
Infected with "TROJ_EMBEDDED" trojan, which keeps spawning random .exe files


This topic is locked
15 replies to this topic

#1 Dissection


Posted 09 November 2009 - 09:13 AM

Hello guys and gals,

I run a computer laboratory, and we've had an issue with viruses being copied through USB flash drives. I had disabled the autorun feature and tried purging the virus/malware with MalwareBytes, but it proved no success.

This trojan (which is detected as "TROJ_EMBEDDED" or "WORM_AUTORUN" by our TrendMicro antivirus) creates random *.exe files in every shared folder on the computer, and another file named "khv" (no extension), which weighs 0 bytes. These exe files are being created every day, each time with a random name and icon. I have included a picture of my Anti-Virus log which shows them.


This is DDS.txt, and I'm including Attach.txt, ark.txt and the log of my TrendMicro antivirus:

DDS (Ver_09-10-26.01) - NTFSx86
Run by MarinaK at 15:55:10.87 on Mon 11/09/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.2047.1415 [GMT 2:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {3C769676-DE2F-41CA-A381-4D8C206397F9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\TEMP\MA3CD.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\nmindexstoresvr.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmproxy.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\MarinaK\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.tau.ac.il/
uInternet Settings,ProxyServer = 169.229.50.14:3127
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [DriverCure] c:\program files\paretologic\drivercure\DriverCure.exe -scan
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NWTRAY] NWTRAY.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [LaunchList] "c:\program files\pinnacle\studio 8\LaunchList.exe"
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
IE: &ייצוא אל Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: &יצא ל- Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://supportapj.dell.com/systemprofiler/SysPro.CAB
DPF: {055B4212-4C81-448E-AFA9-C3CA4AAE8F95} - hxxp://webgames.d.tmsrv.com/c=bfaa987acdc1e31058af43c203af8b59/aff=t_25oa_ukca_wg/p/release/playfirst/wg_dairydash/dairydash/DairyDashWeb.1.0.0.12.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {56393399-041A-4650-94C7-13DFCB1F4665} - hxxp://ca.com/us/securityadvisor/pestscan/pestscan.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188741747743
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182276047272
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://ca.com/us/securityadvisor/virusinfo/webscan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/popcaploader_v10.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: {b4870b70-f390-11d2-9fb9-f4ed725ea20d} - i:\public\NalExpEx.dll
LSA: Authentication Packages = msv1_0 nwv1_0

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\marinak\applic~1\mozilla\firefox\profiles\jvb6dio0.default\
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 SpPortEx;Samsung Port Exclusion;c:\windows\system32\drivers\SpPortEx.sys [2008-4-28 7168]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2007-6-12 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2007-6-12 36368]
R3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2007-4-27 652552]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-1-13 33752]
S3 JL2005C;Dual Mode Camera;c:\windows\system32\drivers\jl2005c.sys --> c:\windows\system32\drivers\jl2005c.sys [?]
S3 Video3D;ASUS Video3D Service;c:\windows\system32\drivers\video3d.sys --> c:\windows\system32\drivers\Video3D.sys [?]

=============== Created Last 30 ================

2009-10-29 17:16:03 0 d-----w- c:\docume~1\marinak\applic~1\Malwarebytes
2009-10-29 17:15:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-29 17:15:57 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-29 17:15:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-29 17:15:56 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-12 13:42:26 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-11 05:40:08 0 d-----w- c:\docume~1\marinak\applic~1\Office Genuine Advantage

==================== Find3M ====================

2009-09-19 19:24:44 25440 ----a-w- c:\windows\fonts\BN Traktor.TTF
2009-09-19 19:24:44 24152 ----a-w- c:\windows\fonts\BN Miri Black.ttf
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36:27 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36:24 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-17 21:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-06-30 08:18:43 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009063020090701\index.dat

============= FINISH: 15:55:35.76 ===============


I'm hopeless, any help would be greatly appreciated!

Attached Files


Edited by Dissection, 09 November 2009 - 09:15 AM.




#2 etavares


Posted 15 November 2009 - 06:38 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Also, please subscribe to this topic, so you are notified when someone replies. Please continue to check manually on occasion, as every now and then the email may be caught by your spam filter.
To enable topic notifications you should do the following:
  • Click on the My Controls link at the top of the page to enter your control panel.
  • Scroll down to the Options category in the left hand side menu bar and click on the Email Settings link.
  • Put a checkmark in the checkbox labeled Enable 'Email Notification' by default?.
  • Set the If ticked, choose default type: menu option to Immediate Email Notification to have an email sent immediately when someone replies.
Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.



#3 Dissection


Posted 16 November 2009 - 09:03 AM

Hello there, thanks for the reply!
Yes, I still suffer from the same virus - I have these .exe files randomly generated with random names. They are only generated in shared folders - I tested it by creating a folder named "Test" and sharing it, the next day it contained a random lettered .exe file, and a file named "khv" with no extension. My TrendMicro AV deletes those exe files automatically.

The only thing I've done since posting this, was run an online ESET scan, but it didn't fix it. It did find a virus though, something inside Java folder (I foolishly forgot to save the log file).

In any case, here's the updated DDS, as well as Attach.zip...



DDS (Ver_09-10-26.01) - NTFSx86
Run by MarinaK at 15:53:14.79 on Mon 11/16/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.2047.1340 [GMT 2:00]

AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {3C769676-DE2F-41CA-A381-4D8C206397F9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\TEMP\ER39FB.EXE
C:\Program Files\Trend Micro\OfficeScan Client\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\googletoolbarnotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\nmindexstoresvr.exe
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\MarinaK\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.tau.ac.il/
uInternet Settings,ProxyServer = 169.229.50.14:3127
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [DriverCure] c:\program files\paretologic\drivercure\DriverCure.exe -scan
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NWTRAY] NWTRAY.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [LaunchList] "c:\program files\pinnacle\studio 8\LaunchList.exe"
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
IE: &ייצוא אל Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: &יצא ל- Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://supportapj.dell.com/systemprofiler/SysPro.CAB
DPF: {055B4212-4C81-448E-AFA9-C3CA4AAE8F95} - hxxp://webgames.d.tmsrv.com/c=bfaa987acdc1e31058af43c203af8b59/aff=t_25oa_ukca_wg/p/release/playfirst/wg_dairydash/dairydash/DairyDashWeb.1.0.0.12.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {56393399-041A-4650-94C7-13DFCB1F4665} - hxxp://ca.com/us/securityadvisor/pestscan/pestscan.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188741747743
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182276047272
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://ca.com/us/securityadvisor/virusinfo/webscan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/popcaploader_v10.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: {b4870b70-f390-11d2-9fb9-f4ed725ea20d} - i:\public\NalExpEx.dll
LSA: Authentication Packages = msv1_0 nwv1_0

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\marinak\applic~1\mozilla\firefox\profiles\jvb6dio0.default\
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 SpPortEx;Samsung Port Exclusion;c:\windows\system32\drivers\SpPortEx.sys [2008-4-28 7168]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\tmxpflt.sys [2007-6-12 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2007-6-12 36368]
R3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2007-4-27 652552]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-1-13 33752]
S3 JL2005C;Dual Mode Camera;c:\windows\system32\drivers\jl2005c.sys --> c:\windows\system32\drivers\jl2005c.sys [?]
S3 Video3D;ASUS Video3D Service;c:\windows\system32\drivers\video3d.sys --> c:\windows\system32\drivers\Video3D.sys [?]

=============== Created Last 30 ================

2009-11-11 15:58:28 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-11-11 14:03:02 0 d-----w- c:\program files\ESET
2009-10-29 17:16:03 0 d-----w- c:\docume~1\marinak\applic~1\Malwarebytes
2009-10-29 17:15:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-29 17:15:57 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-29 17:15:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-29 17:15:56 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2009-11-11 15:58:14 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-02 18:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-09-19 19:24:44 25440 ----a-w- c:\windows\fonts\BN Traktor.TTF
2009-09-19 19:24:44 24152 ----a-w- c:\windows\fonts\BN Miri Black.ttf
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36:27 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36:24 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-06-30 08:18:43 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009063020090701\index.dat

============= FINISH: 15:53:45.26 ===============

Attached Files
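The drop pattern Dissection describes (a 0-byte "khv" file next to a freshly created, randomly named .exe, only in shared folders) can be checked for with a small script. This is an added example, not code from the thread or from any tool named in it; the share paths, file names, the fixed "now" and the 4-8 character random-name heuristic are assumptions made for the example.

```python
"""Flag the drop pattern described in this thread: in a shared folder, a 0-byte
file named "khv" next to a freshly created .exe with a short random-looking name.
Added example, not code from the thread or from any tool named in it. The share
paths, file names and timestamps in SAMPLE_RECORDS are constructed test data."""
import os
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Tuple

MARKER_NAME = "khv"            # 0-byte companion file the poster observed
# Random-looking stem of 4-8 letters/digits, like the MA3CD.EXE / ER39FB.EXE
# entries in the DDS logs. Heuristic chosen for this example, not a vendor rule.
RANDOM_EXE = re.compile(r"^[a-z0-9]{4,8}\.exe$", re.IGNORECASE)
RECENT_SECONDS = 48 * 3600     # the poster saw new drops daily; look back two days


@dataclass(frozen=True)
class FileRecord:
    folder: str   # directory the file lives in
    name: str     # file name only
    size: int     # bytes
    mtime: float  # seconds since the epoch


@dataclass(frozen=True)
class Finding:
    folder: str
    marker: str                   # path of the 0-byte "khv" file
    executables: Tuple[str, ...]  # recent random-looking .exe names in that folder


def scan_tree(root: str) -> List[FileRecord]:
    """Collect FileRecords under a share's local path (for real use; the
    constructed sample below does not touch the filesystem)."""
    records: List[FileRecord] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            try:
                st = os.stat(os.path.join(dirpath, name))
            except OSError:
                continue  # file vanished or is locked; skip rather than abort
            records.append(FileRecord(dirpath, name, st.st_size, st.st_mtime))
    return records


def find_dropper_artifacts(records: Iterable[FileRecord], now: float) -> List[Finding]:
    """Group records by folder; report every folder holding a 0-byte "khv" and
    list the recent random-named .exe files beside it (possibly none, if the
    on-access scanner already deleted them, as the poster's AV did)."""
    by_folder = defaultdict(list)
    for rec in records:
        by_folder[rec.folder].append(rec)

    findings: List[Finding] = []
    for folder in sorted(by_folder):
        items = by_folder[folder]
        markers = [r for r in items if r.name.lower() == MARKER_NAME and r.size == 0]
        if not markers:
            continue
        exes = tuple(sorted(
            r.name for r in items
            if RANDOM_EXE.match(r.name) and now - r.mtime <= RECENT_SECONDS
        ))
        findings.append(Finding(folder, os.path.join(folder, markers[0].name), exes))
    return findings


# Constructed sample: a fixed "now" (2009-11-15 00:00 UTC) and four share folders.
NOW = 1258243200.0
SAMPLE_RECORDS = [
    # the poster's "Test" share: marker plus a fresh random-named .exe
    FileRecord("D:/Shares/Test", "khv", 0, NOW - 3600),
    FileRecord("D:/Shares/Test", "xqzp.exe", 61440, NOW - 3600),
    # marker present but the only .exe is a month old: report the marker alone
    FileRecord("D:/Shares/Public", "khv", 0, NOW - 7200),
    FileRecord("D:/Shares/Public", "setup.exe", 2_000_000, NOW - 30 * 86400),
    # a non-empty file that happens to be named khv is not the marker
    FileRecord("D:/Shares/Misc", "khv", 12, NOW - 60),
    # ordinary documents: nothing to report
    FileRecord("D:/Shares/Docs", "report.docx", 48_000, NOW - 600),
]

if __name__ == "__main__":
    for f in find_dropper_artifacts(SAMPLE_RECORDS, NOW):
        print(f"{f.folder}: marker {f.marker}, recent executables: "
              f"{list(f.executables) or 'none'}")
    # real use: find_dropper_artifacts(scan_tree(r"D:\Shares"), time.time())
```

Running the script against the constructed sample reports the Public and Test folders and stays silent on Misc and Docs; pointing scan_tree at each share's local path turns it into a daily check that the drops have stopped after cleanup.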



#4 sundavis


Posted 19 November 2009 - 03:10 AM

Hi Dissection,



Welcome to BleepingComputer HijackThis Logs and Malware Removal, :(
My name is sundavis, I will be helping you to deal with your Malware problems today.


Step1
  • Please download Flash_Disinfector and save it to your desktop.
  • Double click to run it.
  • You will be prompted to plug in your flash drive. Remember to plug in the flash drive to disinfect as well.
  • Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
  • When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
  • Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.

Step2

Please download RKill by Grinler and save it to your desktop.

  • Disable your anti-malware software before proceeding.
  • Double click on Rkill to run it.
  • A Dos window will appear and close. That is normal.
  • If the tool does not run, tell me about it in your next reply.
Step3

If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Note: ComboFix has recently been updated to include the option for installing the Recovery Console automatically. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

1. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

2. Click Yes to allow Combofix to continue scanning for malware.

When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.



Step4
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt.

In your next reply, please post back:


1. ComboFix log
2. RSIT log.txt and info.txt

Thanks

#5 Dissection


Posted 23 November 2009 - 08:51 AM

Hello there, thanks for your support. I'm sorry for my late reply. I didn't have access to that computer during the weekend.

I'm uploading the 3 log files you've requested.

Attached Files


Edited by Dissection, 23 November 2009 - 08:52 AM.


#6 sundavis


Posted 23 November 2009 - 10:25 AM

Hi Dissection,



It seemed that ComboFix had been run from the D partition. Were there any problems running it from the primary partition C?


Step1

I notice you have MBAM installed in your system. Please rerun it as instructed in the following. Update your virus definitions before proceeding. If you can't update the program, you can download the virus definitions from Here and install them manually.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM, or you can find it here:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • You can refer to this tutorial
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Step2


Let's clean some temp files. Please do the following:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.


If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Step3


Please perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner.
  • Please go to Kaspersky Online Scanner and perform an online antivirus scan.
  • Click Accept button on the "Requirements and limitations".
  • When the Java warning "The application digital signature has been verified. Do you want to run the application" appears, click on the "Run" button.
  • It will download and install the program and update the database.
  • When updating the database has finished, click on Settings.
  • Make sure all boxes are checked, then click on the Save button.
  • Click on My Computer under Scan menu. It will start scanning, so be patient and let it run.
  • Once the scan is completed, Click on View Scan Report.
  • You may see a list of infected items over there. Click on Save Report As.
  • Click "Desktop", name the file "KAS", change the Files of type to Text file (.txt) and click on the Save button.
  • Please post the contents in your next reply.
  • You can refer to this animation
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.



Please post back the logs in your next reply.


1. MBAM log
2. Kas Online Scan Report
3. Fresh HijackThis log

Tell me how your pc is running now.

#7 Dissection

  • Topic Starter

Posted 25 November 2009 - 08:35 AM

Hi there, I didn't know I needed to run ComboFix from the primary partition (C).

Anyway, I did what you've asked.
1) MBAM didn't find anything.
2) After deleting files with ATF Cleaner, Kaspersky didn't find anything as well.

In the last 2 days, this computer didn't create any exe files like it used to, maybe the problem has been solved?

Edit: I was wrong, a new trojan exe file has just been created on this computer... (pic included)

I'm including MBAM and HijackThis log.

Thanks again for all your help :(



Edited by Dissection, 25 November 2009 - 09:37 AM.


#8 sundavis

  • Malware Response Team

Posted 25 November 2009 - 11:44 AM

Hi Dissection,



You need to uninstall AutoCAD2010. It seemed to be infected. You can reinstall it after you are clean. Also delete the folder D:\AutoCAD2010.

Please go to this thread . Scroll down and locate Tweak UI in the right pane. Unzip and install it.

Start Tweak UI, expand My Computer in the left pane, click on AutoPlay and select Drives, uncheck all the drives you have and press the Apply and OK buttons.

After that, please plug in your pen drive, USB stick or any other removable storage devices you have and disinfect them with Flash_Disinfector one more time -----> Don't skip this step.

Now, delete the current copy of ComboFix and download it again. Remember to save it on your desktop on partition C and run it as instructed in my previous post. We need to see the OTL report. Please do the following:



Step1
  • Please download OTL and save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox. Underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check. Then click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Copy and paste both logs back here in your next reply.

In your next reply, please post back:

1. ComboFix log
2. OTListIt.txt and Extra.txt

Thanks.

#9 Dissection

  • Topic Starter

Posted 25 November 2009 - 12:39 PM

Hi there,

This computer does not have any AutoCAD installed (but it used to), although the other computers on its network do have it (we have purchased a legitimate license, and a technician from Autodesk came to install it... I don't think it's infected).

Edit: The Folder D:\AutoCAD2010 was a shared folder (just like the folder D:\Test), that's why the exe files have spawned there as well.... They spawn only in shared folders.

Also, TweakUI shows that already all drives have autorun disabled.

I'm including the new log files you have requested.



Edited by Dissection, 25 November 2009 - 01:24 PM.


#10 sundavis

  • Malware Response Team

Posted 25 November 2009 - 01:42 PM

Hi Dissection,



although the other computers on its network do have it

Is this pc a working computer? In general, we do not help in cleaning business or corporate computers. There may be restrictions and modifications installed on such machines that could be damaged or altered by the actions we take to remove Malware. There may also be legal issues regarding any loss of business data that we do not wish to deal with. If you ask for help and, unknown to us, it involves a business computer, you need to understand that any damages resulting from our advice are YOUR RESPONSIBILITY. I also notice you have not installed Recovery Console as instructed in my previous post. Just because it's a working computer, right? :( If that's not the case, let's proceed with the following:

Did you delete the following folder? It seemed this folder was an infected source. You may review all the attached pictures. The remaining Autorun worms were in the system restore volume. We can deal with that later.

D:\AutoCAD2010

Step1

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok when asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore it and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)


Step2

Please go to Here and Download System Repair Engine by smallfrogs

  • Extract it to Desktop & double click SREng.exe to run it
  • Click System Repair in the left pane.
  • Click on the Hosts File tab
  • Press the Reset button, and click Yes to the prompt window.
  • Click the Save button in the right bottom corner. Exit the program and restart it.
  • Select 'Smart Scan' & tick "Verify the digital signatures of process modules"
  • Click on the Scan button. When finished, click on the Save Reports button & save the log to Desktop
  • You can refer to this thread for your reference.

In your next reply, please post back:


1. DrWeb.csv log
2. SREng log

Tell me how your pc is running now.

#11 Dissection

  • Topic Starter

Posted 30 November 2009 - 08:49 AM

Hello there,

If you ask for help and, unknown to us, it involves a business computer, you need to understand that any damages resulting from our advice are YOUR RESPONSIBILITY.


Of course I realize that :(

I also notice you have not installed Recovery Console as instructed in my previous post. just because it's a working computer, right?


Yeah, but if it comes down to running a Windows Repair, I prefer a good old format.

Did you delete the following folder? It seemed this folder was an infected source. You may review all the attached pictures. The remaining Autorun worms were in system restore volume. we can deal with that later.

D:\AutoCAD2010


Please read my edited comment on my previous post. That specific folder (D:\AutoCAD2010) was shared and that virus seems to create EXE files in shared folders. After that I created a new folder named "Test", shared it, and the EXE files were created there as well.

In any case, I did what you've asked.
Dr.Web didn't find a virus on its quick scan, but when I ran the full scan it found something in Program Files\AMT (log included).

Thanks a lot for all your support, I'm sorry I'm not able to reply during weekends.



Both logs are attached in the next message...


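One way to confirm what Dissection describes above (EXE files appearing only in shared folders, with an autorun worm suspected) without waiting for the next antivirus alert is to record a baseline of each share and diff it later; this is an added example written for this thread, not code from any poster or from the tools named here. The share path, the baseline file and every sample file name are constructed assumptions.

```python
"""Baseline-and-diff check for the pattern reported in this thread: new .exe
files (and, for an autorun worm, autorun.inf) turning up inside shared folders.
Added example for this thread; not code from any poster or from the tools named
here. The share paths are assumptions (the thread names D:\\AutoCAD2010 and
D:\\Test); run once to record a baseline, then again to list what appeared."""
import json
import os
import shutil
import tempfile


def snapshot(folder):
    """Map each file under `folder` (relative path) to its (size, mtime)."""
    snap = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.stat(path)
            except OSError:  # file vanished or is locked; skip it
                continue
            snap[os.path.relpath(path, folder)] = (st.st_size, int(st.st_mtime))
    return snap


def suspicious_new_files(before, after):
    """Return (relative_path, reason) for files present in `after` but not in
    `before` that match the symptom: a new executable or a new autorun.inf."""
    findings = []
    for rel in sorted(set(after) - set(before)):
        base = os.path.basename(rel).lower()
        if base.endswith(".exe"):
            findings.append((rel, "new executable"))
        elif base == "autorun.inf":
            findings.append((rel, "new autorun.inf"))
    return findings


def check_share(folder, baseline_path):
    """First run: write the baseline and report nothing. Later runs: compare the
    current state of the share against the stored baseline and return findings."""
    current = snapshot(folder)
    if not os.path.exists(baseline_path):
        with open(baseline_path, "w") as fh:
            json.dump(current, fh)
        return []
    with open(baseline_path) as fh:
        before = {k: tuple(v) for k, v in json.load(fh).items()}
    return suspicious_new_files(before, current)


def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed share: a benign baseline, then the kind of drop the thread
    describes (a random-named .exe) plus an autorun.inf. Returns both runs."""
    work = tempfile.mkdtemp(prefix="share_check_")
    try:
        share = os.path.join(work, "Test")  # stands in for the D:\Test share
        os.mkdir(share)
        baseline = os.path.join(work, "baseline.json")
        _write(os.path.join(share, "drawing.dwg"), b"constructed drawing data")
        _write(os.path.join(share, "setup.exe"), b"MZ constructed, present before")
        first = check_share(share, baseline)  # records the baseline -> []
        _write(os.path.join(share, "notes.txt"), b"harmless new document")
        _write(os.path.join(share, "x7kq2.exe"), b"MZ constructed sample")
        _write(os.path.join(share, "autorun.inf"), b"[autorun]\r\n")
        return first, check_share(share, baseline)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    first_run, second_run = demo()
    print("first run (baseline recorded):", first_run)
    for rel, reason in second_run:
        print(f"{reason}: {rel}")
```

An executable that was already in the share when the baseline was taken is not reported, so take the baseline right after a clean scan.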


#12 Dissection

  • Topic Starter

Posted 30 November 2009 - 08:51 AM

Here are the logs.. (The log file was too large to upload)

SREngLOG.log

2009-11-30,15:38:42

System Repair Engineer 2.8.1.1279
Smallfrogs (http://www.KZTechs.com)

Windows XP Professional Service Pack 3 (Build 2600) - Administrative User - Completed Functions Allowed

Follow item(s) have been selected:
	All Boot Items (Including Registry, Startup Folders, Services and so on)
	Browser Add-ons
	Running Processes (Including process model information)
	File Associations
	Winsock Provider
	Autorun.Inf
	HOSTS File
	Process Privileges Scan
	Scheduled Tasks
	Windows Security Update Check
	API HOOK
	Hidden Process


Boot Items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
	<swg><"C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe">  [(Verified)Google Inc]
	<MSMSGS><"C:\Program Files\Messenger\msmsgs.exe" /background>  [(Verified)Microsoft Windows Component Publisher]
	<BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}><"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe">  [(Verified)Nero AG]
	<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
	<RTHDCPL><RTHDCPL.EXE>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
	<NWTRAY><NWTRAY.EXE>  [Novell, Inc.]
	<NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
	<nwiz><nwiz.exe /install>  [NVIDIA Corporation]
	<NvMediaCenter><RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]
	<Windows Defender><"C:\Program Files\Windows Defender\MSASCui.exe" -hide>  [(Verified)Microsoft Corporation]
	<QuickTime Task><"C:\Program Files\QuickTime\qttask.exe" -atboottime>  [Apple Computer, Inc.]
	<OfficeScanNT Monitor><"C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow>  [(Verified)"Trend Micro, Inc."]
	<NeroFilterCheck><C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe>  [(Verified)Nero AG]
	<Adobe Reader Speed Launcher><"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe">  [(Verified)"Adobe Systems, Incorporated"]
	<Malwarebytes Anti-Malware (reboot)><"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript>  [(Verified)Malwarebytes Corporation]
	<SunJavaUpdateSched><"C:\Program Files\Java\jre6\bin\jusched.exe">  [(Verified)"Sun Microsystems, Inc."]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
	<shell><Explorer.exe>  [(Verified)Microsoft Windows Component Publisher]
	<Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Windows Component Publisher]
	<GinaDLL><NWGINA.DLL>  [Novell, Inc.]
	<UIHost><logonui.exe>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
	<{AEB6717E-7E19-11d0-97EE-00C04FD91972}><shell32.dll>  [(Verified)Microsoft Windows Component Publisher]
	<{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}><C:\PROGRA~1\WINDOW~4\MpShHook.dll>  [(Verified)Microsoft Corporation]
	<{B4870B70-F390-11d2-9FB9-F4ED725EA20D}><I:\PUBLIC\NalExpEx.dll>  [Novell, Inc]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
	<PostBootReminder><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Component Publisher]
	<CDBurn><%SystemRoot%\system32\SHELL32.dll>  [(Verified)Microsoft Windows Component Publisher]
	<WebCheck><%Systemroot%\system32\webcheck.dll>  [(Verified)Microsoft Windows Component Publisher]
	<SysTray><%systemroot%\system32\stobject.dll>  [(Verified)Microsoft Windows Component Publisher]
	<WPDShServiceObj><C:\WINDOWS\system32\WPDShServiceObj.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
	<WinlogonNotify: crypt32chain><crypt32.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
	<WinlogonNotify: cryptnet><cryptnet.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
	<WinlogonNotify: cscdll><cscdll.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
	<WinlogonNotify: dimsntfy><%SystemRoot%\System32\dimsntfy.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
	<WinlogonNotify: ScCertProp><wlnotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
	<WinlogonNotify: Schedule><wlnotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
	<WinlogonNotify: sclgntfy><sclgntfy.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
	<WinlogonNotify: SensLogn><WlNotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
	<WinlogonNotify: termsrv><wlnotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
	<WinlogonNotify: WgaLogon><WgaLogon.dll>  [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
	<WinlogonNotify: wlballoon><wlnotify.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
	<{438755C2-A8BA-11D1-B96B-00A0C90312E1}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows Component Publisher]
	<{8C7461EF-2B13-11d2-BE35-3078302C2030}><%SystemRoot%\system32\browseui.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}]
	<IE7 Uninstall Stub><C:\WINDOWS\system32\ieudinit.exe>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
	<Microsoft Windows Media Player><C:\WINDOWS\inf\unregmp2.exe /ShowWMP>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
	<Internet Explorer><%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
	<Browser Customizations><RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
	<Browser Customizations><RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
	<Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
	<Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
	<Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
	<NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
	<Windows Messenger 4.7><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser>  [(Verified)Microsoft Windows Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
	<Microsoft Windows Media Player><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
	<Address Book 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install>  [File is missing]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
	<Windows Desktop Update><regsvr32.exe /s /n /i:U shell32.dll>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
	<Internet Explorer><C:\WINDOWS\system32\ie4uinit.exe -BaseSettings>  [(Verified)Microsoft Windows Component Publisher]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
	<N/A><C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install>  [(Verified)Microsoft Corporation]

==================================
Startup Folders
[Adobe Gamma Loader]
  <C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk --> C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [Adobe Systems, Inc.]><N>

==================================
Services
[ATK Keyboard Service / ATKKeyboardService][Running/Auto Start]
  <C:\WINDOWS\ATKKBService.exe><ASUSTeK COMPUTER INC.>
[Client Update Service for Novell / cusrvc][Stopped/Manual Start]
  <C:\WINDOWS\system32\cusrvc.exe><Novell, Inc.>
[getPlus(R) Helper / getPlus(R) Helper][Stopped/Manual Start]
  <C:\Program Files\NOS\bin\getPlus_HelperSvc.exe><NOS Microsystems Ltd.>
[Google Software Updater / gusvc][Stopped/Manual Start]
  <"C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"><Google>
[InstallDriver Table Manager / IDriverT][Stopped/Manual Start]
  <"C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe"><Macrovision Corporation>
[Java Quick Starter / JavaQuickStarterService][Running/Auto Start]
  <"C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"><Sun Microsystems, Inc.>
[LightScribeService Direct Disc Labeling Service / LightScribeService][Running/Auto Start]
  <"C:\Program Files\Common Files\LightScribe\LSSrvc.exe"><Hewlett-Packard Company>
[NBService / NBService][Stopped/Manual Start]
  <C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe><Nero AG>
[NMIndexingService / NMIndexingService][Running/Manual Start]
  <"C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe"><Nero AG>
[OfficeScanNT RealTime Scan / ntrtscan][Running/Auto Start]
  <"C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe"><Trend Micro Inc.>
[NVIDIA Display Driver Service / NVSvc][Running/Auto Start]
  <C:\WINDOWS\system32\nvsvc32.exe><NVIDIA Corporation>
[PLFlash DeviceIoControl Service / PLFlash DeviceIoControl Service][Running/Auto Start]
  <C:\WINDOWS\system32\IoctlSvc.exe><Prolific Technology Inc.>
[PnkBstrA / PnkBstrA][Running/Auto Start]
  <C:\WINDOWS\system32\PnkBstrA.exe><N/A>
[OfficeScan NT Listener / tmlisten][Running/Auto Start]
  <"C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe"><Trend Micro Inc.>
[OfficeScan NT Proxy Service / TmProxy][Running/Manual Start]
  <"C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe"><Trend Micro Inc.>
[Ulead Burning Helper / UleadBurningHelper][Running/Auto Start]
  <C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe><Ulead Systems, Inc.>
[Windows Live Setup Service / WLSetupSvc][Stopped/Manual Start]
  <"C:\Program Files\Windows Live\installer\WLSetupSvc.exe"><Microsoft Corporation>

==================================
Drivers
[Enhanced Display Driver Helper Service / asuskbnt][Running/System Start]
  <system32\drivers\atkkbnt.sys><ASUSTeK COMPUTER INC.>
[catchme / catchme][Stopped/Manual Start]
  <\??\C:\DOCUME~1\MarinaK\LOCALS~1\Temp\catchme.sys><N/A>
[Intel(R) PRO/1000 PCI Express Network Connection Driver / e1express][Running/Manual Start]
  <system32\DRIVERS\e1e5132.sys><Intel Corporation>
[EIO / EIO][Running/Auto Start]
  <\??\C:\WINDOWS\system32\drivers\EIO.sys><ASUSTeK Computer Inc.>
[Microsoft UAA Bus Driver for High Definition Audio / HDAudBus][Running/Manual Start]
  <system32\DRIVERS\HDAudBus.sys><Windows (R) Server 2003 DDK provider>
[Service for Realtek HD Audio (WDM) / IntcAzAudAddService][Running/Manual Start]
  <system32\drivers\RtkHDAud.sys><Realtek Semiconductor Corp.>
[Dual Mode Camera / JL2005C][Stopped/Manual Start]
  <System32\Drivers\jl2005c.sys><N/A>
[ATK0110 ACPI UTILITY / MTsensor][Running/Manual Start]
  <system32\DRIVERS\ASACPI.sys><>
[Novell Client for Windows / NetwareWorkstation][Running/Auto Start]
  <system32\NetWare\nwfs.sys><Novell, Inc.>
[Novell InterService Communication Driver / NICM][Running/Boot Start]
  <\SystemRoot\system32\drivers\nicm.sys><Novell, Inc.>
[nv / nv][Running/Manual Start]
  <system32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
[Novell DHCP Inform Client / NWDHCP][Running/Auto Start]
  <system32\NetWare\nwdhcp.sys><Novell, Inc.>
[Novell DNS Name Space Service Provider / NWDNS][Running/Manual Start]
  <system32\NetWare\nwdns.sys><Novell, Inc.>
[Novell UNC Path Filter / NWFILTER][Running/Boot Start]
  <\SystemRoot\system32\NetWare\nwfilter.sys><Novell, Inc.>
[Novell Host File Name Space Service Provider / NWHOST][Stopped/Manual Start]
  <system32\NetWare\NWHOST.sys><N/A>
[Novell SAP Name Space Provider / NWSAP][Stopped/Manual Start]
  <system32\NetWare\NWSAP.sys><N/A>
[Novell NetWare IPX/SPX Transport Interface / NWSIPX32][Stopped/Auto Start]
  <system32\NetWare\nwsipx32.sys><Novell, Inc.>
[Novell SLP Name Space Service Provider / NWSLP][Running/Manual Start]
  <system32\NetWare\nwslp.sys><Novell, Inc.>
[Novell Simple Naming Services / NWSNS][Running/Manual Start]
  <system32\NetWare\NWSNS.sys><N/A>
[Direct Parallel Link Driver / Ptilink][Running/Manual Start]
  <system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Novell NetWare Resource Manager / RESMGR][Running/Auto Start]
  <system32\NetWare\resmgr.sys><Novell, Inc.>
[Secdrv / Secdrv][Stopped/Manual Start]
  <system32\DRIVERS\secdrv.sys><Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.>
[Samsung Port Exclusion / SpPortEx][Running/Auto Start]
  <System32\Drivers\SpPortEx.sys><Samsung Electronics Co.>
[Novell Service Location / SRVLOC][Running/Auto Start]
  <system32\NetWare\srvloc.sys><Novell, Inc.>
[tmcomm / tmcomm][Running/Auto Start]
  <\??\C:\WINDOWS\system32\drivers\tmcomm.sys><Trend Micro Inc.>
[Trend Micro Filter / TmFilter][Running/Auto Start]
  <\??\C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys><Trend Micro Inc.>
[Trend Micro PreFilter / TmPreFilter][Running/Auto Start]
  <\??\C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys><Trend Micro Inc.>
[Trend Micro TDI Driver / tmtdi][Running/System Start]
  <system32\DRIVERS\tmtdi.sys><Trend Micro Inc.>
[ASUS Video3D Service / Video3D][Stopped/Manual Start]
  <System32\Drivers\Video3D.sys><N/A>
[Trend Micro VSAPI NT / VSApiNt][Running/Auto Start]
  <\??\C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys><Trend Micro Inc.>

==================================
Browser Add-ons
[Adobe PDF Link Helper]
  {18DF081C-E8AD-4283-A596-FA578C2EBDC3} <C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll, (Signed) Adobe Systems Incorporated>
[]
  {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} <, >
[Google Toolbar Helper]
  {AA58ED58-01DD-4d91-8333-CF10577473F7} <C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll, (Signed) Google Inc.>
[Google Toolbar Notifier BHO]
  {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} <C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll, (Signed) Google Inc.>
[Google Dictionary Compression sdch]
  {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} <C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll, (Signed) Google Inc.>
[Java(tm) Plug-In 2 SSV Helper]
  {DBC80044-A445-435b-BC74-9C25C1C588A9} <C:\Program Files\Java\jre6\bin\jp2ssv.dll, (Signed) Sun Microsystems, Inc.>
[JQSIEStartDetectorImpl Class]
  {E7E6F031-17CE-4C07-BC86-EABFE594F69C} <C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll, Sun Microsystems, Inc.>
[&חקור]
  {92780B25-18CC-41C8-B9BE-3C9C571A8263} <C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL, (Signed) Microsoft Corporation>
[]
  {e2e2dd38-d088-4134-82b7-f2ba38496583} <%windir%\Network Diagnostic\xpnetdiag.exe, (Signed) N/A>
[Messenger]
  {FB5F1910-F110-11d2-BB9E-00C04F795683} <C:\Program Files\Messenger\msmsgs.exe, (Signed) Microsoft Corporation>
[Google Toolbar]
  {2318C2B1-4965-11d4-9B18-009027A5CD4F} <C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll, (Signed) Google Inc.>
[SysProWmi Class]
  {01A88BB1-1174-41EC-ACCB-963509EAE56B} <C:\WINDOWS\system32\Dell\SystemProfiler\SysPro.ocx, Dell Computer Corp.>
[CPlayFirstDairyDashWControl Object]
  {055B4212-4C81-448E-AFA9-C3CA4AAE8F95} <C:\WINDOWS\Downloaded Program Files\DairyDashWeb.1.0.0.12.dll, (Signed) PlayFirst, Inc.>
[Office Genuine Advantage Validation Tool]
  {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} <C:\WINDOWS\system32\OGACheckControl.dll, (Signed) >
[Windows Genuine Advantage Validation Tool]
  {17492023-C23A-453E-A040-C7C580BBF700} <C:\WINDOWS\system32\legitcheckcontrol.dll, (Signed) Microsoft Corporation>
[PSFormX Control]
  {56393399-041A-4650-94C7-13DFCB1F4665} <C:\WINDOWS\DOWNLO~1\PESTSC~1.OCX, Visicom Media>
[WUWebControl Class]
  {6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINDOWS\system32\wuweb.dll, (Signed) Microsoft Corporation>
[MUWebControl Class]
  {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} <C:\WINDOWS\system32\muweb.dll, (Signed) Microsoft Corporation>
[OnlineScanner Control]
  {7530BFB8-7293-4D34-9923-61A11451AFC5} <C:\PROGRA~1\ESET\ESETON~1\ONLINE~1.OCX, (Signed) Eset>
[WScanCtl Class]
  {7B297BFD-85E4-4092-B2AF-16A91B2EA103} <C:\WINDOWS\Downloaded Program Files\webscan.dll, CA>
[Java Plug-in 1.6.0_17]
  {8AD9C840-044E-11D1-B3E9-00805F499D93} <C:\Program Files\Java\jre6\bin\jp2iexp.dll, (Signed) >
[]
  {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} <, >
[MSN Games - Installer]
  {B8BE5E93-A60C-4D26-A2DC-220313175592} <C:\WINDOWS\Downloaded Program Files\ZIntro.ocx, (Signed) Microsoft Corporation>
[Java Plug-in 1.6.0_17]
  {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} <C:\Program Files\Java\jre6\bin\jp2iexp.dll, (Signed) >
[Java Plug-in 1.6.0_17]
  {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} <C:\Program Files\Java\jre6\bin\npjpi160_17.dll, (Signed) Sun Microsystems, Inc.>
[get_atlcom Class]
  {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} <C:\WINDOWS\Downloaded Program Files\gp.ocx, (Signed) NOS Microsystems Ltd.>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash10a.ocx, (Signed) Adobe Systems, Inc.>
[Performance Viewer Activex Control]
  {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} <C:\WINDOWS\Downloaded Program Files\RACtrl.dll, (Signed) >
[Microsoft Word Application]
  {000209FF-0000-0000-C000-000000000046} <, >
[Microsoft Outlook 8.0 Object Library]
  {0006F033-0000-0000-C000-000000000046} <, >
[Microsoft Office Outlook]
  {0006F03A-0000-0000-C000-000000000046} <, >
[Microsoft Works Imaging Server]
  {00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6} <C:\Program Files\Microsoft Works\wkimgsrv.dll, (Signed) Microsoft® Corporation>
[Google Script Object]
  {00EF2092-6AC5-47C0-BD25-CF2D5D657FEB} <C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll, (Signed) Google Inc.>
[SysProWmi Class]
  {01A88BB1-1174-41EC-ACCB-963509EAE56B} <C:\WINDOWS\system32\Dell\SystemProfiler\SysPro.ocx, Dell Computer Corp.>
[QuickTime Object]
  {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} <C:\Program Files\QuickTime\QTPlugin.ocx, Apple Computer, Inc.>
[Outlook Today's Data-binding control]
  {0468C085-CA5B-11D0-AF08-00609797F0E0} <C:\PROGRA~1\MICROS~2\Office12\OUTLCTL.DLL, (Signed) >
[ActiveMovieControl Object]
  {05589FA1-C356-11CE-BF01-00AA0055595A} <C:\WINDOWS\system32\wmpdxm.dll, (Signed) Microsoft Corporation>
[CPlayFirstDairyDashWControl Object]
  {055B4212-4C81-448E-AFA9-C3CA4AAE8F95} <C:\WINDOWS\Downloaded Program Files\DairyDashWeb.1.0.0.12.dll, (Signed) PlayFirst, Inc.>
[Office Genuine Advantage Validation Tool]
  {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} <C:\WINDOWS\system32\OGACheckControl.dll, (Signed) >
[Adobe PDF Reader Link Helper]
  {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll, (Signed) Adobe Systems Incorporated>
[Web Browser Applet Control]
  {08B0E5C0-4FCB-11CF-AAA5-00401C608501} <C:\WINDOWS\system32\msjava.dll, Microsoft Corporation>
[Windows Script Host Network Object]
  {093FF999-1EA0-4079-9525-9614C3504B74} <C:\WINDOWS\system32\wshom.ocx, (Signed) Microsoft Corporation>
[PeerDraw Class]
  {10072CEC-8CC1-11D1-986E-00A0C955B42E} <%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll, (Signed) N/A>
[]
  {11260943-421B-11D0-8EAC-0000C07D88CF} <, >
[]
  {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} <, >
[]
  {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} <, >
[Windows Genuine Advantage Validation Tool]
  {17492023-C23A-453E-A040-C7C580BBF700} <C:\WINDOWS\system32\legitcheckcontrol.dll, (Signed) Microsoft Corporation>
[Adobe PDF Link Helper]
  {18DF081C-E8AD-4283-A596-FA578C2EBDC3} <C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll, (Signed) Adobe Systems Incorporated>
[InformationCardSigninHelper Class]
  {19916E01-B44E-4E31-94A4-4696DF46157B} <C:\WINDOWS\system32\icardie.dll, (Signed) Microsoft Corporation>
[Windows Media Player]
  {22D6F312-B0F6-11D0-94AB-0080C74C7E95} <C:\WINDOWS\system32\wmpdxm.dll, (Signed) Microsoft Corporation>
[Google Toolbar]
  {2318C2B1-4965-11D4-9B18-009027A5CD4F} <C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll, (Signed) Google Inc.>
[HTML Document]
  {25336920-03F9-11CF-8FD0-00AA00686F13} <C:\WINDOWS\system32\mshtml.dll, (Signed) Microsoft Corporation>
[XML DOM Document]
  {2933BF90-7B36-11D2-B20E-00C04F983E60} <C:\WINDOWS\system32\msxml3.dll, (Signed) Microsoft Corporation>
[XSL Template]
  {2933BF94-7B36-11D2-B20E-00C04F983E60} <C:\WINDOWS\system32\msxml3.dll, (Signed) Microsoft Corporation>
[DHTML Edit Control Safe for Scripting for IE5]
  {2D360201-FFF5-11D1-8D03-00A0C959BC0A} <C:\Program Files\Common Files\Microsoft Shared\Triedit\dhtmled.ocx, (Signed) Microsoft Corporation>
[]
  {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} <, >
[HtmlDlgSafeHelper Class]
  {3050F819-98B5-11CF-BB82-00AA00BDCE0B} <C:\WINDOWS\system32\mshtmled.dll, (Signed) Microsoft Corporation>
[IETag Factory]
  {38481807-CA0E-42D2-BF39-B33AF135CC4D} <C:\PROGRA~1\COMMON~1\MICROS~1\SMARTT~1\IETAG.DLL, (Signed) Microsoft Corporation>
[]
  {3BB1D69B-A780-4BE1-876E-F3D488877135} <, >
[XML Document]
  {48123BC4-99D9-11D1-A6B3-00C04FD91555} <C:\WINDOWS\system32\msxml3.dll, (Signed) Microsoft Corporation>
[Microsoft Terminal Services Client Control (redist)]
  {4eb89ff4-7f78-4a0f-8b8d-2bf02e94e4b2} <%systemroot%\system32\mstscax.dll, (Signed) N/A>
[Microsoft Terminal Services Client Control (redist)]
  {4EDCB26C-D24C-4e72-AF07-B576699AC0DE} <%systemroot%\system32\mstscax.dll, (Signed) N/A>
[HHCtrl Object]
  {52A2AAAE-085D-4187-97EA-8C30DB990436} <C:\WINDOWS\system32\hhctrl.ocx, (Signed) Microsoft Corporation>
[]
  {54B02808-B60E-44CD-A72D-9865117E4E62} <, >
[Shell Name Space]
  {55136805-B2DE-11D1-B9F2-00A0C98BC547} <C:\WINDOWS\system32\ieframe.dll, (Signed) Microsoft Corporation>
[Remote Access ActiveX Client]
  {556EEC63-31E2-47C3-BF29-DFF799D2FE04} <C:\WINDOWS\Downloaded Program Files\RACtrl.dll, (Signed) >
[PSFormX Control]
  {56393399-041A-4650-94C7-13DFCB1F4665} <C:\WINDOWS\DOWNLO~1\PESTSC~1.OCX, Visicom Media>
[isInstalled Class]
  {5852F5ED-8BF4-11D4-A245-0080C6F74284} <C:\Program Files\Java\jre6\bin\wsdetect.dll, Sun Microsystems, Inc.>
[]
  {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} <, >
[WUWebControl Class]
  {6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINDOWS\system32\wuweb.dll, (Signed) Microsoft Corporation>
[]
  {6620E618-1AB9-4EB2-ACA4-CBBE9066DBE6} <, >
[DivXBrowserPlugin Object]
  {67DABFBF-D0AB-41FA-9C46-CC0F21721616} <C:\Program Files\DivX\DivX Web Player\npdivx32.dll, DivX,Inc.>
[]
  {68BFC611-B963-4E8C-B0FE-0DD4FB832796} <, >
[Windows Media Player]
  {6BF52A52-394A-11D3-B153-00C04F79FAA6} <C:\WINDOWS\system32\wmp.dll, (Signed) Microsoft Corporation>
[MUWebControl Class]
  {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} <C:\WINDOWS\system32\muweb.dll, (Signed) Microsoft Corporation>
[Microsoft Terminal Services Client Control (redist)]
  {7390f3d8-0439-4c05-91e3-cf5cb290c3d0} <%systemroot%\system32\mstscax.dll, (Signed) N/A>
[OnlineScanner Control]
  {7530BFB8-7293-4D34-9923-61A11451AFC5} <C:\PROGRA~1\ESET\ESETON~1\ONLINE~1.OCX, (Signed) Eset>
[Microsoft Terminal Services Client Control (redist)]
  {7584c670-2274-4efb-b00b-d6aaba6d3850} <%systemroot%\system32\mstscax.dll, (Signed) N/A>
[]
  {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} <, >
[WScanCtl Class]
  {7B297BFD-85E4-4092-B2AF-16A91B2EA103} <C:\WINDOWS\Downloaded Program Files\webscan.dll, CA>
[Microsoft Web Browser]
  {8856F961-340A-11D0-A96B-00C04FD705A2} <C:\WINDOWS\system32\ieframe.dll, (Signed) Microsoft Corporation>
[XML DOM Document 4.0]
  {88D969C0-F192-11D4-A65F-0040963251E5} <c:\WINDOWS\system32\msxml4.dll, (Signed) Microsoft Corporation>
[Free Threaded XML DOM Document 4.0]
  {88D969C1-F192-11D4-A65F-0040963251E5} <c:\WINDOWS\system32\msxml4.dll, (Signed) Microsoft Corporation>
[XSL Template 4.0]
  {88D969C3-F192-11D4-A65F-0040963251E5} <c:\WINDOWS\system32\msxml4.dll, (Signed) Microsoft Corporation>
[XML HTTP 4.0]
  {88D969C5-F192-11D4-A65F-0040963251E5} <c:\WINDOWS\system32\msxml4.dll, (Signed) Microsoft Corporation>
[XML DOM Document 5.0]
  {88D969E5-F192-11D4-A65F-0040963251E5} <C:\Program Files\Common Files\Microsoft Shared\OFFICE11\msxml5.dll, (Signed) Microsoft Corporation>
[Free Threaded XML DOM Document 5.0]
  {88D969E6-F192-11D4-A65F-0040963251E5} <C:\Program Files\Common Files\Microsoft Shared\OFFICE11\msxml5.dll, (Signed) Microsoft Corporation>
[XML HTTP 5.0]
  {88D969EA-F192-11D4-A65F-0040963251E5} <C:\Program Files\Common Files\Microsoft Shared\OFFICE11\msxml5.dll, (Signed) Microsoft Corporation>
[XML DOM Document 6.0]
  {88D96A05-F192-11D4-A65F-0040963251E5} <C:\WINDOWS\system32\msxml6.dll, (Signed) Microsoft Corporation>
[Free Threaded XML DOM Document 6.0]
  {88D96A06-F192-11D4-A65F-0040963251E5} <C:\WINDOWS\system32\msxml6.dll, (Signed) Microsoft Corporation>
[XSL Template 6.0]
  {88D96A08-F192-11D4-A65F-0040963251E5} <C:\WINDOWS\system32\msxml6.dll, (Signed) Microsoft Corporation>
[XML HTTP 6.0]
  {88D96A0A-F192-11D4-A65F-0040963251E5} <C:\WINDOWS\system32\msxml6.dll, (Signed) Microsoft Corporation>
[Java Plug-in 1.6.0_17]
  {8AD9C840-044E-11D1-B3E9-00805F499D93} <C:\Program Files\Java\jre6\bin\jp2iexp.dll, (Signed) >
[]
  {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} <, >
[Microsoft Terminal Services Client Control (redist)]
  {9059f30f-4eb1-4bd2-9fdc-36f43a218f4a} <%systemroot%\system32\mstscax.dll, (Signed) N/A>
[]
  {92780B25-18CC-41C8-B9BE-3C9C571A8263} <, >
[IETimeBehaviorFactory Class]
  {A4639D29-774E-11D3-A490-00C04F6843FB} <C:\PROGRA~1\COMMON~1\MICROS~1\MSORUN\MSORUN.DLL, (Signed) Microsoft Corporation>
[IEAnimBehaviorFactory Class]
  {A4639D2F-774E-11D3-A490-00C04F6843FB} <C:\PROGRA~1\COMMON~1\MICROS~1\MSORUN\MSORUN.DLL, (Signed) Microsoft Corporation>
[RMGetLicense Class]
  {A9FC132B-096D-460B-B7D5-1DB0FAE0C062} <C:\WINDOWS\system32\msnetobj.dll, (Signed) Microsoft Corporation>
[Google Toolbar Helper]
  {AA58ED58-01DD-4D91-8333-CF10577473F7} <C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll, (Signed) Google Inc.>
[Google Toolbar Notifier BHO]
  {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} <C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll, (Signed) Google Inc.>
[]
  {B56A7D7D-6927-48C8-A975-17DF180C71AC} <, >
[Messenger Object]
  {B69003B3-C55E-4B48-836C-BC5946FC3B28} <C:\Program Files\Messenger\msgsc.dll, (Signed) Microsoft Corporation>
[MSN Games - Installer]
  {B8BE5E93-A60C-4D26-A2DC-220313175592} <C:\WINDOWS\Downloaded Program Files\ZIntro.ocx, (Signed) Microsoft Corporation>
[Google Dictionary Compression sdch]
  {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} <C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll, (Signed) Google Inc.>
[Microsoft Office 12 Authorization Control]
  {C9712B19-838B-45A5-ABF2-9A315DDDED50} <C:\PROGRA~1\MICROS~2\Office12\AUTHZAX.DLL, (Signed) Microsoft Corporation>
[Adobe PDF Reader]
  {CA8A9780-280D-11CF-A24D-444553540000} <C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll, (Signed) Adobe Systems, Inc.>
[AUDIO__MP3 Moniker Class]
  {CD3AFA76-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, (Signed) Microsoft Corporation>
[AUDIO__WAV Moniker Class]
  {CD3AFA7B-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, (Signed) Microsoft Corporation>
[AUDIO__X_MS_WMA Moniker Class]
  {CD3AFA84-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, (Signed) Microsoft Corporation>
[VIDEO__AVI Moniker Class]
  {CD3AFA88-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, (Signed) Microsoft Corporation>
[VIDEO__X_MS_ASF Moniker Class]
  {CD3AFA8F-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, (Signed) Microsoft Corporation>
[VIDEO__X_MS_WMV Moniker Class]
  {CD3AFA94-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, (Signed) Microsoft Corporation>
[get_atlcom Class]
  {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} <C:\WINDOWS\Downloaded Program Files\gp.ocx, (Signed) NOS Microsystems Ltd.>
[Shockwave Flash Object]
  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash10a.ocx, (Signed) Adobe Systems, Inc.>
[]
  {D27CDB6E-AE6D-11CF-96B8-464553540000} <, >
[Microsoft Agent Control 2.0]
  {D45FD31B-5C6E-11D1-9EC1-00C04FD7081F} <C:\WINDOWS\msagent\agentctl.dll, (Signed) Microsoft Corporation>
[Java(tm) Plug-In 2 SSV Helper]
  {DBC80044-A445-435B-BC74-9C25C1C588A9} <C:\Program Files\Java\jre6\bin\jp2ssv.dll, (Signed) Sun Microsystems, Inc.>
[QuickTimeCheck Class]
  {DE4AF3B0-F4D4-11D3-B41A-0050DA2E6C21} <C:\WINDOWS\system32\QuickTimeCheck.OCX, Apple Computer, Inc.>
[NameCtrl Class]
  {E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05} <C:\Program Files\Microsoft Office\Office12\NAME.DLL, (Signed) Microsoft Corporation>
[]
  {E2E2DD38-D088-4134-82B7-F2BA38496583} <, >
[WebViewFolderIcon Class]
  {E5DF9D10-3B52-11D1-83E8-00A0C90DC849} <C:\WINDOWS\system32\webvw.dll, (Signed) Microsoft Corporation>
[JQSIEStartDetectorImpl Class]
  {E7E6F031-17CE-4C07-BC86-EABFE594F69C} <C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll, Sun Microsystems, Inc.>
[]
  {ED2E7DE7-07DB-4941-A06D-F780B93BA730} <, >
[XML HTTP Request]
  {ED8C108E-4349-11D2-91A4-00C04F7969E8} <C:\WINDOWS\system32\msxml3.dll, (Signed) Microsoft Corporation>
[Scripting.Dictionary]
  {EE09B103-97E0-11CF-978F-00A02463E06F} <C:\WINDOWS\system32\scrrun.dll, (Signed) Microsoft Corporation>
[XML DOM Document 3.0]
  {F5078F32-C551-11D3-89B9-0000F81FE221} <C:\WINDOWS\system32\msxml3.dll, (Signed) Microsoft Corporation>
[Free Threaded XML DOM Document 3.0]
  {F5078F33-C551-11D3-89B9-0000F81FE221} <C:\WINDOWS\system32\msxml3.dll, (Signed) Microsoft Corporation>
[XML HTTP 3.0]
  {F5078F35-C551-11D3-89B9-0000F81FE221} <C:\WINDOWS\system32\msxml3.dll, (Signed) Microsoft Corporation>
[XSL Template 3.0]
  {F5078F36-C551-11D3-89B9-0000F81FE221} <C:\WINDOWS\system32\msxml3.dll, (Signed) Microsoft Corporation>
[XML DOM Document]
  {F6D90F11-9C73-11D3-B32E-00C04F990BB4} <C:\WINDOWS\system32\msxml3.dll, (Signed) Microsoft Corporation>
[Free Threaded XML DOM Document]
  {F6D90F12-9C73-11D3-B32E-00C04F990BB4} <C:\WINDOWS\system32\msxml3.dll, (Signed) Microsoft Corporation>
[XML HTTP]
  {F6D90F16-9C73-11D3-B32E-00C04F990BB4} <C:\WINDOWS\system32\msxml3.dll, (Signed) Microsoft Corporation>
[]
  {FB5F1910-F110-11D2-BB9E-00C04F795683} <, >
[Performance Viewer Activex Control]
  {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} <C:\WINDOWS\Downloaded Program Files\RACtrl.dll, (Signed) >
[&ייצוא אל Microsoft Excel]
  <res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000, N/A>
[&יצא ל- Microsoft Excel]
  <res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000, N/A>

==================================
Running Processes
[PID: 628 / SYSTEM][\SystemRoot\System32\smss.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[PID: 676 / SYSTEM][\??\C:\WINDOWS\system32\csrss.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[PID: 712 / SYSTEM][\??\C:\WINDOWS\system32\winlogon.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2113)]
	[C:\WINDOWS\system32\NWGINA.DLL]  [Novell, Inc., v6.5.1 (20050110)]
	[C:\WINDOWS\system32\NLS\ENGLISH\NWGINAR.DLL]  [Novell, Inc., v6.5.1 (20050110)]
	[C:\WINDOWS\system32\CALWIN32.DLL]  [Novell, Inc., 6.0.1]
	[C:\WINDOWS\system32\CLNWIN32.DLL]  [Novell, Inc., 6.0.1]
	[C:\WINDOWS\system32\LOCWIN32.DLL]  [Novell, Inc., 6.0.1]
	[C:\WINDOWS\system32\NCPWIN32.dll]  [Novell, Inc., 6.0.1]
	[C:\WINDOWS\system32\CLXWIN32.DLL]  [Novell, Inc., 6.0.1]
	[C:\WINDOWS\system32\NETWIN32.DLL]  [Novell, Inc., 5.5.10]
	[C:\WINDOWS\system32\NOVNPNT.DLL]  [Novell, Inc., 4.91.0.1]
	[C:\WINDOWS\system32\MAPBASE.dll]  [Novell, Inc., 4.91.0.1]
	[C:\WINDOWS\system32\NWSHLXNT.dll]  [, ]
	[C:\WINDOWS\system32\NLS\ENGLISH\MAPBASER.DLL]  [Novell, Inc., 4.91]
	[C:\WINDOWS\system32\NLS\ENGLISH\NWSHLXNR.DLL]  [, ]
	[C:\WINDOWS\system32\NLS\ENGLISH\NOVNPNTR.DLL]  [Novell, Inc., 4.91.0.1]
[PID: 756 / SYSTEM][C:\WINDOWS\system32\services.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5755 (xpsp_sp3_gdr.090206-1234)]
[PID: 768 / SYSTEM][C:\WINDOWS\system32\lsass.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2113)]
	[C:\WINDOWS\system32\nwv1_0.dll]  [Novell, Inc., v4.71 (000217)]
[PID: 984 / SYSTEM][C:\WINDOWS\system32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[PID: 1048 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
	[C:\WINDOWS\system32\netware\NWWS2NDS.DLL]  [Novell, Inc., v4.90]
	[C:\WINDOWS\system32\NETWIN32.DLL]  [Novell, Inc., 5.5.10]
	[C:\WINDOWS\system32\CLNWIN32.DLL]  [Novell, Inc., 6.0.1]
	[C:\WINDOWS\system32\LOCWIN32.DLL]  [Novell, Inc., 6.0.1]
	[C:\WINDOWS\system32\NCPWIN32.dll]  [Novell, Inc., 6.0.1]
	[C:\WINDOWS\system32\netware\NWWS2SLP.DLL]  [Novell, Inc., v4.90]
	[C:\WINDOWS\system32\NWSRVLOC.dll]  [Novell, Inc., 4.91]
[PID: 1144 / SYSTEM][C:\Program Files\Windows Defender\MsMpEng.exe]  [Microsoft Corporation, 1.1.1593.0]
[PID: 1184 / SYSTEM][C:\WINDOWS\System32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
	[C:\WINDOWS\system32\netware\NWWS2NDS.DLL]  [Novell, Inc., v4.90]
	[C:\WINDOWS\System32\NETWIN32.DLL]  [Novell, Inc., 5.5.10]
	[C:\WINDOWS\System32\CLNWIN32.DLL]  [Novell, Inc., 6.0.1]
	[C:\WINDOWS\System32\LOCWIN32.DLL]  [Novell, Inc., 6.0.1]
	[C:\WINDOWS\System32\NCPWIN32.dll]  [Novell, Inc., 6.0.1]
	[C:\WINDOWS\system32\netware\NWWS2SLP.DLL]  [Novell, Inc., v4.90]
	[C:\WINDOWS\System32\NWSRVLOC.dll]  [Novell, Inc., 4.91]
[PID: 1272 / NETWORK SERVICE][C:\WINDOWS\system32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[PID: 1308 / SYSTEM][C:\WINDOWS\System32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[PID: 1368 / LOCAL SERVICE][C:\WINDOWS\system32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[PID: 1416 / SYSTEM][C:\WINDOWS\System32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[PID: 1672 / SYSTEM][C:\WINDOWS\system32\spoolsv.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-0852)]
	[C:\WINDOWS\system32\rc4mon.dll]  [RICOH CO.,Ltd., 3, 2, 0, 0]
	[C:\WINDOWS\system32\netware\NWWS2NDS.DLL]  [Novell, Inc., v4.90]
	[C:\WINDOWS\system32\NETWIN32.DLL]  [Novell, Inc., 5.5.10]
	[C:\WINDOWS\system32\CLNWIN32.DLL]  [Novell, Inc., 6.0.1]
	[C:\WINDOWS\system32\LOCWIN32.DLL]  [Novell, Inc., 6.0.1]
	[C:\WINDOWS\system32\NCPWIN32.dll]  [Novell, Inc., 6.0.1]
	[C:\WINDOWS\system32\netware\NWWS2SLP.DLL]  [Novell, Inc., v4.90]
	[C:\WINDOWS\system32\NWSRVLOC.dll]  [Novell, Inc., 4.91]
	[C:\WINDOWS\system32\nwspool.dll]  [Novell, Inc., 4.91]
	[C:\WINDOWS\system32\CALWIN32.DLL]  [Novell, Inc., 6.0.1]
	[C:\WINDOWS\system32\CLXWIN32.DLL]  [Novell, Inc., 6.0.1]
	[C:\WINDOWS\system32\NLS\ENGLISH\NWSPOOLR.DLL]  [Novell, Inc., 4.70]
	[C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\hpzpm309.dll]  [HP, 2.236.2.0]
	[C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\hpz2ku09.dll]  [HP, 2.236.2.0]
[PID: 1884 / LOCAL SERVICE][C:\WINDOWS\system32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[PID: 1916 / SYSTEM][C:\WINDOWS\ATKKBService.exe]  [ASUSTeK COMPUTER INC., 1, 0, 0, 0]
[PID: 1956 / SYSTEM][C:\Program Files\Java\jre6\bin\jqs.exe]  [Sun Microsystems, Inc., 6.0.170.4]
	[C:\Program Files\Java\jre6\bin\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
[PID: 1984 / SYSTEM][C:\Program Files\Common Files\LightScribe\LSSrvc.exe]  [Hewlett-Packard Company, 1.4.124.1]
	[C:\Program Files\Common Files\LightScribe\LSSProxy.dll]  [Hewlett-Packard Company, 1.4.124.1]
	[C:\Program Files\Common Files\LightScribe\LSLog.dll]  [Hewlett-Packard Company, 1.4.124.1]
[PID: 2020 / SYSTEM][C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe]  [Trend Micro Inc., 10.5.0.1112]
	[C:\Program Files\Trend Micro\OfficeScan Client\VSAPI32.dll]  [Trend Micro Inc., 8.700-1004]
	[C:\Program Files\Trend Micro\OfficeScan Client\FlowControl.dll]  [Trend Micro Inc., 8.0.0.3243]
	[C:\Program Files\Trend Micro\OfficeScan Client\OfcDog.dll]  [Trend Micro Inc., 10.5.0.1112]
	[C:\Program Files\Trend Micro\OfficeScan Client\OfcPlugInAPI.dll]  [Trend Micro Inc., 10.0.0.1169]
	[C:\Program Files\Trend Micro\OfficeScan Client\OfcPIPC.dll]  [Trend Micro Inc., 10.0.0.1169]
	[C:\Program Files\Trend Micro\OfficeScan Client\libCNTProdRes.dll]  [Trend Micro Inc., 10.0.0.1169]
	[C:\Program Files\Trend Micro\OfficeScan Client\TimeString.dll]  [Trend Micro Inc., 10.5.0.1086]
	[C:\Program Files\Trend Micro\OfficeScan Client\NTSvcRes.dll]  [Trend Micro Inc., 8.0.0.3243]
	[C:\Program Files\Trend Micro\OfficeScan Client\OfcPlugInMain.dll]  [Trend Micro Inc., 10.0.0.1169]
	[C:\Program Files\Trend Micro\OfficeScan Client\OfcPlugInTray.dll]  [Trend Micro Inc., 10.0.0.1169]
	[C:\Program Files\Trend Micro\OfficeScan Client\tmbmcli.dll]  [Trend Micro Inc., 2.2.0.1018]
	[C:\Program Files\Trend Micro\OfficeScan Client\tmengdrv.dll]  [Trend Micro Inc., 2.2.0.1018]
	[C:\Program Files\Trend Micro\OfficeScan Client\ssapi32.dll]  [Trend Micro Inc., 6.2.0.3009]
[PID: 196 / SYSTEM][C:\WINDOWS\system32\nvsvc32.exe]  [NVIDIA Corporation, 6.14.10.7184]
	[C:\WINDOWS\system32\NVRSHE.DLL]  [NVIDIA Corporation, 6.14.10.7184]
[PID: 208 / SYSTEM][C:\WINDOWS\system32\IoctlSvc.exe]  [Prolific Technology Inc., 1, 6, 0, 0]
[PID: 232 / SYSTEM][C:\WINDOWS\system32\PnkBstrA.exe]  [N/A, ]
[PID: 308 / SYSTEM][C:\WINDOWS\system32\svchost.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2111)]
[PID: 484 / SYSTEM][C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe]  [Ulead Systems, Inc., 1, 0, 0, 3]
[PID: 600 / SYSTEM][C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe]  [Trend Micro Inc., 10.5.0.1087]
	[C:\Program Files\Trend Micro\OfficeScan Client\VSAPI32.dll]  [Trend Micro Inc., 8.700-1004]
	[C:\Program Files\Trend Micro\OfficeScan Client\FlowControl.dll]  [Trend Micro Inc., 8.0.0.3243]
	[C:\Program Files\Trend Micro\OfficeScan Client\libTmCAV.dll]  [Trend Micro Inc., 10.0.0.1169]
	[C:\Program Files\Trend Micro\OfficeScan Client\Pwd.dll]  [Trend Micro Inc., 10.0.0.1169]
	[C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwCommon.dll]  [Trend Micro Inc., 10.0.0.1169]
	[C:\Program Files\Trend Micro\OfficeScan Client\ZLib.dll]  [Trend Micro Inc., 1.31.0.1708]
	[C:\Program Files\Trend Micro\OfficeScan Client\OfcDog.dll]  [Trend Micro Inc., 10.5.0.1112]
	[C:\Program Files\Trend Micro\OfficeScan Client\TmListen.dll]  [Trend Micro Inc., 10.5.0.1086]
	[C:\Program Files\Trend Micro\OfficeScan Client\TmListenShare.dll]  [Trend Micro Inc., 10.5.0.1086]
	[C:\Program Files\Trend Micro\OfficeScan Client\OfcPlugInAPI.dll]  [Trend Micro Inc., 10.0.0.1169]
	[C:\Program Files\Trend Micro\OfficeScan Client\OfcPIPC.dll]  [Trend Micro Inc., 10.0.0.1169]
	[C:\Program Files\Trend Micro\OfficeScan Client\libNetCtrl.dll]  [Trend Micro Inc., 10.5.0.1086]
	[C:\Program Files\Trend Micro\OfficeScan Client\TMSOCK.dll]  [Trend Micro Inc., 10.5.0.1086]
	[C:\Program Files\Trend Micro\OfficeScan Client\PccWFWMo.dll]  [Trend Micro Inc., 1.0.0.0]
	[C:\Program Files\Trend Micro\OfficeScan Client\loadhttp.dll]  [Trend Micro Inc., 10.0.0.1169]
	[C:\Program Files\Trend Micro\OfficeScan Client\TmPac.dll]  [Trend Micro Inc., 10.0.0.1169]
	[C:\WINDOWS\system32\netware\NWWS2NDS.DLL]  [Novell, Inc., v4.90]
	[C:\WINDOWS\system32\NETWIN32.DLL]  [Novell, Inc., 5.5.10]
	[C:\WINDOWS\system32\CLNWIN32.DLL]  [Novell, Inc., 6.0.1]
	[C:\WINDOWS\system32\LOCWIN32.DLL]  [Novell, Inc., 6.0.1]
	[C:\WINDOWS\system32\NCPWIN32.dll]  [Novell, Inc., 6.0.1]
	[C:\WINDOWS\system32\netware\NWWS2SLP.DLL]  [Novell, Inc., v4.90]
	[C:\WINDOWS\system32\NWSRVLOC.dll]  [Novell, Inc., 4.91]
	[C:\Program Files\Trend Micro\OfficeScan Client\NTSvcRes.dll]  [Trend Micro Inc., 8.0.0.3243]
	[C:\WINDOWS\system32\NOVNPNT.DLL]  [Novell, Inc., 4.91.0.1]
	[C:\WINDOWS\system32\CALWIN32.DLL]  [Novell, Inc., 6.0.1]
	[C:\WINDOWS\system32\CLXWIN32.DLL]  [Novell, Inc., 6.0.1]
	[C:\WINDOWS\system32\MAPBASE.dll]  [Novell, Inc., 4.91.0.1]
	[C:\WINDOWS\system32\NWSHLXNT.dll]  [, ]
	[C:\WINDOWS\system32\NLS\ENGLISH\MAPBASER.DLL]  [Novell, Inc., 4.91]
	[C:\WINDOWS\system32\NLS\ENGLISH\NWSHLXNR.DLL]  [, ]
	[C:\WINDOWS\system32\NLS\ENGLISH\NOVNPNTR.DLL]  [Novell, Inc., 4.91.0.1]
	[C:\Program Files\Trend Micro\OfficeScan Client\OfcPlugInMain.dll]  [Trend Micro Inc., 10.0.0.1169]
	[C:\Program Files\Trend Micro\OfficeScan Client\OfcPlugInTray.dll]  [Trend Micro Inc., 10.0.0.1169]
	[C:\Program Files\Trend Micro\OfficeScan Client\OfcTmProxy.dll]  [Trend Micro Inc., 10.0.0.1169]
	[C:\Program Files\Trend Micro\OfficeScan Client\TmpxCfg.dll]  [Trend Micro Inc., 5.3.0.1027]
	[C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.dll]  [Trend Micro Inc., 5.3.0.1027]
[PID: 1752 / LOCAL SERVICE][C:\WINDOWS\System32\alg.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-0852)]
[PID: 2464 / SYSTEM][C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe]  [Trend Micro Inc., 1.0.0.3084]
[PID: 2480 / SYSTEM][C:\WINDOWS\TEMP\FJ2B7A.EXE]  [Trend Micro Inc., 10.5.0.1112]
	[C:\Program Files\Trend Micro\OfficeScan Client\NTSvcRes.dll]  [Trend Micro Inc., 8.0.0.3243]
[PID: 3104 / MarinaK][C:\WINDOWS\explorer.exe]  [(Verified) Microsoft Corporation, 6.00.2900.5512 (xpsp.080413-2105)]
	[C:\WINDOWS\system32\msdmo.dll]  [, ]
	[C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll]  [Nero AG, 3, 0, 0, 6]
	[C:\Program Files\Common Files\Ahead\Lib\MFC71.DLL]  [Microsoft Corporation, 7.10.3077.0]
	[C:\Program Files\Common Files\Ahead\Lib\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
	[C:\Program Files\Common Files\Ahead\Lib\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
	[C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll]  [Adobe Systems, Inc., 9.1.0.2009022700]
	[C:\WINDOWS\system32\NOVNPNT.DLL]  [Novell, Inc., 4.91.0.1]
	[C:\WINDOWS\system32\CALWIN32.DLL]  [Novell, Inc., 6.0.1]
	[C:\WINDOWS\system32\CLNWIN32.DLL]  [Novell, Inc., 6.0.1]
	[C:\WINDOWS\system32\LOCWIN32.DLL]  [Novell, Inc., 6.0.1]
	[C:\WINDOWS\system32\NCPWIN32.dll]  [Novell, Inc., 6.0.1]
	[C:\WINDOWS\system32\NETWIN32.DLL]  [Novell, Inc., 5.5.10]
	[C:\WINDOWS\system32\CLXWIN32.DLL]  [Novell, Inc., 6.0.1]
	[C:\WINDOWS\system32\MAPBASE.dll]  [Novell, Inc., 4.91.0.1]
	[C:\WINDOWS\system32\NWSHLXNT.dll]  [, ]
	[C:\WINDOWS\system32\NLS\ENGLISH\MAPBASER.DLL]  [Novell, Inc., 4.91]
	[C:\WINDOWS\system32\NLS\ENGLISH\NWSHLXNR.DLL]  [, ]
	[C:\WINDOWS\system32\NLS\ENGLISH\NOVNPNTR.DLL]  [Novell, Inc., 4.91.0.1]
	[C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\hpz2ku09.dll]  [HP, 2.236.2.0]
	[C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\hpzpm309.dll]  [HP, 2.236.2.0]
	[C:\Program Files\Common Files\Ahead\Lib\AdvrCntr2.dll]  [Nero AG, 10,1,7, 10900]
	[C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll]  [Malwarebytes Corporation, 1, 2, 0, 0]
	[C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll]  [Nero AG, 2, 10, 6, 4]
	[C:\Program Files\Nero\Nero 7\Nero BackItUp\MFC71U.DLL]  [Microsoft Corporation, 7.10.3077.0]
	[C:\Program Files\WinRAR\rarext.dll]  [N/A, ]
	[C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll]  [Nero AG, 2, 10, 1, 1]
	[C:\Program Files\Common Files\Autodesk shared\dwf common\DWFShellExtension.dll]  [Autodesk, Inc., 1.1.0.278]
	[C:\WINDOWS\system32\nvcpl.dll]  [NVIDIA Corporation, 6.14.10.7184]
	[C:\WINDOWS\system32\NVRSHE.DLL]  [NVIDIA Corporation, 6.14.10.7184]
	[C:\WINDOWS\system32\nvshell.dll]  [NVIDIA Corporation, 6.14.10.10035]
[PID: 3352 / MarinaK][C:\WINDOWS\RTHDCPL.EXE]  [Realtek Semiconductor Corp., 2.0.2.6]
[PID: 3372 / MarinaK][C:\WINDOWS\system32\NWTRAY.EXE]  [Novell, Inc., v4.90]
	[C:\WINDOWS\system32\NOVNPNT.DLL]  [Novell, Inc., 4.91.0.1]
	[C:\WINDOWS\system32\CALWIN32.DLL]  [Novell, Inc., 6.0.1]
	[C:\WINDOWS\system32\CLNWIN32.DLL]  [Novell, Inc., 6.0.1]
	[C:\WINDOWS\system32\LOCWIN32.DLL]  [Novell, Inc., 6.0.1]
	[C:\WINDOWS\system32\NCPWIN32.dll]  [Novell, Inc., 6.0.1]
	[C:\WINDOWS\system32\NETWIN32.DLL]  [Novell, Inc., 5.5.10]
	[C:\WINDOWS\system32\CLXWIN32.DLL]  [Novell, Inc., 6.0.1]
	[C:\WINDOWS\system32\MAPBASE.dll]  [Novell, Inc., 4.91.0.1]
	[C:\WINDOWS\system32\NWSHLXNT.dll]  [, ]
	[C:\WINDOWS\system32\NLS\ENGLISH\MAPBASER.DLL]  [Novell, Inc., 4.91]
	[C:\WINDOWS\system32\NLS\ENGLISH\NWSHLXNR.DLL]  [, ]
	[C:\WINDOWS\system32\NLS\ENGLISH\NOVNPNTR.DLL]  [Novell, Inc., 4.91.0.1]
[PID: 3540 / MarinaK][C:\WINDOWS\system32\RUNDLL32.EXE]  [Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2105)]
	[C:\WINDOWS\system32\NvMcTray.dll]  [NVIDIA Corporation, 6.14.10.7184]
	[C:\WINDOWS\system32\NVRSHE.DLL]  [NVIDIA Corporation, 6.14.10.7184]
[PID: 3592 / MarinaK][C:\Program Files\Windows Defender\MSASCui.exe]  [Microsoft Corporation, 1.1.1593.0]
[PID: 3608 / MarinaK][C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe]  [Trend Micro Inc., 8.0.0.3243]
	[C:\Program Files\Trend Micro\OfficeScan Client\VSAPI32.dll]  [Trend Micro Inc., 8.700-1004]
	[C:\Program Files\Trend Micro\OfficeScan Client\TmPac.dll]  [Trend Micro Inc., 10.0.0.1169]
	[C:\Program Files\Trend Micro\OfficeScan Client\TimeString.dll]  [Trend Micro Inc., 10.5.0.1086]
	[C:\Program Files\Trend Micro\OfficeScan Client\OfcPIPC.dll]  [Trend Micro Inc., 10.0.0.1169]
	[C:\Program Files\Trend Micro\OfficeScan Client\OfcPlugInAPI.dll]  [Trend Micro Inc., 10.0.0.1169]
	[C:\Program Files\Trend Micro\OfficeScan Client\loadhttp.dll]  [Trend Micro Inc., 10.0.0.1169]
	[C:\Program Files\Trend Micro\OfficeScan Client\Pwd.dll]  [Trend Micro Inc., 10.0.0.1169]
	[C:\Program Files\Trend Micro\OfficeScan Client\FlowControl.dll]  [Trend Micro Inc., 8.0.0.3243]
	[C:\Program Files\Trend Micro\OfficeScan Client\ntmonres.dll]  [Trend Micro Inc., 8.0.0.3243]
	[C:\Program Files\Trend Micro\OfficeScan Client\OfcPlugInMain.dll]  [Trend Micro Inc., 10.0.0.1169]
	[C:\Program Files\Trend Micro\OfficeScan Client\OfcPlugInTray.dll]  [Trend Micro Inc., 10.0.0.1169]
[PID: 3720 / MarinaK][C:\Program Files\Java\jre6\bin\jusched.exe]  [Sun Microsystems, Inc., 6.0.170.4]
[PID: 3744 / MarinaK][C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe]  [Google Inc., 2, 0, 301, 1654]
	[C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\gtn.dll]  [Google Inc., 5, 4, 4525, 1752]
	[C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll]  [Google Inc., 5, 4, 4525, 1752]
[PID: 3776 / MarinaK][C:\Program Files\Messenger\msmsgs.exe]  [Microsoft Corporation, 4.7.3001]
[PID: 3812 / MarinaK][C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe]  [Nero AG, 2,0,17,0]
	[C:\Program Files\Common Files\Ahead\Lib\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
	[C:\Program Files\Common Files\Ahead\Lib\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
	[C:\Program Files\Common Files\Ahead\Lib\AdvrCntr2.dll]  [Nero AG, 10,1,7, 10900]
	[C:\Program Files\Common Files\Ahead\Lib\NMIndexingServicePS.dll]  [Nero AG, 2,0,17,0]
	[C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvrPS.dll]  [Nero AG, 2,0,17,0]
	[C:\Program Files\Common Files\Ahead\Lib\NMDataServices.dll]  [Nero AG, 2,0,17,0]
[PID: 3920 / MarinaK][C:\WINDOWS\system32\ctfmon.exe]  [(Verified) Microsoft Corporation, 5.1.2600.5512 (xpsp.080413-2105)]
[PID: 312 / SYSTEM][C:\Program Files\Trend Micro\OfficeScan Client\tmproxy.exe]  [Trend Micro Inc., 5.3.0.1027]
	[C:\PROGRA~1\TRENDM~1\OFFICE~1\TmpxHelp.dll]  [Trend Micro Inc., 5.3.0.1027]
	[C:\PROGRA~1\TRENDM~1\OFFICE~1\TmpxCfg.dll]  [Trend Micro Inc., 5.3.0.1027]
	[C:\PROGRA~1\TRENDM~1\OFFICE~1\tmtdi.dll]  [Trend Micro Inc., 5.3.0.1020]
	[C:\PROGRA~1\TRENDM~1\OFFICE~1\TmsmMail.dll]  [Trend Micro Inc., 5.3.0.1027]
	[C:\Program Files\Trend Micro\OfficeScan Client\TmMsg.dll]  [Trend Micro Inc., 3.0.0.1004]
	[C:\PROGRA~1\TRENDM~1\OFFICE~1\TmpeVS.dll]  [Trend Micro Inc., 5.3.0.1027]
	[C:\PROGRA~1\TRENDM~1\OFFICE~1\TmphPop3.dll]  [Trend Micro Inc., 5.3.0.1027]
[PID: 608 / SYSTEM][C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe]  [Nero AG, 2,0,17,0]
	[C:\Program Files\Common Files\Ahead\Lib\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
	[C:\Program Files\Common Files\Ahead\Lib\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
	[C:\Program Files\Common Files\Ahead\Lib\NMIndexingServicePS.dll]  [Nero AG, 2,0,17,0]
	[C:\Program Files\Common Files\Ahead\Lib\NMLogCxx.dll]  [Nero AG, 2,0,17,0]
	[C:\Program Files\Common Files\Ahead\Lib\log4cxx.dll]  [Nero AG, 1, 0, 0, 0]
	[C:\Program Files\Common Files\Ahead\Lib\NMDataServices.dll]  [Nero AG, 2,0,17,0]
[PID: 1788 / MarinaK][C:\Program Files\Common Files\Ahead\Lib\nmindexstoresvr.exe]  [Nero AG, 2,0,17,0]
	[C:\Program Files\Common Files\Ahead\Lib\NMSQLDB.dll]  [Nero AG, 2,0,17,0]
	[C:\Program Files\Common Files\Ahead\Lib\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
	[C:\Program Files\Common Files\Ahead\Lib\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
	[C:\Program Files\Common Files\Ahead\Lib\NMLogCxx.dll]  [Nero AG, 2,0,17,0]
	[C:\Program Files\Common Files\Ahead\Lib\log4cxx.dll]  [Nero AG, 1, 0, 0, 0]
	[C:\Program Files\Common Files\Ahead\Lib\NMIndexingServicePS.dll]  [Nero AG, 2,0,17,0]
	[C:\Program Files\Common Files\Ahead\Lib\NMCoFoundation.dll]  [Nero AG, 2,0,17,0]
	[C:\Program Files\Common Files\Ahead\Lib\NMPluginBase.dll]  [Nero AG, 2,0,17,0]
	[C:\Program Files\Common Files\Ahead\Lib\NMFullTextExtraction.dll]  [Nero AG, 2,0,17,0]
	[C:\Program Files\Common Files\Ahead\Lib\NMSearchPluginSimilarImages.dll]  [Nero AG, 2,0,17,0]
	[C:\Program Files\Common Files\Ahead\Lib\NMDataServices.dll]  [Nero AG, 2,0,17,0]
	[C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvrPS.dll]  [Nero AG, 2,0,17,0]
[PID: 1088 / MarinaK][C:\Program Files\Common Files\Adobe\Updater6\adobe_updater.exe]  [Adobe Systems Incorporated, 6, 2,0, 1474]
[PID: 3524 / MarinaK][C:\Program Files\Internet Explorer\iexplore.exe]  [Microsoft Corporation, 7.00.6000.16915 (vista_gdr.090826-0339)]
	[C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll]  [Google Inc., 6, 1, 1518, 856]
	[C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll]  [Adobe Systems Incorporated, 9.1.0.2009022700]
	[C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll]  [Adobe Systems Incorporated, 9.1.0.2009022700]
	[C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll]  [Google Inc., 5, 4, 4525, 1752]
	[C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll]  [Google Inc., 1, 0, 610, 27482]
	[C:\Program Files\Java\jre6\bin\jp2ssv.dll]  [Sun Microsystems, Inc., 6.0.170.4]
	[C:\Program Files\Java\jre6\bin\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
	[C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll]  [Sun Microsystems, Inc., 6.0.170.4]
[PID: 2928 / MarinaK][C:\Program Files\Mozilla Firefox\firefox.exe]  [Mozilla Corporation, 1.9.1.5]
	[C:\Program Files\Mozilla Firefox\xul.dll]  [Mozilla Foundation, 1.9.1.5]
	[C:\Program Files\Mozilla Firefox\sqlite3.dll]  [sqlite.org, 3.6.16]
	[C:\Program Files\Mozilla Firefox\MOZCRT19.dll]  [Mozilla Foundation, 8.00.0000]
	[C:\Program Files\Mozilla Firefox\js3250.dll]  [Netscape Communications Corporation, 4.0]
	[C:\Program Files\Mozilla Firefox\nspr4.dll]  [Mozilla Foundation, 4.8.2]
	[C:\Program Files\Mozilla Firefox\smime3.dll]  [Mozilla Foundation, 3.12.4.5 Basic ECC]
	[C:\Program Files\Mozilla Firefox\nss3.dll]  [Mozilla Foundation, 3.12.4.5 Basic ECC]
	[C:\Program Files\Mozilla Firefox\nssutil3.dll]  [Mozilla Foundation, 3.12.4.5]
	[C:\Program Files\Mozilla Firefox\plc4.dll]  [Mozilla Foundation, 4.8.2]
	[C:\Program Files\Mozilla Firefox\plds4.dll]  [Mozilla Foundation, 4.8.2]
	[C:\Program Files\Mozilla Firefox\ssl3.dll]  [Mozilla Foundation, 3.12.4.5 Basic ECC]
	[C:\Program Files\Mozilla Firefox\xpcom.dll]  [Mozilla Foundation, 1.9.1.5]
	[C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll]  [Mozilla Foundation, 1.9.1.5]
	[C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll]  [Mozilla Foundation, 1.9.1.5]
	[C:\WINDOWS\system32\netware\NWWS2NDS.DLL]  [Novell, Inc., v4.90]
	[C:\WINDOWS\system32\NETWIN32.DLL]  [Novell, Inc., 5.5.10]
	[C:\WINDOWS\system32\CLNWIN32.DLL]  [Novell, Inc., 6.0.1]
	[C:\WINDOWS\system32\LOCWIN32.DLL]  [Novell, Inc., 6.0.1]
	[C:\WINDOWS\system32\NCPWIN32.dll]  [Novell, Inc., 6.0.1]
	[C:\WINDOWS\system32\netware\NWWS2SLP.DLL]  [Novell, Inc., v4.90]
	[C:\WINDOWS\system32\NWSRVLOC.dll]  [Novell, Inc., 4.91]
	[C:\Program Files\Mozilla Firefox\softokn3.dll]  [Mozilla Foundation, 3.12.4.5 Basic ECC]
	[C:\Program Files\Mozilla Firefox\nssdbm3.dll]  [Mozilla Foundation, 3.12.4.5 Basic ECC]
	[C:\Program Files\Mozilla Firefox\freebl3.dll]  [Mozilla Foundation, 3.12.4.5 Basic ECC]
	[C:\Program Files\Mozilla Firefox\nssckbi.dll]  [Mozilla Foundation, 1.75]
	[C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll]  [Nero AG, 3, 0, 0, 6]
	[C:\Program Files\Common Files\Ahead\Lib\MFC71.DLL]  [Microsoft Corporation, 7.10.3077.0]
	[C:\Program Files\Common Files\Ahead\Lib\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
	[C:\Program Files\Common Files\Ahead\Lib\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
	[C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll]  [Adobe Systems, Inc., 9.1.0.2009022700]
	[C:\WINDOWS\system32\NOVNPNT.DLL]  [Novell, Inc., 4.91.0.1]
	[C:\WINDOWS\system32\CALWIN32.DLL]  [Novell, Inc., 6.0.1]
	[C:\WINDOWS\system32\CLXWIN32.DLL]  [Novell, Inc., 6.0.1]
	[C:\WINDOWS\system32\MAPBASE.dll]  [Novell, Inc., 4.91.0.1]
	[C:\WINDOWS\system32\NWSHLXNT.dll]  [, ]
	[C:\WINDOWS\system32\NLS\ENGLISH\MAPBASER.DLL]  [Novell, Inc., 4.91]
	[C:\WINDOWS\system32\NLS\ENGLISH\NWSHLXNR.DLL]  [, ]
	[C:\WINDOWS\system32\NLS\ENGLISH\NOVNPNTR.DLL]  [Novell, Inc., 4.91.0.1]
[PID: 2372 / MarinaK][C:\Documents and Settings\MarinaK\Desktop\sreng2\SREngLdr.EXE]  [Smallfrogs Studio, 2.8.1.1279]
[PID: 4052 / MarinaK][C:\Documents and Settings\MarinaK\Desktop\sreng2\sreaed1e3dd.exe]  [Smallfrogs Studio, 2.8.1.1279]
	[C:\Documents and Settings\MarinaK\Desktop\sreng2\Upload\3rdUpd.DLL]  [Smallfrogs Studio, 2, 1, 0, 15]

==================================
File Associations
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. ["%1" %*]
.COM  OK. ["%1" %*]
.PIF  OK. ["%1" %*]
.REG  OK. [regedit.exe "%1"]
.BAT  OK. ["%1" %*]
.SCR  OK. ["%1" /S]
.CHM  Error. ["%SYSTEMROOT%\hh.exe" %1]
.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS   OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]

==================================
Winsock Provider
N/A

==================================
Autorun.Inf
N/A

==================================
HOSTS File
N/A

==================================
Process Privileges Scan
Special Privileges Enabled: SeLoadDriverPrivilege [PID = 2372, C:\DOCUMENTS AND SETTINGS\MARINAK\DESKTOP\SRENG2\SRENGLDR.EXE]

==================================
Scheduled Tasks
[Enabled] MP Scheduled Scan.job
		C:\Program Files\Windows Defender\MpCmdRun.exe 

==================================
Windows Security Update Check
 Microsoft .NET Framework version 1.1 
KB940157,  Windows Search 4.0 for Windows XP (KB940157) 
KB926139,  Windows PowerShell 1.0 for Windows XP (KB926139) 
KB909520,  Microsoft Base Smart Card Cryptographic Service Provider Package: x86 (KB909520) 
KB963663,  Update for Microsoft Office Access 2007 Help (KB963663) 
KB963662,  Update for Microsoft Office InfoPath 2007 Help (KB963662) 
KB963673,  Update for the 2007 Microsoft Office System Help for Common Features (KB963673) 
KB963670,  Update for Microsoft Office OneNote 2007 Help (KB963670) 
KB963667,  Update for Microsoft Office Publisher 2007 Help (KB963667) 
KB963671,  Update for Microsoft Script Editor Help (KB963671) 
KB963675,  Update for Microsoft Office SharePoint Designer 2007 Help (KB963675) 
KB963678,  Update for Microsoft Office Excel 2007 Help (KB963678) 
KB963677,  Update for Microsoft Office Outlook 2007 Help (KB963677) 
KB963669,  Update for Microsoft Office PowerPoint 2007 Help (KB963669) 
KB963665,  Update for Microsoft Office Word 2007 Help (KB963665) 
KB963665,  Office Live add-in 1.4 
KB944036,  Internet Explorer 8 for Windows XP 
KB974331,  Microsoft Silverlight (KB974331) 
KB974331,  Windows Live Essentials 
KB971513,  Update for Windows XP (KB971513) 
KB974561,  Update for Microsoft Office Word 2007 (KB974561) 
KB931125,  Update for Root Certificates [November 2009] (KB931125) 

==================================
API HOOK
N/A

==================================
Hidden Process
N/A

==================================


#13 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:10:59 AM

Posted 30 November 2009 - 11:10 AM

Hi Dissection,



Since this puter belongs to corporate computers, I will leave the Hosts file as it is. The following message is always a reminder to the user running business computers.

If this computer has been connected to a network, other computers on the same network may have become infected. Therefore, my advice is to immediately inform your IT department so they may take immediate steps to inspect other computers that may have been exposed to this infection, and assist you with cleaning up your system as well. If you do not have an IT department, then you should have someone come in and inspect other computers that are connected to the network, and clean your system as well. It is quite possible that your IT department may decide it is in the best interest of the company for your computer to be reformatted and the operating system reinstalled.

Your infection apparently goes to flash drive virus. What concerns me most is this computer would be compromised or reinfected due to the process by accessing files with different undisinfected movable storage devices.

You should be more cautious about the same infections in the same network and show file extensions to delete any folders which may have exe extension as follows:


Other than that, your logs look good to me. :( If you have no remaining issues on your pc, let's do some tidy up and you should be good to go.


Step1

Click START then RUN
Now copy/paste ComboFix /Uninstall in the runbox and click OK.
Note the space between the X and the /Uninstall, it needs to be there.


This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Step2

Download OTC by OldTimer and save it to your desktop.
  • Double click OTC and let it run
  • Then Click the Cleanup button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Please remove all the tools and logs we have used. Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  • Update your antivirus programs

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

  • Update all these programs regularly - Make sure you update all the programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

  • Backup your valid registry - ERUNT (Emergency Recovery Utility NT) allows you to store a complete backup of your registry and restore it if needed. Due to malware effects, a corrupt registry can prevent a system from booting. You're well advised to backup your valid registry while the system is clean now.
Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information Here how to prevent Malware.


Glad to be of help. Safe surfing!!
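
The "folders with an exe extension" advice above relies on the fact that autorun worms commonly drop an executable named after an existing folder (for example a `Reports.exe` with a folder icon beside the real `Reports` directory), which is invisible once Explorer hides known extensions. The following script is an added example, not code from this thread or from any of the tools it mentions; it walks a share and flags `.exe` files that mimic a sibling folder or carry a double extension, using a constructed sample directory tree so it runs offline:

```python
import os
import tempfile


def find_folder_mimicking_exes(root):
    """Walk `root` and return (path, reason) tuples for .exe files that look
    like the folder-impersonation trick: the file's stem equals the name of a
    sibling directory, or the name carries a second extension (report.doc.exe).
    Name comparison is case-insensitive, matching Windows file-name rules."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        sibling_dirs = {d.lower() for d in dirnames}
        for name in filenames:
            stem, ext = os.path.splitext(name)
            if ext.lower() != ".exe":
                continue
            if stem.lower() in sibling_dirs:
                findings.append((os.path.join(dirpath, name),
                                 "named after sibling folder"))
            elif os.path.splitext(stem)[1]:
                findings.append((os.path.join(dirpath, name),
                                 "double extension"))
    return findings


def build_sample_share(base):
    """Constructed sample tree (hypothetical names, not from the thread):
    a legitimate subfolder and files, plus two worm-style decoys."""
    os.makedirs(os.path.join(base, "Reports"))
    for rel in ("Reports/q3.xls", "notes.txt", "setup.exe"):
        open(os.path.join(base, rel), "wb").close()
    for rel in ("Reports.exe", "invoice.doc.exe"):
        with open(os.path.join(base, rel), "wb") as fh:
            fh.write(b"MZ")  # PE magic, enough to stand in for a real binary
    return base


def demo():
    """Scan the constructed share and map each flagged file name to its reason."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        return {os.path.basename(p): why
                for p, why in find_folder_mimicking_exes(tmp)}


if __name__ == "__main__":
    for name, why in sorted(demo().items()):
        print("%-20s %s" % (name, why))
```

The ordinary `setup.exe` in the sample is not reported, because an `.exe` is only suspicious here when it shadows a folder name or hides a second extension. Run against a real share, the script only lists candidates; confirm each against the antivirus detection before deleting, and keep "Hide extensions for known file types" off so the same trick is visible in Explorer.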

#14 Dissection

Dissection
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:05:59 PM

Posted 02 December 2009 - 08:45 AM

Hi sundavis,

Thank you for helping me remove this pesky virus! Thanks for all the attention and the easy to follow instructions. I haven't had any exe file spawned in a week now (it used to spawn every day) - So I'm hoping it was purged :(

Just one question which bugs me, which program managed to remove it? I'm afraid we might run into it again, on other computers.

#15 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:10:59 AM

Posted 02 December 2009 - 10:50 PM

Hi Dissection,


Like I said, your infection apparently goes to flash driver virus. Without nuking it, you can't get a clean system even if you try to start from scratch. Sometimes, flash driver virus may block rebuild image.

Basically, Flash_Disinfector will deal with the major type of flash driver virus, but things are changed slightly differently. We need to deploy the necessary programs and recheck it with different logs to ensure the system had no other malicious threats around which might be accompanied with flash drive virus.

Glad to hear things got sorted. Take care! and safe surfing. :(



