59:20 ----D---- C:\Program Files\EsetOnlineScanner
2009-01-27 07:32:57 ----D---- C:\WINDOWS\ERDNT
2009-01-27 07:32:57 ----D---- C:\Qoobox
2009-01-26 14:15:38 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2009-01-26 14:15:31 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2009-01-26 14:15:25 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2009-01-26 14:15:19 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2009-01-26 14:15:12 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2009-01-26 14:15:05 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2009-01-26 14:14:13 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2009-01-26 14:14:06 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2009-01-26 14:13:58 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2009-01-26 14:13:40 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2009-01-26 14:13:28 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2009-01-26 14:13:24 ----HDC---- C:\WINDOWS\$NtUninstallKB941569$
2009-01-26 14:12:58 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2009-01-26 14:12:51 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2009-01-26 14:12:44 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-01-26 14:12:37 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2009-01-26 14:12:31 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2009-01-26 14:12:21 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2009-01-26 14:12:06 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2009-01-26 14:12:00 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2009-01-26 14:11:53 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2009-01-26 14:11:46 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2009-01-26 14:11:39 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2009-01-26 14:11:17 ----HDC---- C:\WINDOWS\$NtUninstallKB936782_WMP10$
2009-01-26 13:16:13 ----D---- C:\rsit
2009-01-26 10:34:14 ----D---- C:\WINDOWS\system32\CatRoot_bak
2009-01-26 10:29:49 ----D---- C:\Documents and Settings\ehughes\Application Data\Malwarebytes
2009-01-26 10:29:40 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-01-26 10:29:40 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-01-26 10:12:43 ----D---- C:\WINDOWS\ERUNT
2009-01-26 07:44:02 ----D---- C:\SDFix
2009-01-21 13:02:19 ----D---- C:\Program Files\Trend Micro
2009-01-21 09:12:38 ----RHD---- C:\$VAULT$.AVG
2009-01-08 09:16:11 ----D---- C:\Documents and Settings\ehughes\Application Data\MSNInstaller
2008-12-30 11:31:14 ----A---- C:\WINDOWS\cdplayer.ini
2008-12-30 11:29:40 ----D---- C:\Documents and Settings\ehughes\Application Data\Real

======List of files/folders modified in the last 1 months======

2009-01-28 12:56:40 ----D---- C:\WINDOWS\Prefetch
2009-01-28 11:38:35 ----A---- C:\WINDOWS\brwmark.ini
2009-01-28 11:38:35 ----A---- C:\WINDOWS\BRPP2KA.INI
2009-01-28 10:46:46 ----D---- C:\WINDOWS\security
2009-01-28 08:50:20 ----D---- C:\WINDOWS\Temp
2009-01-28 08:48:30 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-01-28 08:46:17 ----D---- C:\WINDOWS\system32
2009-01-28 08:46:17 ----D---- C:\WINDOWS
2009-01-28 08:42:23 ----D---- C:\WINDOWS\SxsCaPendDel
2009-01-28 08:35:18 ----SHD---- C:\WINDOWS\Installer
2009-01-28 08:35:16 ----D---- C:\Program Files\Java
2009-01-28 08:27:35 ----D---- C:\Program Files\Common Files
2009-01-28 07:19:16 ----D---- C:\WINDOWS\system32\CatRoot
2009-01-28 07:17:57 ----HD---- C:\WINDOWS\inf
2009-01-28 07:17:52 ----RSHD---- C:\WINDOWS\system32\dllcache
2009-01-28 07:17:15 ----D---- C:\WINDOWS\system32\CatRoot2
2009-01-28 07:14:18 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-01-28 07:13:54 ----D---- C:\Program Files\Common Files\Adobe
2009-01-28 07:13:54 ----D---- C:\Program Files\Adobe
2009-01-28 07:06:57 ----D---- C:\Documents and Settings\ehughes\Application Data\AVG7
2009-01-27 07:59:20 ----RD---- C:\Program Files
2009-01-27 07:59:16 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-01-27 07:04:48 ----D---- C:\WINDOWS\system32\Macromed
2009-01-26 14:15:38 ----D---- C:\WINDOWS\system32\drivers
2009-01-26 14:15:37 ----HD---- C:\WINDOWS\$hf_mig$
2009-01-26 14:15:35 ----A---- C:\WINDOWS\imsins.BAK
2009-01-26 14:15:26 ----D---- C:\Program Files\Messenger
2009-01-26 14:14:50 ----D---- C:\Program Files\Internet Explorer
2009-01-26 14:12:06 ----D---- C:\WINDOWS\WinSxS
2009-01-26 10:34:13 ----D---- C:\WINDOWS\Debug
2009-01-26 10:28:29 ----D---- C:\WINDOWS\Help
2009-01-26 10:19:32 ----SHD---- C:\WINDOWS\CSC
2009-01-26 10:12:53 ----A---- C:\WINDOWS\ntbtlog.txt
2009-01-26 10:06:29 ----A---- C:\WINDOWS\OEWABLog.txt
2009-01-26 07:13:22 ----D---- C:\Program Files\Outlook Express
2009-01-23 09:35:16 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-01-23 09:35:15 ----D---- C:\WINDOWS\system
2009-01-21 12:49:51 ----D---- C:\Documents and Settings\All Users\Application Data\pdf995
2009-01-21 09:23:29 ----SD---- C:\Documents and Settings\ehughes\Application Data\Microsoft
2009-01-21 08:52:20 ----D---- C:\Program Files\Microsoft ActiveSync
2009-01-21 08:51:32 ----D---- C:\Program Files\Common Files\Intuit
2009-01-21 08:51:17 ----RSD---- C:\WINDOWS\Fonts
2009-01-21 08:48:52 ----D---- C:\WINDOWS\system32\QuickTime
2009-01-21 08:48:52 ----D---- C:\Program Files\QuickTime
2009-01-21 08:48:26 ----D---- C:\Program Files\Common Files\Real
2009-01-15 09:07:35 ----D---- C:\Program Files\Carlson Software 2006
2009-01-08 09:19:46 ----D---- C:\Program Files\The_Pirate_Bay
2009-01-08 09:19:46 ----D---- C:\Program Files\Conduit
2009-01-08 09:16:13 ----D---- C:\Program Files\MSN
2009-01-08 09:13:49 ----D---- C:\Program Files\Roxio
2009-01-08 09:12:26 ----D---- C:\Program Files\Myers
2009-01-08 09:11:39 ----D---- C:\WINDOWS\ShellNew
2009-01-08 09:10:30 ----D---- C:\WINDOWS\occache
2009-01-08 09:10:08 ----D---- C:\Program Files\Google
2009-01-08 09:10:07 ----D---- C:\Documents and Settings\All Users\Application Data\Google
2009-01-08 09:06:41 ----D---- C:\Program Files\Dell
2009-01-08 09:04:41 ----HD---- C:\Program Files\InstallShield Installation Information
2008-12-30 10:46:25 ----D---- C:\Documents and Settings\All Users\Application Data\QuickTime

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgClean;AVG7 Clean Driver; C:\WINDOWS\System32\Drivers\avgclean.sys [2007-12-20 10760]
R1 AvgMfx86;AVG Minifilter x86 Resident Driver; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2007-12-20 26952]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.1.0.1; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2005-10-12 20747]
R2 irda;IrDA Protocol; C:\WINDOWS\system32\DRIVERS\irda.sys [2004-08-03 87424]
R2 Machnm32;Machnm32 Driver; \??\C:\WINDOWS\system32\Machnm32.sys []
R2 MDC8021X;AEGIS Protocol (IEEE 802.1x) v2.3.1.7; C:\WINDOWS\system32\DRIVERS\mdc8021x.sys [2007-08-27 15781]
R2 symlcbrd;symlcbrd; \??\C:\WINDOWS\system32\drivers\symlcbrd.sys []
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2005-08-04 1273344]
R3 BCM43XX;BCM 802.11b Network Adapter Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2004-03-22 338176]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2004-08-12 137728]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2005-11-16 1047816]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2005-10-25 27264]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-03 20480]
S3 BrScnUsb;Brother USB Still Image driver; C:\WINDOWS\System32\Drivers\BrScnUsb.sys [2003-12-19 15263]
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver; C:\WINDOWS\System32\Drivers\BrSerIf.sys [2004-06-12 51712]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver; C:\WINDOWS\System32\Drivers\BrUsbSer.sys [2004-01-10 11648]
S3 catchme;catchme; \??\C:\DOCUME~1\ehughes\LOCALS~1\Temp\catchme.sys []
S3 DELL_A02;Dell TrueMobile 1300 USB2.0 WLAN Card Driver; C:\WINDOWS\system32\DRIVERS\PRISMA02.sys [2005-11-11 353728]
S3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2005-08-25 176128]
S3 KS-959;Kingsun KS-959 USB Infrared Adapter; C:\WINDOWS\system32\DRIVERS\KS-959.sys [2005-09-04 19034]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys []
S3 wceusbsh;Windows CE USB Serial Host Driver; C:\WINDOWS\system32\DRIVERS\wceusbsh.sys [2006-11-06 28672]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2004-08-03 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2004-08-03 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2004-08-03 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2004-08-03 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2004-08-03 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2004-08-03 41088]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2004-08-03 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2005-08-04 380928]
R2 Avg7Alrt;AVG7 Alert Manager Server; C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe [2007-12-11 418816]
R2 Avg7UpdSvc;AVG7 Update Service; C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe [2007-12-10 49664]
R2 AvgCoreSvc;AVG7 Resident Shield Service; C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe [2007-12-10 192512]
R2 IAANTMon;Intel® Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe [2005-06-17 86140]
R2 Iomega App Services;Iomega App Services; C:\PROGRA~1\Iomega\System32\AppServices.exe [2002-09-04 73728]
R2 Irmon;Infrared Monitor; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-01-28 152984]
R2 PRISMSVC;PRISMSVC; C:\WINDOWS\system32\PRISMSVC.EXE [2005-12-22 61526]
R2 Symantec Core LC;Symantec Core LC; C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [2007-04-05 1174152]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R2 WLTRYSVC;WLTRYSVC; C:\WINDOWS\System32\WLTRYSVC.EXE [2004-03-22 45056]
S2 Brother XP spl Service;BrSplService; C:\WINDOWS\system32\brsvc01a.exe [2002-04-11 57344]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2004-08-04 267776]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 HP Port Resolver;HP Port Resolver; C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBPRO.EXE [2005-05-20 81920]
S3 HP Status Server;HP Status Server; C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPBOID.EXE [2004-10-16 73728]
S3 NetSvc;Intel NCS NetService; C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe [2004-11-19 147456]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S4 Iomega Activity Disk2;Iomega Activity Disk2; []

-----------------EOF-----------------



The computer seems to be working great, no warnings or other oddities happening. Thank you.

#11 mas_pogi

mas_pogi

    Carpal Tunnel of Love


  • Members
  • 1,473 posts
  • Gender:Male
  • Location:Tokyo, JP
  • Local time:06:15 PM

Posted 29 January 2009 - 07:01 AM

hi.

Not over yet. Some files are just hard to delete, though it is a little bit OK now. We will install the Recovery Console first.
We will run ComboFix. Your network antivirus would not be a problem, but you have to disable the local installation.
You can find it in the system tray at the right bottom part of your screen.



With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System



Download the file & save it as it's originally named.

---------------------------------------------------------------------
Transfer all files you just downloaded, to the desktop of the infected computer.
--------------------------------------------------------------------
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

  • At the next prompt, click 'No'.
After you have successfully installed the Recovery Console, please proceed with the instructions below.


    1. Close any open browsers.

    2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

    3. Open Notepad and copy/paste the text in the quotebox below into it:

    EXTRA::

    FILE::
    C:\DOCUME~1\ehughes\LOCALS~1\Temp\60325cahp25cas.exe
    C:\WINDOWS\system32\3076v.exe
    C:\WINDOWS\system32\adptifh.exe
    C:\WINDOWS\system32\fatalofi.dll
    C:\WINDOWS\system32\kirojowe.dll
    C:\WINDOWS\system32\vipanezo.dll
    C:\WINDOWS\system32\vasidifu.dll
    C:\WINDOWS\system32\kokemabo.dll
    c:\windows\system32\wojukoro.dll
    C:\WINDOWS\system32\risowupa.dll
    c:\windows\system32\tunayiri.dll

    REGISTRY::
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Authentication Packages"=hex(7):6D,73,76,31,5F,30,00,00



    Save this as CFScript.txt, in the same location as ComboFix.exe



    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

In your reply, please post

C:\combofix.txt
C:\QooBox\Add-Remove Programs.txt


Mark

Edited by mas_pogi, 29 January 2009 - 07:01 AM.
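The REGISTRY:: block in the CFScript above resets the LSA "Authentication Packages" value, a REG_MULTI_SZ whose DLLs LSASS loads at boot, to the Windows XP default of msv1_0 alone. The following is an added example, not code from the thread or from ComboFix: it decodes that hex(7) form and reports any package beyond the default, so a log can be checked for extra entries before and after a fix. The CFScript text is copied from the post; the tampered sample and its package name EXAMPLE_extra_pkg are constructed placeholders.

```python
"""Check the LSA "Authentication Packages" value from a REGEDIT4-style block.

Added example, not code from the thread or from ComboFix. LSASS loads every DLL
named in this REG_MULTI_SZ at boot, so an extra entry is a persistence location
worth a look; the CFScript in the post resets it to the Windows XP default.
"""

# Windows XP default: the one built-in package. Anything else gets reported.
DEFAULT_AUTH_PACKAGES = ["msv1_0"]
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
VALUE_NAME = "Authentication Packages"

# Copied from the REGISTRY:: section of the CFScript quoted in the post above.
CFSCRIPT_REGISTRY = r"""REGISTRY::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6D,73,76,31,5F,30,00,00
"""


def decode_hex7(hex_field):
    """Decode the comma-separated bytes of a hex(7) (REG_MULTI_SZ) value into
    its list of strings. REGEDIT4 and CFScript write one byte per character;
    'Version 5.00' .reg files write UTF-16LE, recognised here by the zero
    high byte of every character."""
    raw = bytes(int(b, 16) for b in hex_field.split(",") if b.strip())
    if len(raw) >= 4 and len(raw) % 2 == 0 and not any(raw[1::2]):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("latin-1")
    # Each string is NUL-terminated and a final NUL closes the list, which
    # leaves empty fragments after split(); drop them.
    return [s for s in text.split("\0") if s]


def encode_hex7(strings):
    """Inverse of decode_hex7 in the one-byte (REGEDIT4) form, e.g. to write
    a restoring script like the one in the post."""
    raw = b"".join(s.encode("latin-1") + b"\0" for s in strings) + b"\0"
    return ",".join(f"{b:02X}" for b in raw)


def parse_reg_block(text):
    """Parse [key] headers and "name"=value lines into {key: {name: raw value}}.
    Long hex values wrapped with a trailing backslash are joined back together."""
    result, key, cont = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if cont is not None:            # continuation line of a wrapped value
            k, n = cont
            result[k][n] += line.rstrip("\\")
            cont = cont if line.endswith("\\") else None
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result.setdefault(key, {})
        elif key is not None and line.startswith('"'):
            name, _, value = line.partition("=")
            name = name.strip('"')
            result[key][name] = value.rstrip("\\")
            if value.endswith("\\"):
                cont = (key, name)
    return result


def unexpected_auth_packages(reg_text):
    """Return the authentication packages in reg_text that are not in the XP
    default list; an empty list means the value already matches the default."""
    raw = parse_reg_block(reg_text).get(LSA_KEY, {}).get(VALUE_NAME)
    if raw is None or not raw.startswith("hex(7):"):
        raise ValueError(f"{VALUE_NAME} not found as hex(7) under {LSA_KEY}")
    packages = decode_hex7(raw[len("hex(7):"):])
    return [p for p in packages if p.lower() not in DEFAULT_AUTH_PACKAGES]


# Constructed sample, not from the thread: a second entry appended to the list,
# which is how a DLL registering itself as an authentication package looks.
# The package name is a placeholder.
TAMPERED_REGISTRY = (
    f"[{LSA_KEY}]\n"
    f'"{VALUE_NAME}"=hex(7):{encode_hex7(["msv1_0", "EXAMPLE_extra_pkg"])}\n'
)

if __name__ == "__main__":
    print("CFScript value:", unexpected_auth_packages(CFSCRIPT_REGISTRY) or "default only")
    print("Tampered sample:", unexpected_auth_packages(TAMPERED_REGISTRY))
```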


#12 sledneck8

sledneck8
  • Topic Starter

  • Members
  • 8 posts
  • Local time:05:15 PM

Posted 29 January 2009 - 08:33 AM

Sorry, I mistakenly hit Yes to continue scanning instead of No and entering the quote. The first log is from when I hit Yes, the second is from entering the quote. Also, I'm not sure what QooBox is.


ComboFix 09-01-21.04 - Ehughes 2009-01-29 8:02:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.374 [GMT -5:00]
Running from: c:\documents and settings\ehughes\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ehughes\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: AVG 7.5.552 *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\ahirafed.ini
c:\windows\system32\uwizoreg.ini

.
((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-29 )))))))))))))))))))))))))))))))
.

2009-01-28 08:46 . 2009-01-28 08:46 <DIR> d-------- C:\_OTMoveIt
2009-01-28 08:35 . 2009-01-28 08:35 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-28 08:35 . 2009-01-28 08:35 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-27 07:59 . 2009-01-27 09:17 <DIR> d-------- c:\program files\EsetOnlineScanner
2009-01-26 13:16 . 2009-01-28 12:58 <DIR> d-------- C:\rsit
2009-01-26 10:34 . 2009-01-26 11:23 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-01-26 10:33 . 2008-06-13 08:10 272,128 --------- c:\windows\system32\drivers\bthport.sys
2009-01-26 10:33 . 2008-06-13 08:10 272,128 --------- c:\windows\system32\dllcache\bthport.sys
2009-01-26 10:33 . 2008-10-16 15:38 63,488 --------- c:\windows\system32\dllcache\icardie.dll
2009-01-26 10:31 . 2008-05-01 09:30 331,776 --------- c:\windows\system32\dllcache\msadce.dll
2009-01-26 10:29 . 2009-01-26 10:29 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-26 10:29 . 2009-01-26 10:29 <DIR> d-------- c:\documents and settings\ehughes\Application Data\Malwarebytes
2009-01-26 10:29 . 2009-01-26 10:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-26 10:29 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-26 10:29 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-26 10:12 . 2009-01-26 10:12 <DIR> d-------- c:\windows\ERUNT
2009-01-26 07:44 . 2009-01-26 10:25 <DIR> d-------- C:\SDFix
2009-01-21 13:02 . 2009-01-21 13:02 <DIR> d-------- c:\program files\Trend Micro
2009-01-21 09:12 . 2009-01-26 11:11 <DIR> dr-h----- C:\$VAULT$.AVG
2009-01-08 09:16 . 2009-01-08 09:16 <DIR> d-------- c:\documents and settings\ehughes\Application Data\MSNInstaller
2009-01-08 08:23 . 2009-01-21 07:03 162 --ahs---- c:\windows\system32\3893667479.dat
2008-12-30 11:31 . 2008-12-30 11:31 25 --a------ c:\windows\cdplayer.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-29 12:24 --------- d-----w c:\documents and settings\ehughes\Application Data\AVG7
2009-01-28 20:40 --------- d-----w c:\program files\Carlson Software 2006
2009-01-28 13:35 --------- d-----w c:\program files\Java
2009-01-28 12:13 --------- d-----w c:\program files\Common Files\Adobe
2009-01-21 17:49 --------- d-----w c:\documents and settings\All Users\Application Data\pdf995
2009-01-21 13:52 --------- d-----w c:\program files\Microsoft ActiveSync
2009-01-21 13:51 --------- d-----w c:\program files\Common Files\Intuit
2009-01-21 13:48 --------- d-----w c:\program files\QuickTime
2009-01-21 13:48 --------- d-----w c:\program files\Common Files\Real
2009-01-20 16:06 --------- d-----w c:\documents and settings\Rmartin\Application Data\AVG7
2009-01-08 14:19 --------- d-----w c:\program files\The_Pirate_Bay
2009-01-08 14:19 --------- d-----w c:\program files\Conduit
2009-01-08 14:13 --------- d-----w c:\program files\Roxio
2009-01-08 14:12 --------- d-----w c:\program files\Myers
2009-01-08 14:10 --------- d-----w c:\program files\Google
2009-01-08 14:06 --------- d-----w c:\program files\Dell
2009-01-08 14:04 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-30 15:46 --------- d-----w c:\documents and settings\All Users\Application Data\QuickTime
2008-12-11 16:30 845 ----a-w C:\ehx1lwww1ht2.exe.exe
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-04-24 98304]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"Drag'n'Drop_Autolaunch"="c:\program files\Iomega HotBurn Pro\Autolaunch.exe" [2003-01-30 86016]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-20 590848]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2006-07-12 626688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-28 136600]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-12-11 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
Wireless USB 2.0 WLAN Card Utility.lnk - c:\program files\Dell Wireless\PRISMCFG.exe [2006-04-24 921704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
2007-12-10 14:34 9216 c:\windows\system32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMAPI.DLL]
2005-12-22 20:08 450646 c:\windows\system32\PRISMAPI.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R4 Machnm32;Machnm32 Driver;c:\windows\system32\Machnm32.sys [2008-09-03 2304]
R4 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [2006-04-24 61526]
S3 KS-959;Kingsun KS-959 USB Infrared Adapter;c:\windows\system32\drivers\ks-959.sys [2005-07-22 19034]

--- Other Services/Drivers In Memory ---

*Deregistered* - dnbudf
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-pdfSaver3 - (no file)
SharedTaskScheduler-IPC Configuration Utility - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
mStart Page = hxxp://www.dell.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-29 08:07:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\PRISMGNA.DLL
c:\windows\system32\avgwlntf.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\brss01a.exe
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\program files\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgrssvc.exe
c:\progra~1\Grisoft\AVG7\avgrssvc.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\progra~1\Iomega\System32\AppServices.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wltrysvc.exe
c:\windows\system32\bcmwltry.exe
c:\progra~1\Grisoft\AVG7\avgrssvc.exe
c:\windows\system32\PRISMSVR.exe
.
**************************************************************************
.
Completion time: 2009-01-29 8:09:54 - machine was rebooted [Ehughes]
ComboFix-quarantined-files.txt 2009-01-29 13:09:51

Pre-Run: 49,200,480,256 bytes free
Post-Run: 49,331,666,944 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

169 --- E O F --- 2009-01-28 12:17:58


-----------------------------------------------------------------------------------------------------------------------


ComboFix 09-01-21.04 - Ehughes 2009-01-29 8:22:37.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.379 [GMT -5:00]
Running from: c:\documents and settings\ehughes\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ehughes\Desktop\CFScript.txt
AV: AVG 7.5.552 *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\docume~1\ehughes\LOCALS~1\Temp\60325cahp25cas.exe
c:\windows\system32\3076v.exe
c:\windows\system32\adptifh.exe
c:\windows\system32\fatalofi.dll
c:\windows\system32\kirojowe.dll
c:\windows\system32\kokemabo.dll
c:\windows\system32\risowupa.dll
c:\windows\system32\tunayiri.dll
c:\windows\system32\vasidifu.dll
c:\windows\system32\vipanezo.dll
c:\windows\system32\wojukoro.dll
.

((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-29 )))))))))))))))))))))))))))))))
.

2009-01-28 08:46 . 2009-01-28 08:46 <DIR> d-------- C:\_OTMoveIt
2009-01-28 08:35 . 2009-01-28 08:35 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-28 08:35 . 2009-01-28 08:35 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-27 07:59 . 2009-01-27 09:17 <DIR> d-------- c:\program files\EsetOnlineScanner
2009-01-26 13:16 . 2009-01-28 12:58 <DIR> d-------- C:\rsit
2009-01-26 10:34 . 2009-01-26 11:23 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-01-26 10:33 . 2008-06-13 08:10 272,128 --------- c:\windows\system32\drivers\bthport.sys
2009-01-26 10:33 . 2008-06-13 08:10 272,128 --------- c:\windows\system32\dllcache\bthport.sys
2009-01-26 10:33 . 2008-10-16 15:38 63,488 --------- c:\windows\system32\dllcache\icardie.dll
2009-01-26 10:31 . 2008-05-01 09:30 331,776 --------- c:\windows\system32\dllcache\msadce.dll
2009-01-26 10:29 . 2009-01-26 10:29 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-26 10:29 . 2009-01-26 10:29 <DIR> d-------- c:\documents and settings\ehughes\Application Data\Malwarebytes
2009-01-26 10:29 . 2009-01-26 10:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-26 10:29 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-26 10:29 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-26 10:12 . 2009-01-26 10:12 <DIR> d-------- c:\windows\ERUNT
2009-01-26 07:44 . 2009-01-26 10:25 <DIR> d-------- C:\SDFix
2009-01-21 13:02 . 2009-01-21 13:02 <DIR> d-------- c:\program files\Trend Micro
2009-01-21 09:12 . 2009-01-26 11:11 <DIR> dr-h----- C:\$VAULT$.AVG
2009-01-08 09:16 . 2009-01-08 09:16 <DIR> d-------- c:\documents and settings\ehughes\Application Data\MSNInstaller
2009-01-08 08:23 . 2009-01-21 07:03 162 --ahs---- c:\windows\system32\3893667479.dat
2008-12-30 11:31 . 2008-12-30 11:31 25 --a------ c:\windows\cdplayer.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-29 12:24 --------- d-----w c:\documents and settings\ehughes\Application Data\AVG7
2009-01-28 20:40 --------- d-----w c:\program files\Carlson Software 2006
2009-01-28 13:35 --------- d-----w c:\program files\Java
2009-01-28 12:13 --------- d-----w c:\program files\Common Files\Adobe
2009-01-21 17:49 --------- d-----w c:\documents and settings\All Users\Application Data\pdf995
2009-01-21 13:52 --------- d-----w c:\program files\Microsoft ActiveSync
2009-01-21 13:51 --------- d-----w c:\program files\Common Files\Intuit
2009-01-21 13:48 --------- d-----w c:\program files\QuickTime
2009-01-21 13:48 --------- d-----w c:\program files\Common Files\Real
2009-01-20 16:06 --------- d-----w c:\documents and settings\Rmartin\Application Data\AVG7
2009-01-08 14:19 --------- d-----w c:\program files\The_Pirate_Bay
2009-01-08 14:19 --------- d-----w c:\program files\Conduit
2009-01-08 14:13 --------- d-----w c:\program files\Roxio
2009-01-08 14:12 --------- d-----w c:\program files\Myers
2009-01-08 14:10 --------- d-----w c:\program files\Google
2009-01-08 14:06 --------- d-----w c:\program files\Dell
2009-01-08 14:04 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-30 15:46 --------- d-----w c:\documents and settings\All Users\Application Data\QuickTime
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 16:30 845 ----a-w C:\ehx1lwww1ht2.exe.exe
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 11:57 333,184 ------w c:\windows\system32\dllcache\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-04-24 98304]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"Drag'n'Drop_Autolaunch"="c:\program files\Iomega HotBurn Pro\Autolaunch.exe" [2003-01-30 86016]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-20 590848]
"hpbdfawep"="c:\program files\HP\Dfawep\bin\hpbdfawep.exe" [2006-07-12 626688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-28 136600]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-12-11 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
Wireless USB 2.0 WLAN Card Utility.lnk - c:\program files\Dell Wireless\PRISMCFG.exe [2006-04-24 921704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
2007-12-10 14:34 9216 c:\windows\system32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PRISMAPI.DLL]
2005-12-22 20:08 450646 c:\windows\system32\PRISMAPI.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R4 Machnm32;Machnm32 Driver;c:\windows\system32\Machnm32.sys [2008-09-03 2304]
R4 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [2006-04-24 61526]
S3 KS-959;Kingsun KS-959 USB Infrared Adapter;c:\windows\system32\drivers\ks-959.sys [2005-07-22 19034]

--- Other Services/Drivers In Memory ---

*Deregistered* - dnbudf
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
mStart Page = hxxp://www.dell.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-29 08:24:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\PRISMGNA.DLL
c:\windows\system32\avgwlntf.dll
.
Completion time: 2009-01-29 8:25:54
ComboFix-quarantined-files.txt 2009-01-29 13:25:52
ComboFix2.txt 2009-01-29 13:16:24
ComboFix3.txt 2009-01-29 13:09:55

Pre-Run: 49,290,940,416 bytes free
Post-Run: 49,277,030,400 bytes free

146 --- E O F --- 2009-01-28 12:17:58

#13 mas_pogi

mas_pogi

    Carpal Tunnel of Love


  • Members
  • 1,473 posts
  • Gender:Male
  • Location:Tokyo, JP
  • Local time:06:15 PM

Posted 30 January 2009 - 11:49 AM

hi.

Let's check if there are still remnants before I give my final speech.

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Please post back the result.

Mark

#14 sledneck8

sledneck8
  • Topic Starter

  • Members
  • 8 posts
  • Local time:05:15 PM

Posted 02 February 2009 - 03:33 PM

Here is the scan log:


KASPERSKY ONLINE SCANNER 7 REPORT
Monday, February 2, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, February 02, 2009 12:50:33
Records in database: 1737508


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\
L:\

Scan statistics
Files scanned 126425
Threat name 13
Infected objects 44
Suspicious objects 1
Duration of the scan 02:01:52

File name Threat name Threats count
C:\Documents and Settings\ehughes\My Documents\hughes backup 082607.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1

C:\SDFix\backups\backups.zip Infected: Worm.Win32.Pinit.gen 2

C:\SDFix\backups\backups.zip Infected: Backdoor.Win32.Hupigon.fmtm 1

C:\SDFix\backups\backups.zip Infected: Backdoor.Win32.Hupigon.fmvv 1

C:\SDFix\backups\backups.zip Infected: Trojan-Clicker.Win32.Osewlone.as 1

C:\SDFix\backups\backups.zip Infected: Trojan-Downloader.Win32.Agent.bcnh 1

C:\SDFix\backups\backups.zip Infected: Backdoor.Win32.Agent.abcf 1

C:\SDFix\backups\catchme.zip Infected: Trojan-Spy.Win32.Zbot.lgm 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP858\A0049957.dll Infected: Trojan.Win32.Monder.aede 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP859\A0050123.dll Infected: Trojan.Win32.Monder.aede 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP869\A0053697.exe Infected: Trojan-Clicker.Win32.Osewlone.ap 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP869\A0053698.exe Infected: Trojan.Win32.Monderc.o 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP869\A0053699.exe Infected: Virus.Win32.AutoRun.aku 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP869\A0053700.exe Infected: Worm.Win32.Pinit.gen 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP869\A0053701.exe Infected: Backdoor.Win32.Agent.abcf 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP869\A0053702.exe Infected: Trojan-Clicker.Win32.Osewlone.as 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP869\A0053703.exe Infected: Trojan-Downloader.Win32.Agent.bcnh 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP869\A0053704.exe Infected: Backdoor.Win32.Hupigon.fmvv 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP869\A0053705.exe Infected: Backdoor.Win32.Hupigon.fmtm 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP869\A0053709.exe Infected: Worm.Win32.Pinit.gen 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP869\A0053711.exe Infected: Worm.Win32.Pinit.gen 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP869\A0053712.exe Infected: Worm.Win32.Pinit.gen 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP885\A0061850.exe Infected: Trojan.Win32.Monderc.o 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP885\A0061851.exe Infected: Trojan-Clicker.Win32.Osewlone.ap 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP885\A0061852.exe Infected: Virus.Win32.AutoRun.aku 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP887\A0064485.exe Infected: Worm.Win32.Pinit.gen 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP887\A0064488.exe Infected: Backdoor.Win32.Hupigon.fmtm 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP887\A0064489.exe Infected: Backdoor.Win32.Hupigon.fmvv 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP887\A0064491.exe Infected: Trojan-Clicker.Win32.Osewlone.as 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP887\A0064494.exe Infected: Trojan-Downloader.Win32.Agent.bcnh 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP887\A0064495.exe Infected: Backdoor.Win32.Agent.abcf 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP887\A0064496.exe Infected: Worm.Win32.Pinit.gen 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP887\A0064508.exe Infected: Worm.Win32.Pinit.gen 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP887\A0064510.exe Infected: Backdoor.Win32.Hupigon.fmtm 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP887\A0064511.exe Infected: Backdoor.Win32.Hupigon.fmvv 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP887\A0064513.exe Infected: Trojan-Clicker.Win32.Osewlone.as 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP887\A0064516.exe Infected: Trojan-Downloader.Win32.Agent.bcnh 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP887\A0064517.exe Infected: Backdoor.Win32.Agent.abcf 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP887\A0064518.exe Infected: Worm.Win32.Pinit.gen 1

C:\_OTMoveIt\MovedFiles\01282009_084616\Documents and Settings\Rmartin\Local Settings\Application Data\AcSignOptd.exe Infected: Worm.Win32.Pinit.gen 1

C:\_OTMoveIt\MovedFiles\01282009_084616\Documents and Settings\Rmartin\Local Settings\Temporary Internet Files\Content.IE5\9V8BV6VB\interno-porn[1].htm Infected: Trojan-Downloader.JS.Iframe.adv 1

C:\_OTMoveIt\MovedFiles\01282009_084616\WINDOWS\tmp6373394.log Infected: Virus.Win32.AutoRun.aku 1

C:\_OTMoveIt\MovedFiles\01282009_084616\WINDOWS\tmp7605500.log Infected: Trojan-Clicker.Win32.Osewlone.ap 1

C:\_OTMoveIt\MovedFiles\01282009_084616\WINDOWS\tmp8937726.log Infected: Trojan.Win32.Monderc.o 1

The scan was stopped by the user.

#15 mas_pogi

mas_pogi

    Carpal Tunnel of Love


  • Members
  • 1,473 posts
  • Gender:Male
  • Location:Tokyo, JP
  • Local time:06:15 PM

Posted 03 February 2009 - 05:59 AM

hi.

OK. Let's continue.
  • Backup Your Registry with ERUNT
    • Please use the following link and scroll down to ERUNT and download it.
      http://aumha.org/freeware/freeware.php
    • For version with the Installer:
      Use the setup program to install ERUNT on your computer
    • For the zipped version:
      Unzip all the files into a folder of your choice.
    Click Erunt.exe to back up your registry to the folder of your choice.

    Note: to restore your registry, go to the folder and start ERDNT.exe

  • Copy and paste the following text into Notepad:

    Windows Registry Editor Version 5.00
    
    [HKEY_CLASSES_ROOT\.scr]
    @="scrfile"
    
    [HKEY_CLASSES_ROOT\.scr\OpenWithList]
    
    [HKEY_CLASSES_ROOT\.scr\OpenWithList\devenv.exe]
    @=""
    
    [HKEY_CLASSES_ROOT\scrfile]
    @="Screen Saver"
    
    [HKEY_CLASSES_ROOT\scrfile\shell]
    
    [HKEY_CLASSES_ROOT\scrfile\shell\config]
    @="C&onfigure"
    
    [HKEY_CLASSES_ROOT\scrfile\shell\config\command]
    @="\"%1\""
    
    [HKEY_CLASSES_ROOT\scrfile\shell\install]
    @="&Install"
    
    [HKEY_CLASSES_ROOT\scrfile\shell\install\command]
    @="rundll32.exe desk.cpl,InstallScreenSaver %l"
    
    [HKEY_CLASSES_ROOT\scrfile\shell\open]
    @="T&est"
    
    [HKEY_CLASSES_ROOT\scrfile\shell\open\command]
    @="\"%1\" /S"
    
    [HKEY_CLASSES_ROOT\scrfile\shellex]
    
    [HKEY_CLASSES_ROOT\scrfile\shellex\DropHandler]
    @="{86C86720-42A0-1069-A2E8-08002B30309D}"

    Save this as "fixme.reg". Choose to save as "All Files" and place it on your Desktop.
    Double-click fixme.reg.

  • We Need to Clean Up Our Mess
    • Uninstall ComboFix
      Remove Combofix now that we're done with it.
      • Click on your Start Menu, then Run....
      • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
      • When shown the disclaimer, Select "2"
      Uninstalling ComboFix will do the following:
      • Delete ComboFix and its components from your computer.
      • Delete other tools commonly used during the malware removal process.
      • Resets clock settings to standard format.
      • Hides file extensions and hidden/system files.
      • Clears System Restore cache and creates new restore point.
    • Please also delete the RSIT.exe located on your desktop, and delete the C:\RSIT folder as well.
    • Please also delete the sdfix.exe located on your desktop, and delete the C:\SDFIX folder if it still exists.
    • Please also delete the Otmoveit3.exe located on your desktop, and delete the C:\_OTMoveIt folder if it still exists.
  • Please download ATF Cleaner by Atribune & save it to your desktop.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main "Select Files to Delete" choose: Select All.
    • Click the Empty Selected button.
    • If you use Firefox browser click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      If you would like to keep your saved passwords, please click No at the prompt.
    • If you use Opera browser click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      If you would like to keep your saved passwords, please click No at the prompt.
    • Click Exit on the Main menu to close the program.
    Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

  • Run ESET Online Scan

    Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.
    • Check (tick) this box: YES, I accept the Terms of Use.
    • Click on the Start button next to it.
    • When prompted to run ActiveX, click Yes.
    • You will be asked to install an ActiveX control. Click Install.
    • Once installed, the scanner will be initialized.
    • After the scanner is initialized, click Start.
    • Uncheck (untick) Remove found threats box.
    • Check (tick) Scan unwanted applications.
    • Click on Scan.
    • It will start scanning. Please be patient.
    • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.
In your reply, please post the result of the ESET scan.

Thanks.

Mark
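As an added example, not part of Mark's post and not code from ERUNT, ComboFix or any other tool named in it: the script below parses the text of a "Windows Registry Editor Version 5.00" file offline and compares the scrfile shell commands against the stock values used in the fix above, so you can check a fix file before importing it, or audit an export taken afterwards with `reg export HKCR\scrfile out.reg`. The function names, the `EXPECTED_SCRFILE` table and the second sample (with the made-up path C:\hijack.exe) are my own constructions.

```python
import re

REG_HEADER = "Windows Registry Editor Version 5.00"

# Stock Windows XP values for the screen-saver association, taken from the
# fix posted above.  The audit flags any key whose default value differs.
EXPECTED_SCRFILE = {
    r"HKEY_CLASSES_ROOT\.scr": "scrfile",
    r"HKEY_CLASSES_ROOT\scrfile\shell\config\command": '"%1"',
    r"HKEY_CLASSES_ROOT\scrfile\shell\install\command":
        "rundll32.exe desk.cpl,InstallScreenSaver %l",
    r"HKEY_CLASSES_ROOT\scrfile\shell\open\command": '"%1" /S',
}


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the values in a .reg file.

    Quoted REG_SZ data ("name"="data" or @="data") is decoded; other types
    (dword:, hex:) are kept as raw text, which is enough for this audit.
    Regedit exports are UTF-16; read them with encoding="utf-16" first.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != REG_HEADER:
        raise ValueError("not a Registry Editor 5.00 file")
    keys, current = {}, None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})          # key with no values still counts
            continue
        if current is None:
            raise ValueError("value outside any key: %r" % line)
        name, _, data = line.partition("=")
        name = "" if name == "@" else _unescape(name.strip('"'))
        m = re.fullmatch(r'"(.*)"', data)
        keys[current][name] = _unescape(m.group(1)) if m else data
    return keys


def audit_scrfile(reg):
    """List (key, expected, actual) for every default value that is not the
    stock one; actual is None when the key is absent.  Empty list = clean."""
    findings = []
    for key, expected in EXPECTED_SCRFILE.items():
        actual = reg.get(key, {}).get("")
        if actual != expected:
            findings.append((key, expected, actual))
    return findings


# The fix posted above (blank separator lines dropped).
FIXME_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.scr]
@="scrfile"
[HKEY_CLASSES_ROOT\.scr\OpenWithList]
[HKEY_CLASSES_ROOT\.scr\OpenWithList\devenv.exe]
@=""
[HKEY_CLASSES_ROOT\scrfile]
@="Screen Saver"
[HKEY_CLASSES_ROOT\scrfile\shell]
[HKEY_CLASSES_ROOT\scrfile\shell\config]
@="C&onfigure"
[HKEY_CLASSES_ROOT\scrfile\shell\config\command]
@="\"%1\""
[HKEY_CLASSES_ROOT\scrfile\shell\install]
@="&Install"
[HKEY_CLASSES_ROOT\scrfile\shell\install\command]
@="rundll32.exe desk.cpl,InstallScreenSaver %l"
[HKEY_CLASSES_ROOT\scrfile\shell\open]
@="T&est"
[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"
[HKEY_CLASSES_ROOT\scrfile\shellex]
[HKEY_CLASSES_ROOT\scrfile\shellex\DropHandler]
@="{86C86720-42A0-1069-A2E8-08002B30309D}"
'''

# Constructed sample of a hijacked association (C:\hijack.exe is made up):
# the "open" command launches another program and passes it the .scr.
HIJACKED_REG = FIXME_REG.replace(
    r'@="\"%1\" /S"',
    r'@="\"C:\\hijack.exe\" \"%1\" /S"',
)
```

Run `audit_scrfile(parse_reg(open(path, encoding="utf-16").read()))` on a fresh `reg export` of HKCR\scrfile after double-clicking fixme.reg; an empty list means the three shell commands and the .scr mapping are back to the stock values, while any tuple returned names the key, the expected command and what is actually there.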



