
Infected by multiple trojans/malware - please help


11 replies to this topic

#1 Tim Moll

Posted 13 January 2010 - 03:49 AM

Hi,

I am new on the site and have already run Malwarebytes Anti-Malware, which cured some of my issues and at least sorted things out so that my browser now works again. However, despite this showing that problems and threats were eliminated, when I ran the Kaspersky online scanner as directed it showed that this was far from the case. I have been directed from the Security/Am I infected? What to do? forum to this one. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/286375/ie-not-opening-and-virusstrojans-detected/ ~ OB Any help or direction you can provide to eliminate my issue once and for all would be very much appreciated. I have downloaded and run both DDS and RootRepeal and attach the logs below!

DDS Log

DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 0:41:20.55 on 13/01/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1535.416 [GMT 0:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Remote Services\AM.utEventServer.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Remote Services\WENGINE\wmonitor.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\Program Files\Remote Services\AM.blScriptEngine.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\vi32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
c:\windows\system32\alle32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Network Associates\VirusScan\mcconsol.exe
C:\Documents and Settings\Administrator.WII91R0R\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://wilber.wescast.com/
uInternet Connection Wizard,ShellNext = hxxp://wilber.wescast.com/
uInternet Settings,ProxyServer = proxy.wescast.com:8080
uInternet Settings,ProxyOverride = 10.*.*.*;*.wescast.com;192.168.*.*;
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {97b82807-c281-4d70-9d37-f744a51b74d5} - c:\windows\system32\cbXpOGyx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [mbssm32] c:\windows\system32\vi32.exe
mRun: []
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dvdche~1.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{06624881-cf7d-4f8a-86c0-5114b122e776}\Icon3E5562ED7.ico
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1263292718208
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1263292661205
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: jwq.dll c:\windows\system32\fulorepi.dll ,
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {97b82807-c281-4d70-9d37-f744a51b74d5} - c:\windows\system32\cbXpOGyx.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\qoMdDwVL
LSA: Notification Packages = cli
Hosts: 192.168.0.5 HP0019BBE820E6

============= SERVICES / DRIVERS ===============

P2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\Mcshield.exe [2007-1-18 221191]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-12-19 59904]
R2 AM.EventService;Access Manager Event Service;c:\program files\remote services\AM.utEventServer.exe [2006-9-14 28672]
R2 AM.ScriptService;Access Manager Script Service;c:\program files\remote services\AM.blScriptEngine.exe [2006-9-14 28672]
R2 CdpPacket;Cisco Discovery Protocol Packet Driver;c:\windows\system32\drivers\CdpPacket.sys [2004-3-23 35685]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2005-12-1 104000]
R2 MCIMonitor;MCI Monitor Service;c:\program files\remote services\wengine\wmonitor.exe [2006-1-24 69696]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2007-1-18 29184]
R3 BW2NDIS5;BW2NDIS5 NDIS Protocol Driver;c:\windows\system32\drivers\BW2NDIS5.SYS [2004-11-2 17536]
R3 Cpmt;Cisco Media Termination;c:\windows\system32\drivers\Cpmt.sys [2004-3-23 1912693]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2005-12-19 80384]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2004-9-2 32640]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2005-12-19 117024]
S3 AM.InstallService;Access Manager Install Service;c:\program files\remote services\AM.InstallService.exe [2006-9-14 81920]
S3 NaiAvFilter101;NAI Anti Virus;\Device\NaiAvFilter101.sys --> \Device\NaiAvFilter101.sys [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2004-10-28 278384]

=============== Created Last 30 ================

2010-01-13 00:10:38 0 d-----w- c:\documents and settings\administrator.wii91r0r\Tracing
2010-01-13 00:07:38 0 d-----w- c:\program files\Microsoft
2010-01-13 00:07:13 0 d-----w- c:\program files\Windows Live SkyDrive
2010-01-12 23:48:48 0 d-----w- c:\program files\common files\Windows Live
2010-01-12 19:22:17 0 d-----w- c:\windows\ie8updates
2010-01-12 19:09:04 594432 ----a-w- c:\windows\system32\SET28E.tmp
2010-01-12 19:09:03 55296 ----a-w- c:\windows\system32\SET28D.tmp
2010-01-12 19:09:03 184320 ----a-w- c:\windows\system32\SET292.tmp
2010-01-12 19:09:02 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-01-12 19:09:02 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-01-12 19:09:00 916480 ----a-w- c:\windows\system32\SET289.tmp
2010-01-12 19:09:00 1985536 ----a-w- c:\windows\system32\SET291.tmp
2010-01-12 19:09:00 1208832 ----a-w- c:\windows\system32\SET28A.tmp
2010-01-12 19:08:59 5940736 ----a-w- c:\windows\system32\SET28C.tmp
2010-01-12 19:08:57 11069952 ----a-w- c:\windows\system32\SET293.tmp
2010-01-12 19:08:29 726528 ----a-w- c:\windows\system32\SET285.tmp
2010-01-12 18:36:46 0 d-sh--w- c:\documents and settings\administrator.wii91r0r\IECompatCache
2010-01-12 18:35:58 0 d-sh--w- c:\documents and settings\administrator.wii91r0r\PrivacIE
2010-01-12 18:33:17 142 ----a-w- c:\windows\system32\spupdsvc.inf
2010-01-12 18:31:33 0 d-sh--w- c:\documents and settings\administrator.wii91r0r\IETldCache
2010-01-12 17:59:58 0 d-----w- c:\program files\MSXML 4.0
2010-01-12 17:49:23 0 d-----w- c:\windows\Offline Web Pages
2010-01-12 17:47:38 0 dc-h--w- c:\windows\ie8
2010-01-12 17:41:57 0 d-----w- c:\windows\system32\zh-HK
2010-01-12 17:35:03 0 d-----w- c:\windows\system32\KB905474
2010-01-12 17:08:59 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-01-12 17:08:34 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-01-12 17:06:50 1089593 -c----w- c:\windows\system32\dllcache\ntprint.cat
2010-01-12 17:06:38 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2010-01-12 17:06:06 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-01-12 17:05:44 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2010-01-12 17:05:35 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-01-12 17:04:56 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2010-01-12 12:20:27 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-01-12 12:20:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-12 12:12:06 4974 ----a-w- c:\documents and settings\administrator.wii91r0r\plugin131_03.trace
2010-01-12 12:12:03 0 d-----w- c:\documents and settings\administrator.wii91r0r\.java
2010-01-12 11:10:52 0 d-----w- C:\bd8dd3836c128a434c006ec0adb5
2010-01-12 11:10:39 0 d-----w- c:\windows\SxsCaPendDel
2010-01-12 10:40:12 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-01-12 09:33:32 0 d-----w- c:\docume~1\admini~1.wii\applic~1\Malwarebytes
2010-01-12 09:33:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-12 09:33:21 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-12 09:33:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-12 09:33:20 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-30 22:27:36 2713 --sh--w- c:\windows\system32\tupopazo.exe

==================== Find3M ====================

2009-10-29 07:46:52 78336 ------w- c:\windows\system32\ieencode.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\SET2BA.tmp
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\SET2BB.tmp
2009-10-15 16:28:26 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-10-15 16:28:26 119808 ----a-w- c:\windows\system32\t2embed.dll
1601-01-01 00:12:31 64306 -csha-w- c:\windows\system32\jawuzela.dll
2008-11-03 20:58:28 753295 -csha-w- c:\windows\system32\LVwDdMoq.ini2
2009-02-09 15:49:45 2713 -csh--w- c:\windows\system32\mileyige.exe
2009-08-17 12:10:01 2713 -csh--w- c:\windows\system32\mitafawu.exe
2009-05-28 16:42:46 2713 -csh--w- c:\windows\system32\nerinege.exe
2008-08-07 09:52:02 510578 -csha-w- c:\windows\system32\NppXwGgh.ini2
2009-04-20 14:25:13 107520 -csha-w- c:\windows\system32\risowupa.dll
2009-01-21 13:55:26 133392 -csha-w- c:\windows\system32\telowewa.dll
2009-01-20 07:34:33 100643 -csha-w- c:\windows\system32\tojedela.dll
1601-01-01 00:12:31 64306 -csha-w- c:\windows\system32\viyogula.dll
2009-07-29 10:57:21 178688 -csha-w- c:\windows\system32\vulojedu.dll
2009-04-06 13:37:51 108032 -csha-w- c:\windows\system32\wehazibi.dll
2009-04-15 10:12:54 69120 -csha-w- c:\windows\system32\yitefuko.dll
2009-04-09 13:04:10 108544 -csha-w- c:\windows\system32\yurebuju.dll
2009-04-07 12:02:06 107008 -csha-w- c:\windows\system32\zudovase.dll
2009-02-12 15:54:39 2713 -csh--w- c:\windows\system32\zugovela.exe
2008-08-18 16:52:40 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081820080819\index.dat

============= FINISH: 0:41:40.61 ===============

RootRepeal Log

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2010/01/12 19:18
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF1E4A000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79F5000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_NTPNP6542
Image Path: \Driver\PCI_NTPNP6542
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB7445000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\config.msi\3a66aa.rbs
Status: Allocation size mismatch (API: 5242880, Raw: 5177344)

Path: C:\WINDOWS\$hf_mig$\KB970430\SP3QFE
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\$hf_mig$\KB970430\spmsg.dll
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\$hf_mig$\KB970430\spuninst.exe
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\$hf_mig$\KB970430\update
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\$hf_mig$\KB971737\spmsg.dll
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\$hf_mig$\KB971737\spuninst.exe
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\$hf_mig$\KB971737\update
Status: Visible to the Windows API, but not on disk.

Path: c:\windows\softwaredistribution\datastore\datastore.edb
Status: Allocation size mismatch (API: 14753792, Raw: 14757888)

Path: C:\Documents and Settings\Administrator.WII91R0R\Local Settings\Temp\mpengine.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator.WII91R0R\Local Settings\Temp\TMP00000001B6CB37E1CC12A533
Status: Invisible to the Windows API!

Path: c:\documents and settings\administrator.wii91r0r\local settings\temp\~dfda9c.tmp
Status: Allocation size mismatch (API: 65536, Raw: 16384)

Path: c:\windows\system32\ccm\servicedata\messaging\endpointqueues\policyagent_policyevaluator\000000no.msg
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: c:\windows\system32\ccm\servicedata\messaging\endpointqueues\certificatemaintenanceendpoint\0000002a.msg
Status: Allocation size mismatch (API: 40960, Raw: 36864)

Path: c:\windows\system32\ccm\servicedata\messaging\endpointqueues\ls_scheduledcleanup\0000002m.msg
Status: Allocation size mismatch (API: 49152, Raw: 45056)

Path: c:\windows\system32\ccm\servicedata\messaging\endpointqueues\policyagent_cleanup\00000019.msg
Status: Allocation size mismatch (API: 40960, Raw: 36864)

Path: c:\windows\system32\ccm\servicedata\messaging\endpointqueues\policyagent_requestassignments\0000008n.msg
Status: Allocation size mismatch (API: 24576, Raw: 8192)

Path: c:\windows\system32\ccm\servicedata\messaging\outgoingqueues\amp_[http]mp_locationmanager\0000004q.msg
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: c:\windows\system32\ccm\servicedata\messaging\outgoingqueues\mp_[http]mp_policymanager\0000007b.msg
Status: Allocation size mismatch (API: 98304, Raw: 69632)

Path: c:\windows\system32\ccm\servicedata\messaging\outgoingqueues\mp_[http]mp_policymanager\0000007c.msg
Status: Allocation size mismatch (API: 4096, Raw: 0)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "sptd.sys" at address 0xf729f0d0

#: 053 Function Name: NtCreateThread
Status: Hooked by "" at address 0x87ff8109

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sptd.sys" at address 0xf72a4e2c

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "sptd.sys" at address 0xf72a51ba

#: 119 Function Name: NtOpenKey
Status: Hooked by "sptd.sys" at address 0xf729f0b0

#: 160 Function Name: NtQueryKey
Status: Hooked by "sptd.sys" at address 0xf72a5292

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "sptd.sys" at address 0xf72a5112

#: 247 Function Name: NtSetValueKey
Status: Hooked by "sptd.sys" at address 0xf72a5324

Stealth Objects
-------------------
Object: Hidden Handle [Index: 4, Type: UnknownType]
Process: svchost.exe (PID: 1876) Address: 0xe29fe818 Size: -

Object: Hidden Handle [Index: 2052, Type: UnknownType]
Process: svchost.exe (PID: 1876) Address: 0xe17c6020 Size: -

Object: Hidden Handle [Index: 4100, Type: UnknownType]
Process: svchost.exe (PID: 1876) Address: 0xe1538818 Size: -

Object: Hidden Handle [Index: 6148, Type: UnknownType]
Process: svchost.exe (PID: 1876) Address: 0xe2386818 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8a2a91e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8a2a91e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8a2a91e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8a2a91e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a2a91e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a2a91e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a2a91e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a2a91e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8a2a91e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a2a91e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8a2a91e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x8a5341e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x8a5341e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x8a5341e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8a5341e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a5341e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a5341e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a5341e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a5341e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x8a5341e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a5341e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8a5341e8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x8a3961e8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x8a3961e8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a3961e8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a3961e8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x8a3961e8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a3961e8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x8a3961e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8a4c81e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8a4c81e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8a4c81e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a4c81e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a4c81e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a4c81e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a4c81e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8a4c81e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8a4c81e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a4c81e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8a4c81e8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x883491e8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x883491e8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x883491e8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x883491e8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x883491e8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x883491e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x8a3091e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x8a3091e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a3091e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a3091e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x8a3091e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a3091e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x8a3091e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_CREATE]
Process: System Address: 0x88da81e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_CLOSE]
Process: System Address: 0x88da81e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_READ]
Process: System Address: 0x88da81e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x88da81e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x88da81e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x88da81e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x88da81e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x88da81e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x88da81e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_SHUTDOWN]
Process: System Address: 0x88da81e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x88da81e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_CLEANUP]
Process: System Address: 0x88da81e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_PNP]
Process: System Address: 0x88da81e8 Size: 121

==EOF==

Edited by Orange Blossom, 13 January 2010 - 09:57 PM.



#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:06 PM

Posted 16 January 2010 - 10:19 PM

Hello Tim Moll,

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

To get an idea about the current condition of your computer, download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Select Files and Folders created in last 3 months.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).

Note 1: The logs will be created in this folder: C:\rsit

Note 2: The tool takes no more than one minute to scan the system.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Tim Moll

Tim Moll
  • Topic Starter
  • Members
  • 9 posts
  • Local time:10:06 PM

Posted 17 January 2010 - 04:34 PM

Hi Mike, and many thanks for the reply. Please find the logs below.

info.txt

info.txt logfile of random's system information tool 1.06 2010-01-17 18:27:54

======Uninstall list======

.NET Framework Machine Code Access Security Policy-->MsiExec.exe /I{1B168BAE-B6C7-46E1-BDCD-A6BBF8F56957}
-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {90920B55-78C5-4EB8-BB11-B96EFEAF7DF6}
-->MsiExec.exe /I{0ADEA8E1-B211-41B8-8DD4-D9A5FB04A5FA}
-->MsiExec.exe /I{267D350E-51AB-40B8-AF9F-DA7ED5687044}
-->MsiExec.exe /I{7A9DC8F6-2466-4E04-BF51-BE499C5D02BD}
-->MsiExec.exe /I{85BD5F12-49EF-4B40-B1E0-77D85F6E99BF}
-->MsiExec.exe /I{EA9741F6-A7F2-497B-BBE4-2ED0136649BE}
-->MsiExec.exe /X{C628EC93-8E17-4114-BCE7-2D181B93FA0F}
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{02FB2C63-5763-4CDD-99E6-566C57189742}\setup.exe" -l0x9 -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{28B97CAB-828F-49D8-A30A-675476F9BA92}\setup.exe" -l0x9 /cont -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3881DD58-780F-4FCF-8A16-6E6800C2FEE0}\setup.exe" -l0x9 -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4E7DC12A-3597-4A94-9429-F6C6987361B1}\setup.exe" -l0x9 -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6813C983-427E-4511-8456-E98FCAA1A125}\setup.exe" -l0x9 -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7DADB304-AF20-48C3-A780-4B4133A08817}\setup.exe" -l0x9 -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9225EABF-4457-403B-A82B-91614C9DDDF7}\setup.exe" -l0x9 -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9C423CF6-2DAA-4A37-94B8-59D7ECC7DB13}\setup.exe" -l0x9 -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ACE66099-E18E-4037-83C8-9D182E5B9FA8}\setup.exe" -l0x9 -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B34B6E67-FCDD-4E03-8742-B5701427FAFB}\setup.exe" -l0x9 -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C9EFF51A-C925-4F1A-9DEB-DB5F970DE983}\setup.exe" -l0x9 -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E9CCEA28-3608-4078-8A07-997646E1A357}\setup.exe" -l0x9 -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FA6CC4B4-7741-4F8D-8E81-15C4BAB9869B}\setup.exe" -l0x9 -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD7FF74D-0AB5-48D6-929C-7E93A5162521}\setup.exe" -l0x9 -removeonly
-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Access Manager-->MsiExec.exe /X{5CCD0F3E-4B58-4712-A761-CBD5871F0B68}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81300000003}
Adobe SVG Viewer 3.0-->C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
Agere Systems AC'97 Modem-->agrsmdel
Apple Software Update-->MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI HYDRAVISION-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}\setup.exe"
BBC Clock Screen Saver-->C:\WINDOWS\system32\BBC Clock.scr /u
BBC Globe Screen Saver-->C:\WINDOWS\system32\BBC Globe.scr /u
BlackBerry Desktop Software 4.3-->MsiExec.exe /I{3AE87269-BD57-4A58-B13D-FC67664BCFB8}
BlackBerry Desktop Software 4.3-->MsiExec.exe /i{3AE87269-BD57-4A58-B13D-FC67664BCFB8}
Broadcom NetXtreme Ethernet Controller-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BE6890C7-31EF-478C-812E-1E2899ABFCA9} /l1033
Chinese Simplified Fonts Support For Adobe Reader 8-->MsiExec.exe /I{AC76BA86-7AD7-2447-0000-800000000003}
Cisco IP Communicator-->MsiExec.exe /I{1EF537DA-E213-4F59-8563-28BCB3B8B464}
Cisco Systems VPN Client 4.6.02.0011-->MsiExec.exe /X{06624881-CF7D-4F8A-86C0-5114B122E776}
DBPix20-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\DBPix 2.0\Uninst.isu"
DWG TrueView 2007-->MsiExec.exe /I{2CD6BBA0-17C8-4789-9B9B-B36F7E815F6A}
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.0 (KB932471)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {ECD292A0-0347-4244-8C24-5DBCE990FB40} /package {BAF78226-3200-4DB4-BE33-4D922A799840}
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB902344)-->"C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB976098-v2)-->"C:\WINDOWS\$NtUninstallKB976098-v2$\spuninst\spuninst.exe"
HP Customer Participation Program 7.0-->C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Document Viewer 7.0-->C:\Program Files\HP\Digital Imaging\DocumentViewer\hpzscr01.exe -datfile hpqbud04.dat
HP Imaging Device Functions 7.0-->C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Essential-->MsiExec.exe /X{6994491D-D491-48F1-AE1F-E179C1FFFC2F}
HP Photosmart Premier Software 6.5-->C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Photosmart, Officejet and Deskjet 7.0.A-->C:\Program Files\HP\Digital Imaging\{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}\setup\hpzscr01.exe -datfile hposcr11.dat
HP Solution Center 7.0-->C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Update-->MsiExec.exe /X{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}
Intel® Graphics Media Accelerator Driver for Mobile-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2792 PCI\VEN_8086&DEV_2592
Intel® PROSet/Wireless Software-->C:\WINDOWS\Installer\iProInst.exe
InterVideo DVD Check-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5D97A4A7-C274-4B63-86D9-07A33435F505}\setup.exe" REMOVEALL
InterVideo WinDVD-->"C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
J2SE Runtime Environment 5.0-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150000}
Java 2 Runtime Environment Standard Edition v1.3.1_03-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\JavaSoft\JRE\1.3.1_03\Uninst.isu"
Java™ 6 Update 17-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216017FF}
Macromedia Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
McAfee VirusScan Enterprise-->MsiExec.exe /I{5DF3D1BB-894E-4DCD-8275-159AC9829B43}
mCore-->MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDrWiFi-->MsiExec.exe /I{90CC4231-94AC-45CD-991A-0253BFAC0650}
mGina-->MsiExec.exe /I{DF6B8EA9-32CF-4937-BADF-6CF43313C9FC}
mHelp-->MsiExec.exe /I{8C6BB412-D3A8-4AAE-A01B-35B681789D68}
Microsoft .NET Framework 1.1 Security Update (KB953297)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Base Smart Card Cryptographic Service Provider Package-->"C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Choice Guard-->MsiExec.exe /X{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Project 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-003B-0000-0000-0000000FF1CE} /uninstall {9E73617F-2F38-4864-BD61-BB2DDFE43323}
Microsoft Office Project 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00B4-0409-0000-0000000FF1CE} /uninstall {27A9D316-D332-433B-8EB1-1D93EE49F26D}
Microsoft Office Project MUI (English) 2007-->MsiExec.exe /X{90120000-00B4-0409-0000-0000000FF1CE}
Microsoft Office Project Professional 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PRJPRO /dll OSETUP.DLL
Microsoft Office Project Professional 2007-->MsiExec.exe /X{90120000-003B-0000-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {ABDDE972-355B-4AF1-89A8-DA50B7B5C045}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {ABDDE972-355B-4AF1-89A8-DA50B7B5C045}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {F580DDD5-8D37-4998-968E-EBB76BB86787}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {F580DDD5-8D37-4998-968E-EBB76BB86787}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {187308AB-5FA7-4F14-9AB9-D290383A10D9}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {187308AB-5FA7-4F14-9AB9-D290383A10D9}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Visio Viewer 2003 (English)-->MsiExec.exe /I{90520409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
mIWA-->MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView-->MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse-->MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
mPfMgr-->MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz-->MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe-->MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mSSO-->MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
MSXML 6.0 Parser-->MsiExec.exe /I{AEB9948B-4FF2-47C9-990E-47014492A0FE}
mWlsSafe-->MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML-->MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig-->MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
OCR Software by I.R.I.S 7.0-->C:\Program Files\HP\Digital Imaging\OCR\hpzscr01.exe -datfile hpqbud11.dat
OGA Notifier 2.0.0048.0-->MsiExec.exe /I{B2544A03-10D0-4E5E-BA69-0362FFC20D18}
Panerai 1.0-->"C:\Program Files\Panerai\unins000.exe"
Roxio Media Manager-->MsiExec.exe /X{5EED93A8-33AD-46A7-A6AC-4DEAFBEFEEE1}
Security Update for 2007 Microsoft Office System (KB969559)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {69F52148-9BF6-4CDC-BF76-103DEAF3DD08}
Security Update for 2007 Microsoft Office System (KB969559)-->msiexec /package {90120000-003B-0000-0000-0000000FF1CE} /uninstall {69F52148-9BF6-4CDC-BF76-103DEAF3DD08}
Security Update for 2007 Microsoft Office System (KB973704)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {E626DC89-A787-4553-9BB3-DC2EC7E1593F}
Security Update for Microsoft Office Excel 2007 (KB973593)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {7D6255E3-3423-4D8B-A328-F6F8D28DD5FE}
Security Update for Microsoft Office Outlook 2007 (KB972363)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {120BE9A0-9B09-4855-9E0C-7DEE45CB03C0}
Security Update for Microsoft Office PowerPoint 2007 (KB957789)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {7559E742-FF9F-4FAE-B279-008ED296CB4D}
Security Update for Microsoft Office Publisher 2007 (KB969693)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {7BE67088-1EB3-4569-8E75-DDAFBF61BC4E}
Security Update for Microsoft Office system 2007 (972581)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {3D019598-7B59-447A-80AE-815B703B84FF}
Security Update for Microsoft Office system 2007 (972581)-->msiexec /package {90120000-003B-0000-0000-0000000FF1CE} /uninstall {3D019598-7B59-447A-80AE-815B703B84FF}
Security Update for Microsoft Office system 2007 (KB969613)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5ECEB317-CBE9-4E08-AB10-756CB6F0FB6C}
Security Update for Microsoft Office system 2007 (KB974234)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {FCD742B9-7A55-44BC-A776-F795F21FEDDC}
Security Update for Microsoft Office system 2007 (KB974234)-->msiexec /package {90120000-003B-0000-0000-0000000FF1CE} /uninstall {FCD742B9-7A55-44BC-A776-F795F21FEDDC}
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {71127777-8B2C-4F97-AF7A-6CF8CAC8224D}
Security Update for Microsoft Office Word 2007 (KB969604)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {CF3D6499-709C-43D0-8908-BC5652656050}
Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB976325)-->"C:\WINDOWS\ie7updates\KB976325-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB976325)-->"C:\WINDOWS\ie8updates\KB976325-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371-v2)-->"C:\WINDOWS\$NtUninstallKB961371-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970430)-->"C:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971961)-->"C:\WINDOWS\$NtUninstallKB971961$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972270)-->"C:\WINDOWS\$NtUninstallKB972270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Segoe UI-->MsiExec.exe /I{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}
Shop for HP Supplies-->C:\Program Files\HP\Digital Imaging\HPSSupply\hpzscr01.exe -datfile hpqbud16.dat
Snapshot Viewer 9.0-->C:\Program Files\Snapshot Viewer\Setup\Setup.exe /T snap90.stf
Sony Picture Utility-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5068583-D569-468B-9755-5FBF5848F46F}\setup.exe" -l0x9 /removeonly uninstall -removeonly
Sony USB Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\setup.exe" -l0x9 UNINSTALL -removeonly
SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x9 -removeonly
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Teamcenter Enterprise 3.1 WebPD-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{CCBB8943-BA91-11D6-ABF9-001083799160} /l1033
Tweak UI-->C:\WINDOWS\rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultUninstall 4 C:\WINDOWS\Inf\Tweakui.Inf
UGS JT2Go-->MsiExec.exe /I{07D2750B-D757-434F-B3F5-13F95475C179}
Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}
Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {90120000-003B-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Microsoft Office InfoPath 2007 (KB976416)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {432C5EE4-8096-4FF1-95E1-65219365DFF7}
Update for Outlook 2007 Junk Email Filter (kb977839)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {C568005C-5FC6-4C81-A664-BD136610A931}
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955759)-->"C:\WINDOWS\$NtUninstallKB955759$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB971737)-->"C:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe"
Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
WebEx-->C:\PROGRA~1\WebEx\atcliun.exe
Windows Genuine Advantage v1.3.0254.0-->MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Internet Explorer 7 Multilingual User Interface (MUI)-->"C:\WINDOWS\ie7updates\IE7-MUI\spuninst\spuninst.exe"
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{ED00D08A-3C5F-488D-93A0-A04F21F23956}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}
Windows Live Messenger-->MsiExec.exe /X{A85FD55B-891B-4314-97A5-EA96C0BD80B5}
Windows Live Sign-in Assistant-->MsiExec.exe /I{45338B07-A236-4270-9A77-EBB4115517B5}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122-->"C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

======Hosts File======

127.0.0.1 localhost
192.168.0.5 HP0019BBE820E6

======System event log======

Computer Name: WII81QZ6
Event Code: 4
Message: Broadcom NetXtreme Gigabit Ethernet: The network link is down. Check to make sure the network cable is properly connected.

Record Number: 190895
Source Name: b57w2k
Time Written: 20100112085905.000000+000
Event Type: warning
User:

Computer Name: WII81QZ6
Event Code: 29
Message: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Record Number: 190890
Source Name: W32Time
Time Written: 20091230180552.000000+000
Event Type: error
User:

Computer Name: WII81QZ6
Event Code: 29
Message: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Record Number: 190621
Source Name: W32Time
Time Written: 20091230175553.000000+000
Event Type: error
User:

Computer Name: WII81QZ6
Event Code: 17
Message: Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Record Number: 190620
Source Name: W32Time
Time Written: 20091230175553.000000+000
Event Type: error
User:

Computer Name: WII81QZ6
Event Code: 1007
Message: Your computer has automatically configured the IP address for the Network
Card with network address 0015001084E6. The IP address being used is 169.254.102.64.

Record Number: 190613
Source Name: Dhcp
Time Written: 20091230175552.000000+000
Event Type: warning
User:

=====Application event log=====

Computer Name: WII81QZ6
Event Code: 257
Message: VirusScan Enterprise: The update failed; see event log.(from WII81QZ6 IP 192.168.0.3 user SYSTEM running VirusScan Ent. 8.0.0 UPD)

Record Number: 21879
Source Name: Alert Manager Event Interface
Time Written: 20090526070814.000000+060
Event Type: error
User:

Computer Name: WII81QZ6
Event Code: 5000
Message: EventType officelifeboathang, P1 outlook.exe, P2 12.0.6212.1000, P3 ntdll.dll, P4 5.1.2600.5512, P5 NIL, P6 NIL, P7 NIL, P8 NIL, P9 NIL, P10 NIL.

Record Number: 21878
Source Name: Microsoft Office 12
Time Written: 20090526070551.000000+060
Event Type: error
User:

Computer Name: WII81QZ6
Event Code: 5000
Message: EventType officelifeboathang, P1 outlook.exe, P2 12.0.6212.1000, P3 ntdll.dll, P4 5.1.2600.5512, P5 NIL, P6 NIL, P7 NIL, P8 NIL, P9 NIL, P10 NIL.

Record Number: 21877
Source Name: Microsoft Office 12
Time Written: 20090526070423.000000+060
Event Type: error
User:

Computer Name: WII81QZ6
Event Code: 1054
Message: Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Record Number: 21873
Source Name: Userenv
Time Written: 20090526065605.000000+060
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: WII81QZ6
Event Code: 15
Message: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Record Number: 21857
Source Name: AutoEnrollment
Time Written: 20090526065540.000000+060
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=C:\Program Files\EDS\Teamcenter\3.1\bin\;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Autodesk\DWG TrueView\;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 13 Stepping 8, GenuineIntel
"PROCESSOR_REVISION"=0d08
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"NLS_LOCALE"=en_us
"RoxioCentral"=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\

-----------------EOF-----------------

log.txt

Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrator at 2010-01-17 18:18:04
Microsoft Windows XP Professional Service Pack 3
System drive C: has 45 GB (78%) free of 57 GB
Total RAM: 1535 MB (19% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:27:45, on 17/01/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Remote Services\AM.utEventServer.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Remote Services\WENGINE\wmonitor.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\Program Files\Remote Services\AM.blScriptEngine.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\vi32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
c:\windows\system32\alle32.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Documents and Settings\Administrator.WII91R0R\Desktop\RSIT.exe
C:\Program Files\trend micro\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wilber.wescast.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://wilber.wescast.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.wescast.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*.*.*;*.wescast.com;192.168.*.*;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {97B82807-C281-4D70-9D37-F744A51B74D5} - C:\WINDOWS\system32\cbXpOGyx.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [mbssm32] C:\WINDOWS\system32\vi32.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [naterefuya] Rundll32.exe "C:\WINDOWS\system32\kiganopo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [naterefuya] Rundll32.exe "C:\WINDOWS\system32\kiganopo.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1263292718208
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1263292661205
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wescast.com
O17 - HKLM\Software\..\Telephony: DomainName = wescast.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wescast.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wescast.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = wescast.com
O20 - AppInit_DLLs: jwq.dll c:\windows\system32\fulorepi.dll ,
O23 - Service: Access Manager Event Service (AM.EventService) - MCI, Inc. - C:\Program Files\Remote Services\AM.utEventServer.exe
O23 - Service: Access Manager Install Service (AM.InstallService) - MCI, Inc. - C:\Program Files\Remote Services\AM.InstallService.exe
O23 - Service: Access Manager Script Service (AM.ScriptService) - MCI, Inc. - C:\Program Files\Remote Services\AM.blScriptEngine.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: MCI Monitor Service (MCIMonitor) - Boingo Wireless, Inc. - C:\Program Files\Remote Services\WENGINE\wmonitor.exe
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server (WinVNC) - Unknown owner - WinVNC.exe (file missing)
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12298 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\OGALogon.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{97B82807-C281-4D70-9D37-F744A51B74D5}]
C:\WINDOWS\system32\cbXpOGyx.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-01-12 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-01-12 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"=C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe [2004-10-14 1388544]
"SoundMAX"=C:\Program Files\Analog Devices\SoundMAX\Smax4.exe [2004-09-23 860160]
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2005-02-02 102492]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2005-02-02 692316]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-01-20 339968]
"WatchDog"=C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2004-12-08 184320]
"Tweak UI"=TWEAKUI.CPL,TweakMeUp []
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-04 208952]
"MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe [2004-08-04 59392]
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"McAfeeUpdaterUI"=C:\Program Files\Network Associates\Common Framework\UdaterUI.exe [2006-11-17 136768]
"AGRSMMSG"=C:\WINDOWS\AGRSMMSG.exe [2005-04-13 88209]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2004-12-21 155648]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2004-12-21 126976]
"ShStatEXE"=C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE [2004-09-22 98304]
"IntelZeroConfig"=C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe [2006-08-01 802816]
"IntelWireless"=C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe [2006-08-01 696320]
"mbssm32"=C:\WINDOWS\system32\vi32.exe [2007-10-03 533056]
""= []
"RoxWatchTray"=C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe [2007-08-16 236016]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2010-01-12 149280]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"msnmsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2009-07-26 3883856]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
VPN Client.lnk - C:\WINDOWS\Installer\{06624881-CF7D-4F8A-86C0-5114B122E776}\Icon3E5562ED7.ico

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="jwq.dll c:\windows\system32\fulorepi.dll , "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2005-01-19 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2004-12-21 348160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{97B82807-C281-4D70-9D37-F744A51B74D5}"=C:\WINDOWS\system32\cbXpOGyx.dll []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\qoMdDwVL
"notification packages"=cli

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoWelcomeScreen"=
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Disabled:Microsoft Office Outlook"
"C:\Program Files\HP\HP Software Update\HPWUCli.exe"="C:\Program Files\HP\HP Software Update\HPWUCli.exe:*:Disabled:HP Software Update Client"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Disabled:Internet Explorer"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Disabled:LimeWire"
"C:\StubInstaller.exe"="C:\StubInstaller.exe:*:Disabled:LimeWire swarmed installer"
"C:\Program Files\Roxio\Media Manager 9\MediaManager9.exe"="C:\Program Files\Roxio\Media Manager 9\MediaManager9.exe:*:Disabled:MediaManager9 Module"
"C:\WINDOWS\Network Diagnostic\xpnetdiag.exe"="C:\WINDOWS\Network Diagnostic\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe"="C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:*:Disabled:RoxioUPnPRenderer9"
"C:\Program Files\Kontiki\KService.exe"="C:\Program Files\Kontiki\KService.exe:*:Enabled:Delivery Manager Service"
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"D:\setup\HPZNET01.EXE"="D:\setup\HPZNET01.EXE:*:Enabled:hpznet01.exe"
"D:\setup\HPONICIFS01.EXE"="D:\setup\HPONICIFS01.EXE:*:Enabled:hponicifs01.exe"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"
"C:\WINDOWS\system32\alle32.exe"="C:\WINDOWS\system32\alle32.exe:*:Enabled:alle32"
"C:\WINDOWS\system32\wbem\wmiapsrv.exe"="C:\WINDOWS\system32\wbem\wmiapsrv.exe:*:Enabled:wmiapsrv"
"C:\WINDOWS\system32\rundll32.exe"="C:\WINDOWS\system32\rundll32.exe:*:Enabled:rundll32"
"C:\WINDOWS\system32\HPZipm12.exe"="C:\WINDOWS\system32\HPZipm12.exe:*:Enabled:HPZipm12"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"
"C:\Program Files\Kontiki\KHost.exe"="C:\Program Files\Kontiki\KHost.exe:*:Enabled:KHost"
"C:\Program Files\Cisco Systems\Cisco IP Communicator\Communicator.exe"="C:\Program Files\Cisco Systems\Cisco IP Communicator\Communicator.exe:*:Enabled:Cisco IP Communicator"
"%windir%\system32\lsass.exe"="%windir%\system32\lsass.exe:*:Enabled:Local Security Authority Subsystem Service"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Network Associates\Common Framework\FrameworkService.exe"="C:\Program Files\Network Associates\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe"="C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe:*:Enabled:RoxioUPnPRenderer9"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d34a20c1-70f5-11da-ab11-806d6172696f}]
shell\AutoRun\command - D:\Programs\nu2menu\nu2menu.exe


======List of files/folders created in the last 3 months======

2010-01-17 18:18:04 ----D---- C:\rsit
2010-01-17 18:18:04 ----D---- C:\Program Files\trend micro
2010-01-13 13:13:54 ----D---- C:\Program Files\WebEx
2010-01-13 00:07:38 ----D---- C:\Program Files\Microsoft
2010-01-13 00:07:13 ----D---- C:\Program Files\Windows Live SkyDrive
2010-01-13 00:06:44 ----D---- C:\Program Files\Windows Live
2010-01-12 23:48:48 ----D---- C:\Program Files\Common Files\Windows Live
2010-01-12 19:32:16 ----A---- C:\RootRepeal report 01-12-10 (19-32-16).txt
2010-01-12 19:25:30 ----HDC---- C:\WINDOWS\$NtUninstallKB972270$
2010-01-12 19:23:17 ----HDC---- C:\WINDOWS\$NtUninstallKB971737$
2010-01-12 19:23:04 ----HDC---- C:\WINDOWS\$NtUninstallKB970430$
2010-01-12 19:22:17 ----D---- C:\WINDOWS\ie8updates
2010-01-12 18:03:47 ----A---- C:\WINDOWS\system32\MRT.exe
2010-01-12 18:03:35 ----HDC---- C:\WINDOWS\$NtUninstallKB973904$
2010-01-12 18:03:22 ----HDC---- C:\WINDOWS\$NtUninstallKB955759$
2010-01-12 18:03:14 ----HDC---- C:\WINDOWS\$NtUninstallKB974392$
2010-01-12 18:03:07 ----HDC---- C:\WINDOWS\$NtUninstallKB974318$
2010-01-12 18:02:58 ----HDC---- C:\WINDOWS\$NtUninstallKB976098-v2$
2010-01-12 18:02:53 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2010-01-12 18:02:45 ----HDC---- C:\WINDOWS\$NtUninstallKB973687$
2010-01-12 18:02:34 ----HDC---- C:\WINDOWS\$NtUninstallKB969947$
2010-01-12 18:00:24 ----HDC---- C:\WINDOWS\$NtUninstallKB975467$
2010-01-12 18:00:10 ----HDC---- C:\WINDOWS\$NtUninstallKB968389$
2010-01-12 17:59:58 ----D---- C:\Program Files\MSXML 4.0
2010-01-12 17:56:03 ----HDC---- C:\WINDOWS\$NtUninstallKB969059$
2010-01-12 17:55:49 ----HDC---- C:\WINDOWS\$NtUninstallKB958869$
2010-01-12 17:55:38 ----HDC---- C:\WINDOWS\$NtUninstallKB971486$
2010-01-12 17:55:29 ----HDC---- C:\WINDOWS\$NtUninstallKB974112$
2010-01-12 17:55:19 ----HDC---- C:\WINDOWS\$NtUninstallKB974571$
2010-01-12 17:55:11 ----HDC---- C:\WINDOWS\$NtUninstallKB975025$
2010-01-12 17:55:02 ----HDC---- C:\WINDOWS\$NtUninstallKB954155_WM9$
2010-01-12 17:54:52 ----HDC---- C:\WINDOWS\$NtUninstallKB973525$
2010-01-12 17:50:18 ----HDC---- C:\WINDOWS\$NtUninstallKB968816_WM9$
2010-01-12 17:50:12 ----HDC---- C:\WINDOWS\$NtUninstallKB971961$
2010-01-12 17:50:02 ----HDC---- C:\WINDOWS\$NtUninstallKB956844$
2010-01-12 17:49:23 ----D---- C:\WINDOWS\Offline Web Pages
2010-01-12 17:47:38 ----HDC---- C:\WINDOWS\ie8
2010-01-12 17:42:01 ----HDC---- C:\WINDOWS\$NtUninstallKB961371-v2$
2010-01-12 17:41:57 ----D---- C:\WINDOWS\system32\zh-HK
2010-01-12 17:41:46 ----HDC---- C:\WINDOWS\$NtUninstallKB971657$
2010-01-12 17:41:39 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$
2010-01-12 17:41:32 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$
2010-01-12 17:41:22 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$
2010-01-12 17:41:12 ----HDC---- C:\WINDOWS\$NtUninstallKB973354$
2010-01-12 17:41:04 ----HDC---- C:\WINDOWS\$NtUninstallKB956744$
2010-01-12 17:40:57 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$
2010-01-12 17:40:44 ----HDC---- C:\WINDOWS\$NtUninstallKB973540_WM9$
2010-01-12 17:40:30 ----HDC---- C:\WINDOWS\$NtUninstallKB971557$
2010-01-12 17:39:15 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2010-01-12 17:37:50 ----HDC---- C:\WINDOWS\$NtUninstallKB970238$
2010-01-12 17:37:40 ----HDC---- C:\WINDOWS\$NtUninstallKB961501$
2010-01-12 17:36:40 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2010-01-12 17:36:33 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2010-01-12 17:36:23 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2010-01-12 17:36:05 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2010-01-12 17:35:53 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2010-01-12 17:34:54 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2010-01-12 17:34:45 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2010-01-12 17:34:09 ----HDC---- C:\WINDOWS\$NtUninstallKB961118$
2010-01-12 17:33:58 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2010-01-12 17:33:52 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2010-01-12 17:33:45 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2010-01-12 17:33:38 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2010-01-12 17:33:32 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2010-01-12 17:33:24 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2010-01-12 17:33:18 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2010-01-12 17:33:06 ----HDC---- C:\WINDOWS\$NtUninstallKB954154_WM11$
2010-01-12 17:31:24 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2010-01-12 17:31:18 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2010-01-12 17:31:11 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2010-01-12 17:31:04 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2010-01-12 17:30:58 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2010-01-12 17:30:49 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2010-01-12 17:30:35 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2010-01-12 17:30:01 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2010-01-12 17:29:46 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2010-01-12 17:08:34 ----N---- C:\WINDOWS\system32\xpsp4res.dll
2010-01-12 12:22:43 ----D---- C:\WINDOWS\Sun
2010-01-12 12:20:27 ----A---- C:\WINDOWS\system32\javaws.exe
2010-01-12 12:20:27 ----A---- C:\WINDOWS\system32\javaw.exe
2010-01-12 12:20:27 ----A---- C:\WINDOWS\system32\deploytk.dll
2010-01-12 12:20:26 ----A---- C:\WINDOWS\system32\java.exe
2010-01-12 12:17:54 ----D---- C:\Documents and Settings\Administrator.WII91R0R\Application Data\Sun
2010-01-12 11:10:52 ----D---- C:\bd8dd3836c128a434c006ec0adb5
2010-01-12 11:10:39 ----D---- C:\WINDOWS\SxsCaPendDel
2010-01-12 10:40:12 ----A---- C:\WINDOWS\system32\wuapi.dll.mui
2010-01-12 10:35:48 ----D---- C:\Documents and Settings\Administrator.WII91R0R\Application Data\Adobe
2010-01-12 09:33:32 ----D---- C:\Documents and Settings\Administrator.WII91R0R\Application Data\Malwarebytes
2010-01-12 09:33:21 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-01-12 09:33:20 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-01-12 09:18:52 ----D---- C:\Documents and Settings\Administrator.WII91R0R\Application Data\HP
2009-12-30 22:27:36 ----SH---- C:\WINDOWS\system32\tupopazo.exe
2009-10-29 07:46:52 ----N---- C:\WINDOWS\system32\ieencode.dll

======List of files/folders modified in the last 3 months======

2010-01-17 18:18:04 ----RD---- C:\Program Files
2010-01-17 18:06:39 ----D---- C:\WINDOWS\Prefetch
2010-01-17 17:53:00 ----D---- C:\WINDOWS\Temp
2010-01-17 17:39:50 ----D---- C:\WINDOWS
2010-01-17 17:36:09 ----A---- C:\WINDOWS\SMSCFG.ini
2010-01-17 02:19:11 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-01-14 08:30:59 ----D---- C:\quarantine
2010-01-13 12:28:49 ----D---- C:\WINDOWS\system32\CatRoot2
2010-01-13 08:21:29 ----D---- C:\WINDOWS\system32
2010-01-13 08:21:29 ----AC---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-01-13 08:16:35 ----HD---- C:\Config.Msi
2010-01-13 08:16:35 ----D---- C:\Program Files\Internet Explorer
2010-01-13 00:10:34 ----SD---- C:\Documents and Settings\Administrator.WII91R0R\Application Data\Microsoft
2010-01-13 00:08:27 ----SHD---- C:\WINDOWS\Installer
2010-01-13 00:07:19 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2010-01-13 00:07:19 ----D---- C:\Program Files\Common Files\Microsoft Shared
2010-01-13 00:06:24 ----HD---- C:\WINDOWS\inf
2010-01-12 23:48:48 ----D---- C:\Program Files\Common Files
2010-01-12 19:25:34 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-01-12 19:25:30 ----HD---- C:\WINDOWS\$hf_mig$
2010-01-12 19:25:26 ----D---- C:\WINDOWS\WinSxS
2010-01-12 19:24:58 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2010-01-12 19:23:24 ----A---- C:\WINDOWS\imsins.BAK
2010-01-12 19:23:08 ----D---- C:\WINDOWS\system32\drivers
2010-01-12 19:20:58 ----RSD---- C:\WINDOWS\assembly
2010-01-12 19:16:39 ----RSD---- C:\WINDOWS\Fonts
2010-01-12 19:15:56 ----D---- C:\Program Files\Microsoft Works
2010-01-12 19:13:40 ----A---- C:\WINDOWS\win.ini
2010-01-12 18:52:18 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2010-01-12 18:52:09 ----D---- C:\Program Files\Common Files\Adobe
2010-01-12 18:52:09 ----D---- C:\Program Files\Adobe
2010-01-12 18:35:35 ----SD---- C:\WINDOWS\Tasks
2010-01-12 18:34:00 ----D---- C:\WINDOWS\system32\CatRoot
2010-01-12 18:16:58 ----D---- C:\WINDOWS\Microsoft.NET
2010-01-12 18:09:17 ----D---- C:\WINDOWS\system32\wbem
2010-01-12 18:09:17 ----D---- C:\WINDOWS\system32\en-US
2010-01-12 18:09:17 ----D---- C:\WINDOWS\Media
2010-01-12 18:09:17 ----D---- C:\WINDOWS\Help
2010-01-12 18:09:17 ----D---- C:\WINDOWS\AppPatch
2010-01-12 17:41:57 ----D---- C:\WINDOWS\system32\zh-tw
2010-01-12 17:41:57 ----D---- C:\WINDOWS\system32\tr-tr
2010-01-12 17:41:56 ----D---- C:\WINDOWS\system32\sv-se
2010-01-12 17:41:56 ----D---- C:\WINDOWS\system32\pt-br
2010-01-12 17:41:56 ----D---- C:\WINDOWS\system32\nl-nl
2010-01-12 17:41:56 ----D---- C:\WINDOWS\system32\nb-no
2010-01-12 17:41:56 ----D---- C:\WINDOWS\system32\ko-kr
2010-01-12 17:41:56 ----D---- C:\WINDOWS\system32\it-it
2010-01-12 17:41:56 ----D---- C:\WINDOWS\system32\he-il
2010-01-12 17:41:56 ----D---- C:\WINDOWS\system32\fr-fr
2010-01-12 17:41:56 ----D---- C:\WINDOWS\system32\fi-fi
2010-01-12 17:41:56 ----D---- C:\WINDOWS\system32\es-es
2010-01-12 17:41:56 ----D---- C:\WINDOWS\system32\el-gr
2010-01-12 17:41:56 ----D---- C:\WINDOWS\system32\de-de
2010-01-12 17:41:56 ----D---- C:\WINDOWS\system32\da-dk
2010-01-12 17:41:56 ----D---- C:\WINDOWS\system32\ar-sa
2010-01-12 17:41:16 ----D---- C:\Program Files\Outlook Express
2010-01-12 17:31:07 ----D---- C:\Program Files\Messenger
2010-01-12 12:19:37 ----D---- C:\Program Files\Java
2010-01-12 11:11:56 ----D---- C:\WINDOWS\system32\XPSViewer
2010-01-12 10:47:35 ----D---- C:\WINDOWS\SoftwareDistribution
2010-01-12 10:39:09 ----SD---- C:\WINDOWS\Downloaded Program Files
2010-01-12 10:30:16 ----HDC---- C:\WINDOWS\ie7
2010-01-12 10:28:35 ----D---- C:\Program Files\Angle Interactive
2010-01-12 09:17:44 ----AC---- C:\WINDOWS\OEWABLog.txt
2009-12-31 18:46:02 ----D---- C:\Documents and Settings\All Users\Application Data\Kontiki
2009-12-07 14:03:41 ----SHD---- C:\WINDOWS\CSC
2009-10-29 07:46:51 ----A---- C:\WINDOWS\system32\extmgr.dll
2009-10-29 07:45:38 ----A---- C:\WINDOWS\system32\wininet.dll
2009-10-29 07:45:37 ----A---- C:\WINDOWS\system32\urlmon.dll
2009-10-29 07:45:37 ----A---- C:\WINDOWS\system32\occache.dll
2009-10-29 07:45:37 ----A---- C:\WINDOWS\system32\mshtml.dll
2009-10-29 07:45:35 ----A---- C:\WINDOWS\system32\msfeedsbs.dll
2009-10-29 07:45:35 ----A---- C:\WINDOWS\system32\msfeeds.dll
2009-10-29 07:45:35 ----A---- C:\WINDOWS\system32\jsproxy.dll
2009-10-29 07:45:34 ----A---- C:\WINDOWS\system32\iertutil.dll
2009-10-29 07:45:34 ----A---- C:\WINDOWS\system32\iepeers.dll
2009-10-29 07:45:33 ----A---- C:\WINDOWS\system32\ieframe.dll
2009-10-29 07:45:32 ----A---- C:\WINDOWS\system32\iedkcs32.dll
2009-10-28 15:07:15 ----N---- C:\WINDOWS\system32\tzchange.exe
2009-10-28 14:40:47 ----A---- C:\WINDOWS\system32\ie4uinit.exe
2009-10-26 20:46:29 ----AC---- C:\WINDOWS\system32\omginstlog.txt
2009-10-21 05:38:36 ----A---- C:\WINDOWS\system32\strmfilt.dll
2009-10-21 05:38:36 ----A---- C:\WINDOWS\system32\httpapi.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2007-02-02 9336]
R1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2007-02-02 9464]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 NaiAvTdi1;NaiAvTdi1; C:\WINDOWS\system32\drivers\mvstdi5x.sys [2007-01-18 59904]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.5.3.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2007-07-18 21419]
R2 CdpPacket;Cisco Discovery Protocol Packet Driver; C:\WINDOWS\system32\DRIVERS\CdpPacket.sys [2004-03-23 35685]
R2 CVPNDRVA;Cisco Systems Inc. IPSec Driver; \??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys []
R2 irda;IrDA Protocol; C:\WINDOWS\system32\DRIVERS\irda.sys [2008-04-13 88192]
R2 s24trans;WLAN Transport; C:\WINDOWS\system32\DRIVERS\s24trans.sys [2006-08-02 12544]
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2004-11-08 127744]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2005-04-13 1066278]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2005-01-19 965632]
R3 b57w2k;Broadcom NetXtreme Gigabit Ethernet; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2004-11-16 190592]
R3 BW2NDIS5;BW2NDIS5 NDIS Protocol Driver; C:\WINDOWS\System32\Drivers\BW2NDIS5.sys [2004-11-02 17536]
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 Cpmt;Cisco Media Termination; C:\WINDOWS\System32\Drivers\Cpmt.sys [2004-03-23 1912693]
R3 DNE;Deterministic Network Enhancer Miniport; C:\WINDOWS\system32\DRIVERS\dne2000.sys [2004-11-03 146888]
R3 EntDrv51;EntDrv51; \??\C:\WINDOWS\system32\drivers\EntDrv51.sys []
R3 GTIPCI21;GTIPCI21; C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2004-05-03 80384]
R3 idisw2km;idisw2km; C:\WINDOWS\system32\DRIVERS\idisw2km.sys [2006-02-09 8992]
R3 IFXTPM;IFXTPM; C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS [2004-09-02 32640]
R3 kbstuff;SMS Virtual Keyboard; C:\WINDOWS\system32\DRIVERS\kbstuff5.sys [2006-02-09 11744]
R3 NaiAvFilter1;NaiAvFilter1; C:\WINDOWS\system32\drivers\naiavf5x.sys [2007-01-18 117024]
R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 RimVSerPort;RIM Virtual Serial Port v2; C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2007-01-18 26496]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2004-08-04 5888]
R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2008-04-13 79232]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2004-10-13 259840]
R3 StillCam;Still Serial Digital Camera Driver; C:\WINDOWS\system32\DRIVERS\serscan.sys [2001-08-17 6784]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2005-02-02 191456]
R3 tifm21;tifm21; C:\WINDOWS\system32\drivers\tifm21.sys [2005-03-16 159488]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 w29n51;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows XP; C:\WINDOWS\system32\DRIVERS\w29n51.sys [2006-06-30 2206720]
S1 eabfiltr;EABFiltr; \??\C:\WINDOWS\system32\drivers\EABFiltr.sys []
S3 CVirtA;Cisco Systems VPN Adapter; C:\WINDOWS\system32\DRIVERS\CVirtA.sys [2005-02-08 5185]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2006-04-13 49664]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2006-04-13 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2006-04-13 21568]
S3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2004-12-21 776349]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 MXOPSWD;Maxtor OneTouch Security Driver; C:\WINDOWS\system32\DRIVERS\mxopswd.sys [2005-04-06 15360]
S3 NaiAvFilter101;NAI Anti Virus; \Device\NaiAvFilter101.sys []
S3 prepdrvr;SMS Process Event Driver; \??\C:\WINDOWS\system32\CCM\prepdrv.sys []
S3 RimUsb;BlackBerry Smartphone; C:\WINDOWS\System32\Drivers\RimUsb.sys [2007-05-31 22656]
S3 SMCIRDA;SMSC IrCC Miniport Device Driver; C:\WINDOWS\system32\DRIVERS\smcirda.sys [2004-06-16 46080]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 vsdatant;vsdatant; \??\C:\WINDOWS\system32\vsdatant.sys []
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-13 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AM.EventService;Access Manager Event Service; C:\Program Files\Remote Services\AM.utEventServer.exe [2006-09-14 28672]
R2 AM.ScriptService;Access Manager Script Service; C:\Program Files\Remote Services\AM.blScriptEngine.exe [2006-09-14 28672]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2005-01-19 344064]
R2 CcmExec;SMS Agent Host; C:\WINDOWS\system32\CCM\CcmExec.exe [2006-02-09 578784]
R2 CVPND;Cisco Systems, Inc. VPN Service; C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe [2005-02-10 1409048]
R2 EvtEng;Intel® PROSet/Wireless Event Log; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [2006-08-01 434176]
R2 Irmon;Infrared Monitor; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-01-12 153376]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2005-03-17 38912]
R2 McAfeeFramework;McAfee Framework Service; C:\Program Files\Network Associates\Common Framework\FrameworkService.exe [2006-11-17 104000]
R2 MCIMonitor;MCI Monitor Service; C:\Program Files\Remote Services\WENGINE\wmonitor.exe [2006-01-24 69696]
R2 McShield;Network Associates McShield; C:\Program Files\Network Associates\VirusScan\Mcshield.exe [2007-01-18 221191]
R2 McTaskManager;Network Associates Task Manager; C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe [2007-01-18 29184]
R2 RegSrvc;Intel® PROSet/Wireless Registry Service; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [2006-08-01 327680]
R2 S24EventMonitor;Intel® PROSet/Wireless Service; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [2006-08-01 937984]
R2 SoundMAX Agent Service (default);SoundMAX Agent Service; C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe [2002-09-20 45056]
R2 WLANKEEPER;Intel® PROSet/Wireless SSO Service; C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe [2006-08-01 290816]
R2 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
R2 Wuser32;SMS Remote Control Agent; C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe [2006-02-09 248544]
S2 MaxBackServiceInt;MaxBackServiceInt; C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe []
S2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2007-08-09 73728]
S2 Roxio Upnp Server 9;Roxio Upnp Server 9; C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe [2007-07-24 358896]
S2 RoxLiveShare9;LiveShare P2P Server 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe [2007-08-16 309744]
S2 RoxWatch9;Roxio Hard Drive Watcher 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe [2007-08-16 166384]
S3 AM.InstallService;Access Manager Install Service; C:\Program Files\Remote Services\AM.InstallService.exe [2006-09-14 81920]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 HP Port Resolver;HP Port Resolver; C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE [2005-05-20 81920]
S3 HP Status Server;HP Status Server; C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE [2004-10-16 73728]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 Roxio UPnP Renderer 9;Roxio UPnP Renderer 9; C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe [2007-07-24 88560]
S3 RoxMediaDB9;RoxMediaDB9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [2007-08-16 1092080]
S3 WinVNC;VNC Server; WinVNC.exe -service []
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

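The RSIT output above is what the helper reads by hand. As an added example (not code from this thread or from RSIT), the Python script below parses the three list formats shown in the log (files created/modified, drivers, services) and flags the entries a malware-removal helper looks at first: hidden+system files inside system32 (how tupopazo.exe appears above) and drivers or services whose image has no date/size (the empty [] printed for EntDrv51, vsdatant and WinVNC). The sample lines are a constructed excerpt in the log's format; the flag names and heuristics are assumptions of this example.

```python
"""Triage helper for RSIT-style logs like the one posted above.

Added example, not part of this thread and not RSIT's own code. Parses the
three list formats visible in the log (files created/modified, drivers,
services) and flags the entries a malware-removal helper reads first.
Heuristic only: the output is a review queue, not a verdict.
"""
import re
from dataclasses import dataclass

# "2009-12-30 22:27:36 ----SH---- C:\WINDOWS\system32\tupopazo.exe"
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ----([A-Z]*)---- (.+)$")
# "R3 EntDrv51;EntDrv51; \??\C:\WINDOWS\system32\drivers\EntDrv51.sys []"
# groups: state, start type, key name, display name, image path, "[date size]" content
SVC_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*); (.+?) \[([^\]]*)\]$")
SECTION_RE = re.compile(r"^======List of (\w+)")
# Absolute image paths: C:\..., \??\C:\..., or an NT \Device\... object path.
ABS_PATH_RE = re.compile(r"^(?:\\\?\?\\)?[A-Za-z]:\\|^\\Device\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str      # "files", "drivers" or "services"
    name: str         # full path for files; key name for drivers/services
    reasons: tuple    # one or more human-readable reasons


def triage_file_entry(attrs: str, path: str) -> tuple:
    """Return reasons to look at a 'files created/modified' entry (empty if none)."""
    reasons = []
    # Hidden+system attributes on a plain file (no 'D' directory flag) inside
    # system32 is how tupopazo.exe sat in the log above; ComboFix later deleted it.
    # Directories such as C:\WINDOWS\CSC are legitimately SHD, hence the 'D' test.
    if "H" in attrs and "S" in attrs and "D" not in attrs and "\\system32\\" in path.lower():
        reasons.append("hidden+system file in system32")
    return tuple(reasons)


def triage_service_entry(image: str, info: str) -> tuple:
    """Return reasons to look at a driver/service entry (empty if none)."""
    reasons = []
    # RSIT prints [date size] when it can stat the image; an empty [] means the
    # file was not found where the registry points (EntDrv51, vsdatant, WinVNC above).
    if info == "":
        reasons.append("no date/size: image not found on disk")
    # A bare "WinVNC.exe -service" is resolved via the search path at start time,
    # which is worth a look on its own.
    if not ABS_PATH_RE.match(image):
        reasons.append("image path is not absolute")
    return tuple(reasons)


def parse_and_triage(log_text: str) -> list:
    """Walk an RSIT log and collect Findings, section by section."""
    findings = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)       # "files", "drivers", "services", ...
            continue
        if section == "files":
            f = FILE_RE.match(line)
            if f:
                reasons = triage_file_entry(f.group(2), f.group(3))
                if reasons:
                    findings.append(Finding("files", f.group(3), reasons))
        elif section in ("drivers", "services"):
            s = SVC_RE.match(line)
            if s:
                reasons = triage_service_entry(s.group(5), s.group(6))
                if reasons:
                    findings.append(Finding(section, s.group(3), reasons))
    return findings


# Constructed excerpt in the log's format (a handful of lines, not the full log).
SAMPLE_LOG = r"""
======List of files/folders created in the last 3 months======

2010-01-12 19:25:30 ----HDC---- C:\WINDOWS\$NtUninstallKB972270$
2010-01-12 18:03:47 ----A---- C:\WINDOWS\system32\MRT.exe
2009-12-30 22:27:36 ----SH---- C:\WINDOWS\system32\tupopazo.exe
2009-12-07 14:03:41 ----SHD---- C:\WINDOWS\CSC

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R3 EntDrv51;EntDrv51; \??\C:\WINDOWS\system32\drivers\EntDrv51.sys []
S3 NaiAvFilter101;NAI Anti Virus; \Device\NaiAvFilter101.sys []
S3 vsdatant;vsdatant; \??\C:\WINDOWS\system32\vsdatant.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 McShield;Network Associates McShield; C:\Program Files\Network Associates\VirusScan\Mcshield.exe [2007-01-18 221191]
S3 WinVNC;VNC Server; WinVNC.exe -service []
"""

if __name__ == "__main__":
    for finding in parse_and_triage(SAMPLE_LOG):
        print(f"[{finding.section}] {finding.name}: {'; '.join(finding.reasons)}")
```

Run it against a full RSIT log to get the same review queue a helper builds by eye; an entry's absence from the queue says nothing about it, since the checks are deliberately narrow.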

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:06 PM

Posted 17 January 2010 - 06:44 PM

Hi Tim Moll,

Many files have been removed since you last posted.
Did you do that?

What symptoms are you seeing?

Is this a business, work or corporate computer?
I see you are running McAfee VirusScan Enterprise which is run by corporations.
Do you know how to disable it?



Edited by SifuMike, 17 January 2010 - 06:46 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Tim Moll

Tim Moll
  • Topic Starter

  • Members
  • 9 posts
  • Local time:10:06 PM

Posted 17 January 2010 - 07:00 PM

Hi Mike,

I have re-run Malwarebytes Anti-Malware a couple of times, but that is it. The laptop was an ex-works one, which is why it has the enterprise version of McAfee running. I know how to disable the on-access scanner, but not how to disable it completely, other than going into msconfig and telling it not to start up.

Tim

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:06 PM

Posted 17 January 2010 - 07:24 PM

Hi Tim,

QUOTE
The laptop was an ex-works one which is why it has the enterprise version of McAfee running.

McAfee products are generally core hogs and slow computers.
If you want to get rid of McAfee VirusScan Enterprise, there are free antivirus programs you can install.



We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your McAfee VirusScan Enterprise before running ComboFix, as it will prevent it from running.

If you can't disable McAfee VirusScan Enterprise, then you will have to uninstall it.

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop. <==IMPORTANT

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log. The log will be saved as C:\ComboFix.txt

Edited by SifuMike, 17 January 2010 - 07:29 PM.


#7 Tim Moll

Tim Moll
  • Topic Starter

  • Members
  • 9 posts
  • Local time:10:06 PM

Posted 18 January 2010 - 05:29 AM

Hi Mike,

Please find below the ComboFix Log.

ComboFix 10-01-17.02 - Administrator 18/01/2010 10:08:22.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1535.1091 [GMT 0:00]
Running from: c:\documents and settings\Administrator.WII91R0R\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\alletv\Application Data\Microsoft\SystemBackup\winload.dll
c:\recycler\S-1-5-21-2015975547-2879303852-3464421488-500
c:\recycler\S-1-5-21-3840715228-2935352263-272279454-500
c:\recycler\S-1-5-21-413565274-4226273451-1675445562-500
c:\windows\EventSystem.log
c:\windows\system32\cbXpOGyx.dll
c:\windows\system32\dibafeya.dll.tmp
c:\windows\system32\drccdcbo.ini
c:\windows\system32\fcnliiep.dll
c:\windows\system32\feahmbmg.ini
c:\windows\system32\gusogire.dll.tmp
c:\windows\system32\gwqeyvbo.ini
c:\windows\system32\ippiaqmh.ini
c:\windows\system32\jcofjecl.ini
c:\windows\system32\klhfdokc.dll
c:\windows\system32\logs
c:\windows\system32\logs\WII_011.ISN
c:\windows\system32\LVwDdMoq.ini
c:\windows\system32\LVwDdMoq.ini2
c:\windows\system32\lxybxlgd.dll
c:\windows\system32\mileyige.exe
c:\windows\system32\mitafawu.exe
c:\windows\system32\nerinege.exe
c:\windows\system32\nigavimi.dll
c:\windows\system32\NppXwGgh.ini
c:\windows\system32\NppXwGgh.ini2
c:\windows\system32\nxwvqgsr.dll
c:\windows\system32\paduzebe.dll
c:\windows\system32\qybqkuby.ini
c:\windows\system32\risowupa.dll
c:\windows\system32\rteqidqt.ini
c:\windows\system32\sgtqrsmt.dll
c:\windows\system32\sheeotsq.ini
c:\windows\system32\smsyxbwm.ini
c:\windows\system32\sthevpcx.ini
c:\windows\system32\svpcxboe.ini
c:\windows\system32\tupopazo.exe
c:\windows\system32\u2g.f
c:\windows\system32\wehazibi.dll
c:\windows\system32\yitefuko.dll
c:\windows\system32\yurebuju.dll
c:\windows\system32\zudovase.dll
c:\windows\system32\zugovela.exe

.
((((((((((((((((((((((((( Files Created from 2009-12-18 to 2010-01-18 )))))))))))))))))))))))))))))))
.

2010-01-18 09:26 . 2010-01-18 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-01-17 18:18 . 2010-01-17 18:27 -------- d-----w- C:\rsit
2010-01-17 18:18 . 2010-01-17 18:27 -------- d-----w- c:\program files\trend micro
2010-01-14 09:22 . 2010-01-14 09:22 -------- d-----w- c:\documents and settings\alletv\Tracing
2010-01-13 14:57 . 2010-01-13 14:57 -------- d-----w- c:\documents and settings\alletv\Application Data\Malwarebytes
2010-01-13 13:15 . 2010-01-13 13:15 -------- d-----w- c:\documents and settings\alletv\Application Data\webex
2010-01-13 13:13 . 2010-01-13 13:14 -------- d-----w- c:\program files\WebEx
2010-01-13 12:24 . 2010-01-13 12:24 -------- d-sh--w- c:\documents and settings\alletv\IECompatCache
2010-01-13 12:24 . 2010-01-13 12:24 -------- d-sh--w- c:\documents and settings\alletv\PrivacIE
2010-01-13 12:22 . 2010-01-13 12:22 -------- d-sh--w- c:\documents and settings\alletv\IETldCache
2010-01-13 00:10 . 2010-01-18 10:18 -------- d-----w- c:\documents and settings\Administrator.WII91R0R\Tracing
2010-01-13 00:07 . 2010-01-13 00:07 -------- d-----w- c:\program files\Microsoft
2010-01-13 00:07 . 2010-01-13 00:07 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-01-13 00:06 . 2010-01-13 00:07 -------- d-----w- c:\program files\Windows Live
2010-01-12 23:48 . 2010-01-12 23:48 -------- d-----w- c:\program files\Common Files\Windows Live
2010-01-12 19:22 . 2010-01-12 19:22 -------- d-----w- c:\windows\ie8updates
2010-01-12 19:09 . 2009-10-29 07:45 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-01-12 19:09 . 2009-10-29 07:45 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-01-12 18:47 . 2010-01-12 18:47 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-01-12 18:46 . 2010-01-12 18:47 -------- d-----w- c:\documents and settings\Administrator.WII91R0R\Local Settings\Application Data\Adobe
2010-01-12 18:36 . 2010-01-12 18:36 -------- d-sh--w- c:\documents and settings\Administrator.WII91R0R\IECompatCache
2010-01-12 18:35 . 2010-01-12 18:35 -------- d-sh--w- c:\documents and settings\Administrator.WII91R0R\PrivacIE
2010-01-12 18:31 . 2010-01-12 18:31 -------- d-sh--w- c:\documents and settings\Administrator.WII91R0R\IETldCache
2010-01-12 18:12 . 2010-01-12 18:12 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-01-12 17:59 . 2010-01-12 17:59 -------- d-----w- c:\program files\MSXML 4.0
2010-01-12 17:47 . 2010-01-12 17:49 -------- dc-h--w- c:\windows\ie8
2010-01-12 17:41 . 2010-01-12 17:41 -------- d-----w- c:\windows\system32\zh-HK
2010-01-12 17:31 . 2010-01-12 17:31 -------- d-----w- c:\documents and settings\Administrator.WII91R0R\Local Settings\Application Data\Microsoft Help
2010-01-12 17:09 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2010-01-12 17:09 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2010-01-12 17:09 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2010-01-12 17:09 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2010-01-12 17:09 . 2009-06-25 08:25 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2010-01-12 17:09 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2010-01-12 17:09 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2010-01-12 17:09 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-01-12 17:09 . 2009-08-04 15:13 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-01-12 17:09 . 2009-08-04 20:44 2189184 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-01-12 17:08 . 2009-08-04 14:20 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-01-12 17:08 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-01-12 17:06 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2010-01-12 17:06 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-01-12 17:05 . 2009-07-31 04:35 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2010-01-12 17:05 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-01-12 17:04 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2010-01-12 12:22 . 2010-01-12 12:22 -------- d-----w- c:\windows\Sun
2010-01-12 12:20 . 2010-01-12 12:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-12 12:19 . 2010-01-12 12:19 152576 ----a-w- c:\documents and settings\Administrator.WII91R0R\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-12 12:17 . 2010-01-12 12:17 79488 ----a-w- c:\documents and settings\Administrator.WII91R0R\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-12 12:12 . 2010-01-12 12:12 -------- d-----w- c:\documents and settings\Administrator.WII91R0R\.java
2010-01-12 11:10 . 2010-01-12 11:11 -------- d-----w- C:\bd8dd3836c128a434c006ec0adb5
2010-01-12 11:10 . 2010-01-12 16:34 -------- d-----w- c:\windows\SxsCaPendDel
2010-01-12 09:33 . 2010-01-12 09:33 -------- d-----w- c:\documents and settings\Administrator.WII91R0R\Application Data\Malwarebytes
2010-01-12 09:33 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-12 09:33 . 2010-01-12 09:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-12 09:33 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-12 09:33 . 2010-01-12 09:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-12 09:18 . 2010-01-12 09:18 -------- d-----w- c:\documents and settings\Administrator.WII91R0R\Local Settings\Application Data\IsolatedStorage
2010-01-12 09:18 . 2010-01-12 09:18 -------- d-----w- c:\documents and settings\Administrator.WII91R0R\Application Data\HP
2010-01-12 09:18 . 2010-01-12 09:18 -------- d-----w- c:\documents and settings\Administrator.WII91R0R\Local Settings\Application Data\HP
2010-01-12 09:18 . 2010-01-12 09:18 145 ----a-w- c:\documents and settings\Administrator.WII91R0R\Local Settings\Application Data\fusioncache.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-18 09:32 . 2005-12-01 16:06 -------- d-----w- c:\program files\Network Associates
2010-01-18 09:32 . 2005-12-01 16:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Network Associates
2010-01-12 23:45 . 2005-12-01 15:27 132968 -c--a-w- c:\documents and settings\WIIAdmin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-12 19:24 . 2007-07-18 15:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-12 19:15 . 2007-07-18 15:13 -------- d-----w- c:\program files\Microsoft Works
2010-01-12 18:52 . 2005-11-30 18:19 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-12 12:19 . 2005-11-30 17:41 -------- d-----w- c:\program files\Java
2010-01-12 10:28 . 2009-05-20 17:17 -------- d-----w- c:\program files\Angle Interactive
2009-12-31 18:46 . 2008-04-10 16:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-29 07:46 . 2009-10-29 07:46 78336 ------w- c:\windows\system32\ieencode.dll
2009-10-29 07:45 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-02-27 08:31 . 2009-02-27 08:31 50688 -csha-w- c:\windows\system32\beyobusu.dll.tmp
1601-01-01 00:12 . 1601-01-01 00:12 64306 -csha-w- c:\windows\system32\jawuzela.dll
2009-02-27 08:31 . 2009-02-27 08:31 50688 -csha-w- c:\windows\system32\jazukimo.dll.tmp
1601-01-01 00:12 . 1601-01-01 00:12 65673 -csha-w- c:\windows\system32\kivizazu.dll.tmp
2009-01-09 13:05 . 2009-01-09 13:05 71168 -csha-w- c:\windows\system32\kivumolo.dll.tmp
2009-01-07 12:02 . 2009-01-07 12:02 68608 -csha-w- c:\windows\system32\laraletu.dll.tmp
2009-01-15 10:13 . 2009-01-15 10:13 69120 -csha-w- c:\windows\system32\ligalijo.dll.tmp
1601-01-01 00:12 . 1601-01-01 00:12 62017 -csha-w- c:\windows\system32\mopidozu.dll.tmp
2009-02-27 08:31 . 2009-02-27 08:31 50688 -csha-w- c:\windows\system32\povisema.dll.tmp
2009-01-09 13:05 . 2009-01-09 13:05 71168 -csha-w- c:\windows\system32\relipasi.dll.tmp
2009-01-21 13:55 . 1601-01-01 00:12 133392 -csha-w- c:\windows\system32\telowewa.dll
2009-01-20 07:34 . 1601-01-01 00:12 100643 -csha-w- c:\windows\system32\tojedela.dll
1601-01-01 00:12 . 1601-01-01 00:12 62017 -csha-w- c:\windows\system32\vepujoto.dll.tmp
1601-01-01 00:12 . 1601-01-01 00:12 62017 -csha-w- c:\windows\system32\vinomisu.dll.tmp
1601-01-01 00:12 . 1601-01-01 00:12 64306 -csha-w- c:\windows\system32\viyogula.dll
2009-02-15 09:16 . 2009-02-15 09:16 71168 -csha-w- c:\windows\system32\vororeni.dll.tmp
2009-01-15 10:13 . 2009-01-15 10:13 69120 -csha-w- c:\windows\system32\voyuvofe.dll.tmp
2009-07-29 10:57 . 2009-04-29 10:57 178688 -csha-w- c:\windows\system32\vulojedu.dll
2009-01-07 12:02 . 2009-01-07 12:02 68608 -csha-w- c:\windows\system32\vunahate.dll.tmp
2009-04-27 13:17 . 2009-04-27 13:17 81408 -csha-w- c:\windows\system32\zotemiso.dll.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-01-20 339968]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2004-12-08 184320]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 106544]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 88209]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-12-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-12-21 126976]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-01 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-01 696320]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-12 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

c:\documents and settings\alletv\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-2-20 344064]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2005-11-30 184320]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\alle32.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiapsrv.exe"=
"c:\\WINDOWS\\system32\\HPZipm12.exe"=
"c:\\Program Files\\Cisco Systems\\Cisco IP Communicator\\Communicator.exe"=
"%windir%\\system32\\lsass.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [22/08/2007 12:31 682232]
R2 AM.EventService;Access Manager Event Service;c:\program files\Remote Services\AM.utEventServer.exe [14/09/2006 19:54 28672]
R2 AM.ScriptService;Access Manager Script Service;c:\program files\Remote Services\AM.blScriptEngine.exe [14/09/2006 19:54 28672]
R2 CdpPacket;Cisco Discovery Protocol Packet Driver;c:\windows\system32\drivers\CdpPacket.sys [23/03/2004 12:03 35685]
R2 MCIMonitor;MCI Monitor Service;c:\program files\Remote Services\WENGINE\wmonitor.exe [24/01/2006 15:07 69696]
R3 BW2NDIS5;BW2NDIS5 NDIS Protocol Driver;c:\windows\system32\drivers\BW2NDIS5.SYS [02/11/2004 22:33 17536]
R3 Cpmt;Cisco Media Termination;c:\windows\system32\drivers\Cpmt.sys [23/03/2004 12:03 1912693]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [19/12/2005 21:03 80384]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [02/09/2004 12:30 32640]
S3 AM.InstallService;Access Manager Install Service;c:\program files\Remote Services\AM.InstallService.exe [14/09/2006 19:54 81920]
S3 NaiAvFilter101;NAI Anti Virus;\Device\NaiAvFilter101.sys --> \Device\NaiAvFilter101.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://wilber.wescast.com/
uInternet Connection Wizard,ShellNext = hxxp://wilber.wescast.com/
uInternet Settings,ProxyServer = proxy.wescast.com:8080
uInternet Settings,ProxyOverride = 10.*.*.*;*.wescast.com;192.168.*.*;<local>
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

AddRemove-TweakUI - c:\windows\rundll32.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-18 10:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sptd.sys >>UNKNOWN [0x8A4CA8A8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74cbf28
\Driver\ACPI -> ACPI.sys @ 0xf725ecb8
\Driver\atapi -> atapi.sys @ 0xf71d5b40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
ParseProcedure -> ntkrnlpa.exe @ 0x80577c84
NDIS: Intel® PRO/Wireless 2200BG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf70debb0
PacketIndicateHandler -> NDIS.sys @ 0xf70cda0d
SendHandler -> NDIS.sys @ 0xf70e1b40
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2928179332-396987703-3025235683-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ff,ef,8a,d6,19,ea,98,41,ac,0f,b8,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ff,ef,8a,d6,19,ea,98,41,ac,0f,b8,\

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1344)
c:\windows\system32\IWPDGINA.DLL
c:\program files\Intel\Wireless\Bin\SsoGnENU.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3668)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
c:\windows\system32\CCM\CcmExec.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\AGRSMMSG.exe
c:\program files\Network Associates\Common Framework\McTray.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\HP\Digital Imaging\bin\hpqnrs08.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\system32\dwwin.exe
c:\windows\system32\HPZinw12.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2010-01-18 10:22:52 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-18 10:22

Pre-Run: 47,080,751,104 bytes free
Post-Run: 47,599,734,784 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - CAB1C8B72EAA755DF9EC20359A687E70


#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:06 PM

Posted 18 January 2010 - 01:46 PM

Hi Tim Moll,

You need to disable your McAfee VirusScan Enterprise Antivirus before running ComboFix, as it will prevent it from running.

If you can't disable it, then you will have to uninstall it.

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

CODE
File::
c:\windows\system32\beyobusu.dll.tmp
c:\windows\system32\jawuzela.dll
c:\windows\system32\jazukimo.dll.tmp
c:\windows\system32\kivizazu.dll.tmp
c:\windows\system32\kivumolo.dll.tmp
c:\windows\system32\laraletu.dll.tmp
c:\windows\system32\ligalijo.dll.tmp
c:\windows\system32\mopidozu.dll.tmp
c:\windows\system32\povisema.dll.tmp
c:\windows\system32\relipasi.dll.tmp
c:\windows\system32\telowewa.dll
c:\windows\system32\tojedela.dll
c:\windows\system32\vepujoto.dll.tmp
c:\windows\system32\vinomisu.dll.tmp
c:\windows\system32\viyogula.dll
c:\windows\system32\vororeni.dll.tmp
c:\windows\system32\voyuvofe.dll.tmp
c:\windows\system32\vulojedu.dll
c:\windows\system32\vunahate.dll.tmp
c:\windows\system32\zotemiso.dll.tmp

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.




This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
The combofix log can also be found at C:\ComboFix.txt.



If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
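The files listed in the CFScript above were picked out of the Find3M report posted earlier in the thread. As an added example (not code from the page, from ComboFix, or from the helper's post), the following Python script parses Find3M-style lines in the format shown in those logs and flags the traits those entries share: system and hidden attribute bits on a file directly under system32, a 1601-01-01 time stamp (the Windows FILETIME epoch, which a real file never gets and which points to a zeroed or forged time stamp), and a random-looking eight-letter name. The sample lines are copied from the log above, with three benign entries from the same log included so the heuristics can be seen not to fire on them; the attribute-letter meanings (s = system, h = hidden, d = directory) are assumed from the convention ComboFix appears to use on this page.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Find3M line layout as it appears in the logs on this page:
#   <mtime> . <ctime> <size or --------> <8 attribute letters> <path>
LINE_RE = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-+|\d+) "
    r"(?P<attrs>[-a-z]{8}) "
    r"(?P<path>.+)$"
)

# Eight lowercase letters followed by .dll or .dll.tmp, the naming pattern
# shared by every file in the CFScript above.
RANDOM_NAME_RE = re.compile(r"[a-z]{8}\.dll(?:\.tmp)?")

FILETIME_EPOCH = "1601-01-01"

# Sample lines copied from the Find3M report in this thread (three benign
# entries first, then three of the flagged ones). Constructed test input.
SAMPLE = r"""
2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2010-01-12 12:20 . 2010-01-12 12:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-12 12:22 . 2010-01-12 12:22 -------- d-----w- c:\windows\Sun
2009-02-27 08:31 . 2009-02-27 08:31 50688 -csha-w- c:\windows\system32\beyobusu.dll.tmp
1601-01-01 00:12 . 1601-01-01 00:12 64306 -csha-w- c:\windows\system32\jawuzela.dll
2009-01-21 13:55 . 1601-01-01 00:12 133392 -csha-w- c:\windows\system32\telowewa.dll
"""


@dataclass
class Entry:
    mtime: str
    ctime: str
    size: Optional[int]   # None for directories (size shown as dashes)
    attrs: str            # assumed: d=directory, s=system, h=hidden, c=compressed, a=archive
    path: str


def parse_find3m(text: str) -> List[Entry]:
    """Parse every well-formed Find3M line; headers, dots and blanks are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["mtime"], m["ctime"], size, m["attrs"], m["path"]))
    return entries


def suspicious_reasons(e: Entry) -> List[str]:
    """Return the reasons an entry looks like the files targeted in this thread (empty if none)."""
    reasons: List[str] = []
    name = e.path.rsplit("\\", 1)[-1].lower()
    is_dir = e.attrs.startswith("d")
    in_system32 = "\\system32\\" in e.path.lower()

    # Legitimate system32 DLLs are normally not marked both system and hidden.
    if not is_dir and in_system32 and "s" in e.attrs and "h" in e.attrs:
        reasons.append("hidden+system file in system32")

    # 1601-01-01 is FILETIME zero: a stamp no real file system write produces.
    if e.mtime.startswith(FILETIME_EPOCH) or e.ctime.startswith(FILETIME_EPOCH):
        reasons.append("timestamp at FILETIME epoch (1601-01-01)")

    # A random-looking name only counts as supporting evidence: plenty of
    # legitimate DLLs (deploytk.dll above) also have eight lowercase letters.
    if reasons and RANDOM_NAME_RE.fullmatch(name):
        reasons.append("random-looking 8-letter name")
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Map each flagged path to its list of reasons."""
    result: Dict[str, List[str]] = {}
    for e in parse_find3m(text):
        reasons = suspicious_reasons(e)
        if reasons:
            result[e.path] = reasons
    return result


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Run against the full Find3M section of the log, the script lists exactly the twenty paths the CFScript deletes and nothing else; on its own it is a triage aid for reading these reports, not a cleaner, and the final decision stays with whoever reviews the log.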

#9 Tim Moll

Tim Moll
  • Topic Starter

  • Members
  • 9 posts
  • Local time:10:06 PM

Posted 18 January 2010 - 02:51 PM

QUOTE(SifuMike @ Jan 18 2010, 06:46 PM)
Hi Tim Moll,

You need to disable your McAfee VirusScan Enterprise Antivirus before running ComboFix, as it will prevent it from running.

If you can't disable it, then you will have to uninstall it.


Hi Mike,

I am a little confused as I HAVE uninstalled McAfee.....is it showing as still being installed?

Tim

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:06 PM

Posted 18 January 2010 - 02:56 PM



If you uninstalled it then you can proceed.

#11 Tim Moll

Tim Moll
  • Topic Starter

  • Members
  • 9 posts
  • Local time:10:06 PM

Posted 18 January 2010 - 04:33 PM

Hi Mike,

I have done as requested and attach the log below. One question I have is: is it normal for ComboFix to say it has to upload some files to a server while doing this operation? Also, I got a prompt saying there is a newer version of ComboFix and asking if I wanted to download it; I said no to this. I hope this was the correct thing to do?

Thanks,

Tim

ComboFix 10-01-17.02 - Administrator 18/01/2010 21:20:37.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1535.1089 [GMT 0:00]
Running from: c:\documents and settings\Administrator.WII91R0R\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator.WII91R0R\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\beyobusu.dll.tmp"
"c:\windows\system32\jawuzela.dll"
"c:\windows\system32\jazukimo.dll.tmp"
"c:\windows\system32\kivizazu.dll.tmp"
"c:\windows\system32\kivumolo.dll.tmp"
"c:\windows\system32\laraletu.dll.tmp"
"c:\windows\system32\ligalijo.dll.tmp"
"c:\windows\system32\mopidozu.dll.tmp"
"c:\windows\system32\povisema.dll.tmp"
"c:\windows\system32\relipasi.dll.tmp"
"c:\windows\system32\telowewa.dll"
"c:\windows\system32\tojedela.dll"
"c:\windows\system32\vepujoto.dll.tmp"
"c:\windows\system32\vinomisu.dll.tmp"
"c:\windows\system32\viyogula.dll"
"c:\windows\system32\vororeni.dll.tmp"
"c:\windows\system32\voyuvofe.dll.tmp"
"c:\windows\system32\vulojedu.dll"
"c:\windows\system32\vunahate.dll.tmp"
"c:\windows\system32\zotemiso.dll.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\beyobusu.dll.tmp
c:\windows\system32\jawuzela.dll
c:\windows\system32\jazukimo.dll.tmp
c:\windows\system32\kivizazu.dll.tmp
c:\windows\system32\kivumolo.dll.tmp
c:\windows\system32\laraletu.dll.tmp
c:\windows\system32\ligalijo.dll.tmp
c:\windows\system32\mopidozu.dll.tmp
c:\windows\system32\povisema.dll.tmp
c:\windows\system32\relipasi.dll.tmp
c:\windows\system32\telowewa.dll
c:\windows\system32\tojedela.dll
c:\windows\system32\vepujoto.dll.tmp
c:\windows\system32\vinomisu.dll.tmp
c:\windows\system32\viyogula.dll
c:\windows\system32\vororeni.dll.tmp
c:\windows\system32\voyuvofe.dll.tmp
c:\windows\system32\vulojedu.dll
c:\windows\system32\vunahate.dll.tmp
c:\windows\system32\zotemiso.dll.tmp

.
((((((((((((((((((((((((( Files Created from 2009-12-18 to 2010-01-18 )))))))))))))))))))))))))))))))
.

2010-01-18 09:26 . 2010-01-18 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-01-17 18:18 . 2010-01-17 18:27 -------- d-----w- C:\rsit
2010-01-17 18:18 . 2010-01-17 18:27 -------- d-----w- c:\program files\trend micro
2010-01-14 09:22 . 2010-01-14 09:22 -------- d-----w- c:\documents and settings\alletv\Tracing
2010-01-13 14:57 . 2010-01-13 14:57 -------- d-----w- c:\documents and settings\alletv\Application Data\Malwarebytes
2010-01-13 13:15 . 2010-01-13 13:15 -------- d-----w- c:\documents and settings\alletv\Application Data\webex
2010-01-13 13:13 . 2010-01-13 13:14 -------- d-----w- c:\program files\WebEx
2010-01-13 12:24 . 2010-01-13 12:24 -------- d-sh--w- c:\documents and settings\alletv\IECompatCache
2010-01-13 12:24 . 2010-01-13 12:24 -------- d-sh--w- c:\documents and settings\alletv\PrivacIE
2010-01-13 12:22 . 2010-01-13 12:22 -------- d-sh--w- c:\documents and settings\alletv\IETldCache
2010-01-13 00:10 . 2010-01-18 10:45 -------- d-----w- c:\documents and settings\Administrator.WII91R0R\Tracing
2010-01-13 00:07 . 2010-01-13 00:07 -------- d-----w- c:\program files\Microsoft
2010-01-13 00:07 . 2010-01-13 00:07 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-01-13 00:06 . 2010-01-13 00:07 -------- d-----w- c:\program files\Windows Live
2010-01-12 23:48 . 2010-01-12 23:48 -------- d-----w- c:\program files\Common Files\Windows Live
2010-01-12 19:22 . 2010-01-12 19:22 -------- d-----w- c:\windows\ie8updates
2010-01-12 19:09 . 2009-10-29 07:45 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-01-12 19:09 . 2009-10-29 07:45 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-01-12 18:47 . 2010-01-12 18:47 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-01-12 18:46 . 2010-01-12 18:47 -------- d-----w- c:\documents and settings\Administrator.WII91R0R\Local Settings\Application Data\Adobe
2010-01-12 18:36 . 2010-01-12 18:36 -------- d-sh--w- c:\documents and settings\Administrator.WII91R0R\IECompatCache
2010-01-12 18:35 . 2010-01-12 18:35 -------- d-sh--w- c:\documents and settings\Administrator.WII91R0R\PrivacIE
2010-01-12 18:31 . 2010-01-12 18:31 -------- d-sh--w- c:\documents and settings\Administrator.WII91R0R\IETldCache
2010-01-12 18:12 . 2010-01-12 18:12 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-01-12 17:59 . 2010-01-12 17:59 -------- d-----w- c:\program files\MSXML 4.0
2010-01-12 17:47 . 2010-01-12 17:49 -------- dc-h--w- c:\windows\ie8
2010-01-12 17:41 . 2010-01-12 17:41 -------- d-----w- c:\windows\system32\zh-HK
2010-01-12 17:31 . 2010-01-12 17:31 -------- d-----w- c:\documents and settings\Administrator.WII91R0R\Local Settings\Application Data\Microsoft Help
2010-01-12 17:09 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2010-01-12 17:09 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2010-01-12 17:09 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2010-01-12 17:09 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2010-01-12 17:09 . 2009-06-25 08:25 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2010-01-12 17:09 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2010-01-12 17:09 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2010-01-12 17:09 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-01-12 17:09 . 2009-08-04 15:13 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-01-12 17:09 . 2009-08-04 20:44 2189184 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-01-12 17:08 . 2009-08-04 14:20 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-01-12 17:08 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-01-12 17:06 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2010-01-12 17:06 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-01-12 17:05 . 2009-07-31 04:35 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2010-01-12 17:05 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-01-12 17:04 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2010-01-12 12:22 . 2010-01-12 12:22 -------- d-----w- c:\windows\Sun
2010-01-12 12:20 . 2010-01-12 12:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-12 12:19 . 2010-01-12 12:19 152576 ----a-w- c:\documents and settings\Administrator.WII91R0R\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-12 12:17 . 2010-01-12 12:17 79488 ----a-w- c:\documents and settings\Administrator.WII91R0R\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-12 12:12 . 2010-01-12 12:12 -------- d-----w- c:\documents and settings\Administrator.WII91R0R\.java
2010-01-12 11:10 . 2010-01-12 11:11 -------- d-----w- C:\bd8dd3836c128a434c006ec0adb5
2010-01-12 11:10 . 2010-01-12 16:34 -------- d-----w- c:\windows\SxsCaPendDel
2010-01-12 09:33 . 2010-01-12 09:33 -------- d-----w- c:\documents and settings\Administrator.WII91R0R\Application Data\Malwarebytes
2010-01-12 09:33 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-12 09:33 . 2010-01-12 09:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-12 09:33 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-12 09:33 . 2010-01-12 09:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-12 09:18 . 2010-01-12 09:18 -------- d-----w- c:\documents and settings\Administrator.WII91R0R\Local Settings\Application Data\IsolatedStorage
2010-01-12 09:18 . 2010-01-12 09:18 -------- d-----w- c:\documents and settings\Administrator.WII91R0R\Application Data\HP
2010-01-12 09:18 . 2010-01-12 09:18 -------- d-----w- c:\documents and settings\Administrator.WII91R0R\Local Settings\Application Data\HP
2010-01-12 09:18 . 2010-01-12 09:18 145 ----a-w- c:\documents and settings\Administrator.WII91R0R\Local Settings\Application Data\fusioncache.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-18 09:32 . 2005-12-01 16:06 -------- d-----w- c:\program files\Network Associates
2010-01-18 09:32 . 2005-12-01 16:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Network Associates
2010-01-12 23:45 . 2005-12-01 15:27 132968 -c--a-w- c:\documents and settings\WIIAdmin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-12 19:24 . 2007-07-18 15:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-12 19:15 . 2007-07-18 15:13 -------- d-----w- c:\program files\Microsoft Works
2010-01-12 18:52 . 2005-11-30 18:19 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-12 12:19 . 2005-11-30 17:41 -------- d-----w- c:\program files\Java
2010-01-12 10:28 . 2009-05-20 17:17 -------- d-----w- c:\program files\Angle Interactive
2009-12-31 18:46 . 2008-04-10 16:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-29 07:46 . 2009-10-29 07:46 78336 ------w- c:\windows\system32\ieencode.dll
2009-10-29 07:45 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-01-20 339968]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2004-12-08 184320]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 106544]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-13 88209]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-12-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-12-21 126976]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-01 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-01 696320]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-12 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

c:\documents and settings\alletv\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-2-20 344064]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2005-11-30 184320]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\alle32.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiapsrv.exe"=
"c:\\WINDOWS\\system32\\HPZipm12.exe"=
"c:\\Program Files\\Cisco Systems\\Cisco IP Communicator\\Communicator.exe"=
"%windir%\\system32\\lsass.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R2 AM.EventService;Access Manager Event Service;c:\program files\Remote Services\AM.utEventServer.exe [14/09/2006 19:54 28672]
R2 AM.ScriptService;Access Manager Script Service;c:\program files\Remote Services\AM.blScriptEngine.exe [14/09/2006 19:54 28672]
R2 CdpPacket;Cisco Discovery Protocol Packet Driver;c:\windows\system32\drivers\CdpPacket.sys [23/03/2004 12:03 35685]
R2 MCIMonitor;MCI Monitor Service;c:\program files\Remote Services\WENGINE\wmonitor.exe [24/01/2006 15:07 69696]
R3 BW2NDIS5;BW2NDIS5 NDIS Protocol Driver;c:\windows\system32\drivers\BW2NDIS5.SYS [02/11/2004 22:33 17536]
R3 Cpmt;Cisco Media Termination;c:\windows\system32\drivers\Cpmt.sys [23/03/2004 12:03 1912693]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [19/12/2005 21:03 80384]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [02/09/2004 12:30 32640]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [22/08/2007 12:31 682232]
S3 AM.InstallService;Access Manager Install Service;c:\program files\Remote Services\AM.InstallService.exe [14/09/2006 19:54 81920]
S3 NaiAvFilter101;NAI Anti Virus;\Device\NaiAvFilter101.sys --> \Device\NaiAvFilter101.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://wilber.wescast.com/
uInternet Connection Wizard,ShellNext = hxxp://wilber.wescast.com/
uInternet Settings,ProxyServer = proxy.wescast.com:8080
uInternet Settings,ProxyOverride = 10.*.*.*;*.wescast.com;192.168.*.*;<local>
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-18 21:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2928179332-396987703-3025235683-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ff,ef,8a,d6,19,ea,98,41,ac,0f,b8,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ff,ef,8a,d6,19,ea,98,41,ac,0f,b8,\

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1288)
c:\windows\system32\IWPDGINA.DLL
c:\program files\Intel\Wireless\Bin\SsoGnENU.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-01-18 21:27:09
ComboFix-quarantined-files.txt 2010-01-18 21:27
ComboFix2.txt 2010-01-18 10:22

Pre-Run: 47,594,442,752 bytes free
Post-Run: 47,560,261,632 bytes free

- - End Of File - - 87DB37E030FC56DDF6D3E5C08365B9A5
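The firewall AuthorizedApplications list in the ComboFix log above is long enough that it is easy to skim past an entry. As an added example (not part of this thread, and not ComboFix's own tooling), here is a small Python script that parses that section of a ComboFix log, normalises the escaped paths, and prints the unique entries that do not live under Program Files so a helper can review them by hand. The sample input is copied from the list above; the expansion of %windir% to c:\WINDOWS and the "not under Program Files" heuristic are assumptions made for the example, and the output is a review list, not a verdict on any entry.

```python
"""Triage helper for the AuthorizedApplications section of a ComboFix log.

Constructed example for this thread; it is not part of ComboFix or of the
original posts. The heuristics below are assumptions, not a malware verdict.
"""
import re

# Constructed sample: lines copied from the AuthorizedApplications list in
# the ComboFix log above, plus the following section so the parser has to
# stop at a section boundary.
SAMPLE_LOG = r'''
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\alle32.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiapsrv.exe"=
"%windir%\\system32\\lsass.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
'''

# ComboFix writes the section as a registry key header ending in this suffix.
SECTION_SUFFIX = "AuthorizedApplications\\List]"
# One entry per line: a quoted, backslash-escaped path followed by "=".
ENTRY_RE = re.compile(r'^"(.+?)"=\s*$')


def parse_authorized_apps(text, windir="c:\\WINDOWS"):
    """Return the executable paths listed in the AuthorizedApplications section.

    Paths are unescaped, %windir% is expanded (assumed to be c:\\WINDOWS, as on
    the XP machine in this thread) and everything is lower-cased so duplicates
    written two different ways compare equal.
    """
    paths = []
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # A new registry key header starts or ends the section of interest.
            in_section = line.endswith(SECTION_SUFFIX)
            continue
        if not in_section:
            continue
        match = ENTRY_RE.match(line)
        if not match:
            continue
        path = match.group(1).replace("\\\\", "\\")
        if path.lower().startswith("%windir%"):
            path = windir + path[len("%windir%"):]
        paths.append(path.lower())
    return paths


def review_list(paths, trusted_prefixes=("c:\\program files\\",)):
    """Unique entries outside the trusted application directories.

    Heuristic (an assumption for this example): ordinary applications that
    legitimately need a firewall exception are installed under Program Files,
    so anything else is worth a manual look. Windows itself adds a few such
    entries (Remote Assistance, network diagnostics), so this is a review
    list, not a list of bad entries.
    """
    return [p for p in sorted(set(paths)) if not p.startswith(trusted_prefixes)]


if __name__ == "__main__":
    apps = parse_authorized_apps(SAMPLE_LOG)
    print(f"{len(apps)} entries, {len(set(apps))} unique after normalisation")
    for path in review_list(apps):
        print("review:", path)
```

Run it against a full ComboFix log by reading the file into `SAMPLE_LOG`'s place; the parser ignores every other section, so the whole log can be passed in unchanged.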


#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:06 PM

Posted 18 January 2010 - 05:29 PM

Hi Tim Moll,

QUOTE
One question I have is, is it normal for ComboFix to say it has to upload some files to a server while doing this operation?


Yes

QUOTE
Also, I got a prompt up to say there is a newer version of ComboFix and did I want to download it. I said no to this; I hope this was the correct thing to do?


No, you should have let it download the newer version.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove the older Java components and update.
    Please download Java Version 6 Update 17
  • Click the "Free Java Download" button.
  • Click "Free Java Download" again
  • Save the file jxpiinstall.exe to your desktop
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    J2SE Runtime Environment 5.0-
    Java 2 Runtime Environment Standard Edition v1.3.1_03

  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jxpiinstall.exe to install the newest version.

Please make sure you turn on the Java Automatic Update Feature
http://java.com/en/download/help/java_update.xml#howto

Note: This feature is available only on Windows XP, 2003, 2000 (SP2 or higher) and set by default for these operating systems.
Then you will not have to remember to update it when Java introduces a new version.
Java is updated very frequently, and the old versions are malware magnets.

************


We need to scan for Rootkits with GMER
  1. Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  2. Close any and all open programs, as this process may crash your computer.
  3. Double click or on your desktop.
  4. Allow the gmer.sys driver to load if asked.
  5. You may see this window. If you do, click No.

  6. Click on and wait for the scan to finish.
  7. If you see a rootkit warning window, click OK.
  8. Push and save the logfile to your desktop.
  9. Copy and Paste the contents of that file in your next post.



If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.



