Rootkit.Agent.DW.trojan Help needed! [RESOLVED]
#1
Posted 29 July 2007 - 02:37 PM
I'm having a hard time trying to get rid of several infections on my Windows XP system.
Firstly I was getting a blue screen of death when logging in; I could log in only in safe mode. After running HijackThis and removing several Winlogon Notify entries I successfully logged on. I also removed everything that NOD32 v2.7 suggested I remove.
Now, every time I log in NOD32 reports:
1) infection in c:\windows\system32\drivers\runtime.sys as Rootkit.Agent.DW.trojan from windows\temp\startdrv.exe
2) infection in c:\windows\system32\drivers\ip6fw.sys as Rootkit.Agent.DP.trojan from explorer.exe
3) infection in c:\documents and settings\xxx\local settings\temp\93584.exe as Wigon.Z trojan from iexplorer.exe (the name 93584.exe changes every time I log in)
* Although NOD32 removed these infections, they come back as soon as I log in again.
* When I try to go to any web site in Internet Explorer, NOD32 reports that someone is trying to fetch 83122.exe.
* The infection runs an invisible IExplorer.exe process and pumps out hundreds of SMTP requests, eating my bandwidth.
* In IceSword's System Service Descriptor Table view I get a red-highlighted "\SystemRoot\system32\drivers\runtime2.sys" (it is not visible at that location).
------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 22:32:46 PM, on 7/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IBM\Security\certtool.exe
C:\Program Files\IBM\Password Manager\pwmgr.exe
C:\WINDOWS\tppaldr.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\IBM\Bluetooth Software\BTTray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
c:\program files\business objects change notificator\businessobjectschangenotificator.process.exe
C:\Program Files\IBM\Security\uvmserv.exe
C:\WINDOWS\System32\ibmsmbus.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Microsoft Shared\MSSearch\Bin\mssearch.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Microsoft Web Test Recorder Helper - {62355041-605D-4469-84FD-5D66ED67A7E3} - C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [FRYMXINS] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ISS_Certtool] C:\Program Files\IBM\Security\certtool.exe
O4 - HKLM\..\Run: [IBM_PWMGR] C:\Program Files\IBM\Password Manager\pwmgr.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler\Fiddler.exe" (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmie.dll
O9 - Extra 'Tools' menuitem: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmie.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Start WebEx One-Click Meeting - {80947ADC-151D-490B-87F1-7C8CE1B46220} - C:\Program Files\webex\webex\350\atonecli.dll (HKCU)
O9 - Extra 'Tools' menuitem: Start WebEx One-Click Meeting - {80947ADC-151D-490B-87F1-7C8CE1B46220} - C:\Program Files\webex\webex\350\atonecli.dll (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D69485C-EAB1-42AE-93C1-B5A53F238C5A} (FileInterface Class) - https://online.banca...ilDLL/FSINT.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120655925379
O16 - DPF: {76326493-E84F-4D4B-939C-1E07B50037F2} (ProxyModule Class) - https://online.banca...LL/SGCMSCCD.DLL
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex.com/client/v_mywebex-mw...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AB90BB4-63DE-410D-ADBF-B1BDFBE775EE}: NameServer = 82.117.194.2,82.117.194.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{84C7BC31-4BA7-4F8A-BED7-825B6E9FF991}: NameServer = 82.117.194.2,82.117.194.3
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Business Objects Change Notificator Service - Ivan Celeketic, Emir Sadikovic, Milan Simic - c:\program files\business objects change notificator\businessobjectschangenotificator.process.exe
O23 - Service: IBM User Verification Manager - IBM - C:\Program Files\IBM\Security\uvmserv.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: SMBus Upgrade Service for Windows 2000 and above (ibmsmbus) - International Business Machines Corp. - C:\WINDOWS\System32\ibmsmbus.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server FullText Search (THINKPADSQL2005) (msftesql$THINKPADSQL2005) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:THINKPADSQL2005 (file missing)
O23 - Service: SQL Server Analysis Services (THINKPADSQL2005) (MSOLAP$THINKPADSQL2005) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe" -s "C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\Config (file missing)
O23 - Service: MSSQL$MSDE - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MSDE\Binn\sqlservr.exe" -sMSDE (file missing)
O23 - Service: SQL Server (THINKPADSQL2005) (MSSQL$THINKPADSQL2005) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sTHINKPADSQL2005 (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SQLAgent$MSDE - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MSDE\Binn\sqlagent.EXE" -i MSDE (file missing)
O23 - Service: SQL Server Agent (THINKPADSQL2005) (SQLAgent$THINKPADSQL2005) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE" -i THINKPADSQL2005 (file missing)
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
------------------------------------------------------------
Please help ASAP!
ngm
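The triage a helper does on a HijackThis log like the one above (O4 Run keys, O9 IE buttons, O20 Winlogon Notify, O23 services) can be partly automated. The script below is an added example written for this thread, not a tool posted by anyone in it and not part of HijackThis or ComboFix. It parses the v1.99 line format and flags entries worth a second look: a target marked "(file missing)", a Run entry with no absolute path, a Winlogon Notify entry that names only a directory, a file in a Temp folder, a system binary name (svchost.exe, spoolsv.exe, ...) living outside C:\WINDOWS or System32, and a filename one edit away from such a name (the spoolsvv.exe pattern). The sample log is constructed, modelled on entry types in the post; the C:\Recyclers\svchost.exe line is built from the ComboFix deletion list, not from the HijackThis log. A flag is a prompt to research the entry, not a verdict that it is malicious: regsvr32 /s mqrt.dll, for instance, is flagged only because it has no absolute path.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99 log format (not the poster's log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKCU\..\Run: [svchost] C:\Recyclers\svchost.exe
O9 - Extra button: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler\Fiddler.exe" (file missing)
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
"""

# Sections whose target is code that gets loaded; R0/R1 URL entries are skipped.
TRIAGE_SECTIONS = {"O2", "O3", "O4", "O9", "O20", "O21", "O23"}
# Well-known Windows binaries that should only live in the system directories.
KNOWN_SYSTEM_BINARIES = {"svchost.exe", "spoolsv.exe", "lsass.exe", "winlogon.exe",
                         "services.exe", "csrss.exe", "explorer.exe", "smss.exe", "ctfmon.exe"}
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32"}

LINE_RE = re.compile(r"^([OR]\d+) - (.*)$")
O4_RE = re.compile(r"^(.*?): \[(.*?)\] (.*)$")          # hive: [name] command
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|cpl|scr)\b', re.IGNORECASE)


@dataclass
class Entry:
    section: str
    name: str
    target: str
    raw: str


def parse_log(text):
    """Turn HijackThis lines into Entry records; non-matching lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, rest = m.groups()
        if section == "O4":
            o4 = O4_RE.match(rest)
            if o4:
                name, target = o4.group(2), o4.group(3)
            else:                                   # Startup folder form: "x.lnk = path"
                name, target = rest, rest.split(" = ", 1)[-1]
        else:
            parts = rest.split(" - ")               # "Kind: name - {clsid} - path"
            name, target = parts[0].split(": ", 1)[-1], parts[-1]
        entries.append(Entry(section, name, target, raw))
    return entries


def levenshtein(a, b):
    """Edit distance, used to catch one-character lookalikes of system binaries."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_path(target):
    m = PATH_RE.search(target)
    return m.group(0) if m else None


def triage(entry):
    """Return a list of review flags for one entry (empty list = nothing unusual)."""
    flags = []
    if "(file missing)" in entry.target.lower():
        flags.append("file_missing")
    path = extract_path(entry.target)
    if path is None:
        flags.append("bare_directory" if entry.target.strip().endswith("\\") else "no_absolute_path")
        return flags
    low = path.lower()
    directory, filename = low.rsplit("\\", 1)
    if "\\temp\\" in low:
        flags.append("temp_location")
    if filename in KNOWN_SYSTEM_BINARIES:
        if directory not in SYSTEM_DIRS:
            flags.append("system_name_outside_system_dir")
    else:
        for known in sorted(KNOWN_SYSTEM_BINARIES):
            if levenshtein(filename, known) == 1:
                flags.append("lookalike_of:" + known)
    return flags


def report(text):
    """Map entry name -> flags for every code-loading entry that raised a flag."""
    out = {}
    for e in parse_log(text):
        if e.section in TRIAGE_SECTIONS:
            flags = triage(e)
            if flags:
                out[e.name] = flags
    return out


if __name__ == "__main__":
    for name, flags in report(SAMPLE_LOG).items():
        print(f"{name:12s} {', '.join(flags)}")
```

On the constructed sample this flags spoolsvv (lookalike of spoolsv.exe), svchost under C:\Recyclers, MsmqIntCert (no absolute path), Fiddler (file missing) and WgaLogon (bare directory), and stays silent on nod32kui, QConGina and the IBM service. Entries that the log shows as legitimate vendor software still need the usual manual check; the heuristics only shorten the list.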
#2
Posted 29 July 2007 - 03:16 PM
"" - 2007-07-29 22:54:37 [GMT 2:00] - ComboFix 07-07-24 - Service Pack 2 NTFS
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\LOCALS~1\APPLIC~1\Install.dat
C:\DOCUME~1\NETWOR~1\APPLIC~1\Install.dat
C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Program Files\HijackThis\backups\backup-20070729-195300-651.dll
C:\Recyclers
C:\Recyclers\svchost.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\DOWNLO~1.\MyWebEx
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\atarm.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\atas32.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\atasanot.exe
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\atasctrl.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\atasnt40.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\atcarmcl.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\atdl2006.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\atjpeg60.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\atkbctl.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\atlchat.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\atmemmgr.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\atnetext.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\atpack.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\atres.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\attp.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\atwbxui5.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\ieatgpc.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\mwm.ini
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\mwmcliun.exe
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\mwmie.bak
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\mwmie.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\mwmim.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\mwmoi.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\mwmoibak.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\mwmpad.exe
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\mwmproxy.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\mwmres.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\mwmres1.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\mwmtrace.txt
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\mwmupd.exe
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\ratrace.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\raurl.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\uilibres.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\wbxcrypt.dll
C:\WINDOWS\DOWNLO~1.\MyWebEx\419\webexmgr.dll
C:\WINDOWS\system32\9_exception.nls
C:\WINDOWS\system32\b06FdUe
C:\WINDOWS\system32\config\systemprofile\application data\.rdr.ini
C:\WINDOWS\system32\drivers\runtime2.sys
C:\WINDOWS\system32\win
C:\WINDOWS\system32\wnsintcc.exe
C:\WINDOWS\system32\Y0
C:\WINDOWS\system32\Y1
C:\WINDOWS\wr.txt
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_ASC3550U
-------\LEGACY_ICF
-------\LEGACY_POOF
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\ICF
-------\kprof
-------\poof
-------\runtime
((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-29 )))))))))))))))))))))))))))))))
2007-07-29 22:53 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-29 20:28 14,336 --a------ C:\WINDOWS\system32\svchost.exe
2007-07-29 02:36 359,808 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2007-07-29 01:53 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-07-29 01:53 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-07-29 01:53 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-07-28 20:28 <DIR> d-------- C:\WINDOWS\Web Download
2007-07-28 13:00 <DIR> d-------- C:\Program Files\iTunes
2007-07-28 13:00 <DIR> d-------- C:\Program Files\iPod
2007-07-28 12:58 <DIR> d-------- C:\Program Files\QuickTime
2007-07-28 12:56 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-07-28 12:56 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-28 12:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-22 21:10 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-07-22 20:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-07-22 20:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-07-22 18:29 102,400 --a------ C:\WINDOWS\system32\tsccvid.dll
2007-07-22 18:29 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-07-22 18:29 <DIR> d-------- C:\Program Files\TechSmith
2007-07-22 18:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TechSmith
2007-07-22 06:31 <DIR> d-------- C:\Program Files\uTorrent
2007-07-22 06:30 <DIR> d-------- C:\DOCUME~1\MILANS~1\APPLIC~1\uTorrent
2007-07-04 19:21 <DIR> d-------- C:\Program Files\SCCSwitcher
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-29 18:00:19 -------- d-----w C:\Program Files\Messenger
2007-07-29 15:00:47 -------- d-----w C:\Program Files\Microsoft ActiveSync
2007-07-29 13:39:59 -------- d-----w C:\DOCUME~1\MILANS~1\APPLIC~1\Skype
2007-07-29 03:27:52 -------- d-----w C:\Program Files\Process Explorer
2007-07-29 02:49:59 -------- d-----w C:\Program Files\InterMute
2007-07-28 18:31:14 -------- d-----w C:\Program Files\Windows NT
2007-07-27 13:42:13 -------- d-----w C:\Program Files\FlashFXP
2007-07-25 01:04:07 -------- d-----w C:\Program Files\mIRC
2007-07-22 16:21:09 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-07-11 21:38:12 -------- d-----w C:\DOCUME~1\MILANS~1\APPLIC~1\Unyte
2007-06-17 20:25:44 -------- d-----w C:\Program Files\Skype
2007-06-17 20:25:41 -------- d-----w C:\Program Files\Common Files\Skype
2007-06-11 15:03:27 -------- d-----w C:\Program Files\HtmlCapture
2007-06-08 15:19:08 -------- d-----w C:\DOCUME~1\MILANS~1\APPLIC~1\Webex
2007-06-08 14:54:35 51,304 ----a-w C:\WINDOWS\system32\drivers\atnt40k.sys
2007-06-08 14:54:15 202,314 ----a-w C:\WINDOWS\system32\atasnt40.dll
2007-06-08 14:49:57 -------- d-----w C:\Program Files\webex
2007-06-08 12:19:18 -------- d-----w C:\Program Files\Atalasoft
2007-06-04 15:15:09 -------- d-----w C:\Program Files\MSDN
2007-06-04 00:38:59 -------- d-----w C:\Program Files\Fiddler
2007-06-03 22:18:31 -------- d-----w C:\Program Files\Microsoft Virtual PC
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2004-11-09 04:53]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2004-08-17 13:06]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 11:52]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-08-06 09:27]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2004-08-25 02:37]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2004-08-25 02:37]
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2004-08-25 02:37]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-10-23 22:00]
"FRYMXINS"="C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl" []
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-04 19:39]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-06-16 11:53]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-06-16 11:53]
"ISS_Certtool"="C:\Program Files\IBM\Security\certtool.exe" [2004-11-10 18:06]
"IBM_PWMGR"="C:\Program Files\IBM\Password Manager\pwmgr.exe" [2004-11-10 18:09]
"UC_Start"="C:\Program Files\IBM\Updater\\ucstartup.exe" [2004-07-14 17:34]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-04-26 08:06 C:\WINDOWS\KHALMNPR.Exe]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 21:52]
"@"="" []
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-07-29 01:51]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:56]
"TPKMAPMN"="C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" []
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"Microsoft Windows Services Edt"=dllrun32.exe
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Microsoft Windows Services Edt"=dllrun32.exe
C:\Documents and Settings\Milan Simic\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2004-06-17 09:03:43]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-03-06 18:28:53]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-01-14 04:44:14]
BTTray.lnk - C:\Program Files\IBM\Bluetooth Software\BTTray.exe [2004-01-20 20:15:12]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-01-13 23:28:25]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
QConGina.dll 2004-11-09 04:53 262144 C:\WINDOWS\system32\QConGina.dll
R0 c2scsi;c2scsi;C:\WINDOWS\system32\DRIVERS\c2scsi.sys
R0 GENERICSMB;IBM - Generic SMB Device Controller;C:\WINDOWS\system32\DRIVERS\smbgen.sys
R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS
R1 Cdr4_XP;Cdr4_XP;C:\WINDOWS\system32\drivers\Cdr4_XP.sys
R1 Cdralw2k;Cdralw2k;C:\WINDOWS\system32\drivers\Cdralw2k.sys
R1 cdrbsvsd;cdrbsvsd;C:\WINDOWS\system32\drivers\cdrbsvsd.sys
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS
R1 nod32drv;nod32drv;C:\WINDOWS\system32\drivers\nod32drv.sys
R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys
R1 Smapint;Smapint;C:\WINDOWS\system32\drivers\Smapint.sys
R1 TDSMAPI;TDSMAPI;C:\WINDOWS\system32\drivers\TDSMAPI.SYS
R1 TermDD;Terminal Device Driver;C:\WINDOWS\system32\DRIVERS\termdd.sys
R1 TPHKDRV;TPHKDRV;C:\WINDOWS\system32\drivers\TPHKDRV.sys
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys
R1 TSMAPIP;TSMAPIP;C:\WINDOWS\system32\drivers\TSMAPIP.SYS
R1 vmm;Virtual Machine Monitor;\??\C:\WINDOWS\system32\Drivers\vmm.sys
R2 Business Objects Change Notificator Service;Business Objects Change Notificator Service;c:\program files\business objects change notificator\businessobjectschangenotificator.process.exe
R2 EGATHDRV;IBM Access Support;\??\C:\WINDOWS\SYSTEM32\EGATHDRV.SYS
R2 IISADMIN;IIS Admin;C:\WINDOWS\System32\inetsrv\inetinfo.exe
R2 msftesql$THINKPADSQL2005;SQL Server FullText Search (THINKPADSQL2005);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:THINKPADSQL2005
R2 MSSEARCH;Microsoft Search;"C:\Program Files\Common Files\Microsoft Shared\MSSearch\Bin\mssearch.exe"
R2 MSSQL$THINKPADSQL2005;SQL Server (THINKPADSQL2005);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sTHINKPADSQL2005
R2 smi2;smi2;\??\C:\WINDOWS\system32\drivers\smi2.sys
R2 SoundMAX Agent Service (default);SoundMAX Agent Service;C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
R2 SQLBrowser;SQL Server Browser;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe"
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
R2 VPCAppSv;Virtual PC Application Services;C:\WINDOWS\system32\DRIVERS\VPCAppSv.sys
R2 W3SVC;World Wide Web Publishing;C:\WINDOWS\System32\inetsrv\inetinfo.exe
R2 wuauserv;Automatic Updates;C:\WINDOWS\system32\svchost.exe -k netsvcs
R3 AtmelTpm;AtmelTpm;C:\WINDOWS\system32\DRIVERS\AtmelTpm.sys
R3 BTWDNDIS;Bluetooth LAN Access Server;C:\WINDOWS\system32\DRIVERS\btwdndis.sys
R3 E1000;Intel® PRO/1000 Adapter Driver;C:\WINDOWS\system32\DRIVERS\e1000325.sys
R3 GEARAspiWDM;GEARAspiWDM;C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
R3 pfc;Padus ASPI Shell;C:\WINDOWS\system32\drivers\pfc.sys
R3 PptpMiniport;WAN Miniport (PPTP);C:\WINDOWS\system32\DRIVERS\raspptp.sys
R3 RasPppoe;Remote Access PPPOE Driver;C:\WINDOWS\system32\DRIVERS\raspppoe.sys
R3 Raspti;Direct Parallel;C:\WINDOWS\system32\DRIVERS\raspti.sys
R3 rdpdr;Terminal Server Device Redirector Driver;C:\WINDOWS\system32\DRIVERS\rdpdr.sys
R3 ROOTMODEM;Microsoft Legacy Modem Driver;C:\WINDOWS\system32\Drivers\RootMdm.sys
R3 SMBusDH;IBM - SMB Hub Controller;C:\WINDOWS\system32\DRIVERS\smbusdh.sys
R3 SMBusHC;SMBus Host Controller;C:\WINDOWS\system32\DRIVERS\smbushc.sys
R3 SynTP;Synaptics TouchPad Driver;C:\WINDOWS\system32\DRIVERS\SynTP.sys
R3 TermService;Terminal Services;C:\WINDOWS\System32\svchost -k DComLaunch
R3 usb_rndisx;USB RNDIS Adapter;C:\WINDOWS\system32\DRIVERS\usb8023x.sys
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbehci.sys
R3 VPCNetS2;Virtual Machine Network Services Driver;C:\WINDOWS\system32\DRIVERS\VMNetSrv.sys
S3 61883;61883 Unit Device;C:\WINDOWS\system32\DRIVERS\61883.sys
S3 aec;Microsoft Kernel Acoustic Echo Canceller;C:\WINDOWS\system32\drivers\aec.sys
S3 aspnet_state;ASP.NET State Service;C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
S3 Avc;AVC Device;C:\WINDOWS\system32\DRIVERS\avc.sys
S3 CA561;VideoCAM Express V2;C:\WINDOWS\system32\Drivers\SPCA561.SYS
S3 Dot4;MS IEEE-1284.4 Driver;C:\WINDOWS\system32\DRIVERS\Dot4.sys
S3 Dot4Print;Print Class Driver for IEEE-1284.4;C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
S3 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0;C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
S3 idsvc;Windows CardSpace;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
S3 LHidKe;Logitech SetPoint HID Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\LHidKE.Sys
S3 LHidUsbK;Logitech SetPoint USB Receiver device driver;C:\WINDOWS\system32\Drivers\LHidUsbK.Sys
S3 LMouKE;Logitech SetPoint Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\LMouKE.Sys
S3 MQAC;Message Queuing access control;\??\C:\WINDOWS\System32\drivers\mqac.sys
S3 MsDtsServer;SQL Server Integration Services;"C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe"
S3 MSDV;Microsoft DV Camera and VCR;C:\WINDOWS\system32\DRIVERS\msdv.sys
S3 MSFtpsvc;FTP Publishing;C:\WINDOWS\System32\inetsrv\inetinfo.exe
S3 MSIRCOMM;Microsoft IR Communications Driver;C:\WINDOWS\system32\DRIVERS\MSIRCOMM.sys
S3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\system32\DRIVERS\loop.sys
S3 MSMQ;Message Queuing;C:\WINDOWS\System32\mqsvc.exe
S3 MSMQTriggers;Message Queuing Triggers;C:\WINDOWS\System32\mqtgsvc.exe
S3 MSOLAP$THINKPADSQL2005;SQL Server Analysis Services (THINKPADSQL2005);"C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe" -s "C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\Config"
S3 MSSQL$MSDE;MSSQL$MSDE;"C:\Program Files\Microsoft SQL Server\MSSQL$MSDE\Binn\sqlservr.exe" -sMSDE
S3 MSSQL$SONY_MEDIAMGR;MSSQL$SONY_MEDIAMGR;C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe -sSONY_MEDIAMGR
S3 MSSQLServerOLAPService;MSSQLServerOLAPService;C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
S3 NAL;Nal Service ;\??\C:\WINDOWS\System32\Drivers\iqvw32.sys
S3 PORTMON;PORTMON;\??\C:\Program Files\PortMon\PORTMSYS.SYS
S3 QCNDISIF;QCNDISIF;C:\WINDOWS\system32\drivers\qcndisif.SYS
S3 ReportServer$THINKPADSQL2005;SQL Server Reporting Services (THINKPADSQL2005);"C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe"
S3 RMCAST;Reliable Multicast Protocol driver;\??\C:\WINDOWS\System32\drivers\RMCast.sys
S3 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe
S3 SQLAgent$MSDE;SQLAgent$MSDE;"C:\Program Files\Microsoft SQL Server\MSSQL$MSDE\Binn\sqlagent.EXE" -i MSDE
S3 SQLAgent$SONY_MEDIAMGR;SQLAgent$SONY_MEDIAMGR;C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE -i SONY_MEDIAMGR
S3 SQLAgent$THINKPADSQL2005;SQL Server Agent (THINKPADSQL2005);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE" -i THINKPADSQL2005
S3 SysmonLog;Performance Logs and Alerts;C:\WINDOWS\system32\smlogsvc.exe
S3 TPPFX;USB Storage Adapter FX (TPP);C:\WINDOWS\system32\DRIVERS\TPPFX.SYS
S3 USBCM;Scientific Atlanta USB Cable Modem Driver;C:\WINDOWS\system32\DRIVERS\Sacm2K.sys
S3 UsbCmxp;Scientific Atlanta WebSTAR 2000 series Cable Modem;C:\WINDOWS\system32\DRIVERS\sacmxp2.sys
S3 Visual Studio Analyzer RPC bridge;Visual Studio Analyzer RPC bridge;C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe
S3 VSPerfDrv;Performance Tools Driver;\??\C:\Program Files\Microsoft Visual Studio 8\Team Tools\Performance Tools\VSPerfDrv.sys
S3 wceusbsh;Windows CE USB Serial Host Driver;C:\WINDOWS\system32\DRIVERS\wceusbsh.sys
S3 WebSTARNdis;WebSTAR DPX USB Cable Modem Adapter;C:\WINDOWS\system32\DRIVERS\WebSTAR.sys
S3 WebSTARXP;Scientific Atlanta WebSTAR 100 & 200 series Cable Modem;C:\WINDOWS\system32\DRIVERS\SACMXP1.sys
S3 WmiApSrv;WMI Performance Adapter;C:\WINDOWS\System32\wbem\wmiapsrv.exe
S4 msupdate;Microsoft security update service;c:\windows\system32\msvcrtd.exe
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
S4 Packets;Packets;C:\WINDOWS\system32\dllcache\win32\services.exe /name:"Packets" /start:"lxsas.exe Xdcc.config"
S4 updates;updates;C:\WINDOWS\system32\dllcache\win32\services.exe /name:"updates" /start:"internet.exe"
Contents of the 'Scheduled Tasks' folder
2005-02-20 19:27:35 C:\WINDOWS\tasks\BMMTask.job
2007-07-27 14:00:00 C:\WINDOWS\tasks\{48349458-D3DD-4D63-8997-F5FE73F80D12}_THINKPAD_Milan Simic.job
2007-07-27 14:00:00 C:\WINDOWS\tasks\{7DF9D790-6287-49B5-98E2-20D3C262F210}_THINKPAD_Milan Simic.job
2007-07-27 07:00:00 C:\WINDOWS\tasks\{BDD1CC4E-B02C-4569-97D1-F0BAEBD0364B}_THINKPAD_Milan Simic.job
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-29 23:04:54
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\msftesql$THINKPADSQL2005]
"ImagePath"="\"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:THINKPADSQL2005"
[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\MSOLAP$THINKPADSQL2005]
"ImagePath"="\"C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe\" -s \"C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\Config\""
Completion time: 2007-07-29 23:07:20 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-29 23:07
--- E O F ---
#3
Posted 29 July 2007 - 03:53 PM
I am MoNsTeReNeRgY22 and I will be assisting you with your malware problem today.
Please give me some time to analyze your log, and I will post back with instructions ASAP.
Also, as I am still a trainee, my posts must be approved before I can post them, so there may be a slight delay between my posts.
#4
Posted 29 July 2007 - 04:31 PM
Thanks for your prompt response.
Just a brief note: after running ComboFix.exe, which generated the report shown in my previous post, I'm not getting infection reports from NOD32 about:
1) infection in c:\windows\system32\drivers\runtime.sys as Rootkit.Agent.DW.trojan from windows\temp\startdrv.exe
2) infection in c:\windows\system32\drivers\ip6fw.sys as Rootkit.Agent.DP.trojan from explorer.exe
3) infection in c:\documents and settings\xxx\local settings\temp\93584.exe as Wigon.Z trojan from iexplorer.exe (the name 93584.exe changes every time I log in)
I do not have these symptoms either:
* When I try to go on any web site in Internet Explorer NOD32 reports that someone is trying to fetch 83122.exe.
* Infection runs invisible IExplorer.exe process and pumps hundreds of SMTP requests utilizing my bandwidth.
* With IceSword, in the System Service Descriptor Table I've got a red highlight on "\SystemRoot\system32\drivers\runtime2.sys" (it is not visible at that location)
Please be so kind as to double-check these HijackThis and ComboFix logs for me, so that I can be 100% sure everything has been done correctly.
Awaiting your instructions.
ngm
#5
Posted 29 July 2007 - 04:45 PM
In the future, please don't fix lines by yourself in HJT. In the end, you might end up causing more harm than good.
1) Jotti File Submission:
Please go to Jotti's malware scan
Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
c:\program files\business objects change notificator\businessobjectschangenotificator.process.exe
Click on the submit button
Please post the results in your next reply.
2) Download and save Blacklight to your desktop (choose "I ACCEPT", then click "DOWNLOAD" on the website).
Double-click fsbl.exe, then accept the agreement and click "Scan", then "Next".
You'll see a list of all items found. There will also be a log on your desktop with the name "fsbl.xxxxxxxxxxxxxx.log" (the xxxxxxxxxxxxxx stand for numbers).
Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe".
3) Download Deckard's System Scanner (DSS) to your Desktop.
- Close all applications and windows.
- Double-click on DSS.exe to run it, and follow the prompts.
- When it has finished, DSS will open two Notepad windows, main.txt and extra.txt; please copy (CTRL+A, then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
4) In your next reply, please post the following:
- Jotti Log
- Blacklight Log
- DSS Log
#6
Posted 29 July 2007 - 07:35 PM
I appreciate your quick response to my issue.
Please note that, regarding the first item you listed, businessobjectschangenotificator.process.exe is a custom application of my company. In other words, its behaviour is well known, and it has been sitting on my computer for much longer than this problem has persisted.
Regarding Blacklight, it found nothing this time, but before I started ComboFix (you've got its log in the post above) Blacklight reported 1 hidden item, and it was "c:\windows\system32\drivers\runtime2.sys".
Therefore ComboFix has definitely removed that Trojan, or whatever it was. However, I'm not sure whether it has removed the Trojan fully, and I'm also not sure whether it has erased some other legitimate items.
Anyway, here are the logs that you asked for. Additionally, I include the quarantined files list from ComboFix.
--- Blacklight Log ---
07/30/07 02:42:49 [Info]: BlackLight Engine 1.0.64 initialized
07/30/07 02:42:49 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/30/07 02:42:49 [Note]: 7019 4
07/30/07 02:42:49 [Note]: 7005 0
07/30/07 02:42:55 [Note]: 7006 0
07/30/07 02:42:55 [Note]: 7011 536
07/30/07 02:42:55 [Note]: 7026 0
07/30/07 02:42:55 [Note]: 7026 0
07/30/07 02:43:01 [Note]: FSRAW library version 1.7.1022
07/30/07 03:04:58 [Note]: 2000 1012
07/30/07 03:04:58 [Note]: 2000 1012
07/30/07 03:09:11 [Note]: 7007 0
------
--- Deckard's System Scanner Log ---
Deckard's System Scanner v20070729.57
Run by Milan Simic on 2007-07-30 at 03:10:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
System Restore is disabled; attempting to re-enable...success.
-- Last 1 Restore Point(s) --
1: 2007-07-30 01:10:51 UTC - RP1 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
-- HijackThis (run as Milan Simic.exe) -----------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 3:16:20 AM, on 7/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
c:\program files\business objects change notificator\businessobjectschangenotificator.process.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IBM\Security\certtool.exe
C:\Program Files\IBM\Password Manager\pwmgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\IBM\Security\uvmserv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\System32\ibmsmbus.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\IBM\Bluetooth Software\BTTray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Microsoft Shared\MSSearch\Bin\mssearch.exe
C:\Documents and Settings\Milan Simic\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Milan Simic.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Microsoft Web Test Recorder Helper - {62355041-605D-4469-84FD-5D66ED67A7E3} - C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [FRYMXINS] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ISS_Certtool] C:\Program Files\IBM\Security\certtool.exe
O4 - HKLM\..\Run: [IBM_PWMGR] C:\Program Files\IBM\Password Manager\pwmgr.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler\Fiddler.exe" (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmie.dll (file missing)
O9 - Extra 'Tools' menuitem: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\DOWNLO~1\MyWebEx\419\mwmie.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Start WebEx One-Click Meeting - {80947ADC-151D-490B-87F1-7C8CE1B46220} - C:\Program Files\webex\webex\350\atonecli.dll (HKCU)
O9 - Extra 'Tools' menuitem: Start WebEx One-Click Meeting - {80947ADC-151D-490B-87F1-7C8CE1B46220} - C:\Program Files\webex\webex\350\atonecli.dll (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D69485C-EAB1-42AE-93C1-B5A53F238C5A} (FileInterface Class) - https://online.banca...ilDLL/FSINT.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120655925379
O16 - DPF: {76326493-E84F-4D4B-939C-1E07B50037F2} (ProxyModule Class) - https://online.banca...LL/SGCMSCCD.DLL
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex.com/client/v_mywebex-mw...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AB90BB4-63DE-410D-ADBF-B1BDFBE775EE}: NameServer = 82.117.194.2,82.117.194.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{84C7BC31-4BA7-4F8A-BED7-825B6E9FF991}: NameServer = 82.117.194.2,82.117.194.3
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Business Objects Change Notificator Service - Ivan Celeketic, Emir Sadikovic, Milan Simic - c:\program files\business objects change notificator\businessobjectschangenotificator.process.exe
O23 - Service: IBM User Verification Manager - IBM - C:\Program Files\IBM\Security\uvmserv.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: SMBus Upgrade Service for Windows 2000 and above (ibmsmbus) - International Business Machines Corp. - C:\WINDOWS\System32\ibmsmbus.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server FullText Search (THINKPADSQL2005) (msftesql$THINKPADSQL2005) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:THINKPADSQL2005 (file missing)
O23 - Service: SQL Server Analysis Services (THINKPADSQL2005) (MSOLAP$THINKPADSQL2005) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe" -s "C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\Config (file missing)
O23 - Service: MSSQL$MSDE - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MSDE\Binn\sqlservr.exe" -sMSDE (file missing)
O23 - Service: SQL Server (THINKPADSQL2005) (MSSQL$THINKPADSQL2005) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sTHINKPADSQL2005 (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SQLAgent$MSDE - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MSDE\Binn\sqlagent.EXE" -i MSDE (file missing)
O23 - Service: SQL Server Agent (THINKPADSQL2005) (SQLAgent$THINKPADSQL2005) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE" -i THINKPADSQL2005 (file missing)
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------
backup-20070728-210954-496 O20 - Winlogon Notify: byxywvu - C:\WINDOWS\SYSTEM32\byxywvu.dll
backup-20070728-234630-116 O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
backup-20070728-234811-184 O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb106\Dealio.dll (file missing)
backup-20070728-234811-327 O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu27.exe 61A847B5BBF72810358B2B27128065E9C084320161C4661227A755E9C2933154389A
backup-20070728-234811-342 O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
backup-20070728-234811-432 O2 - BHO: (no name) - {78BD2971-EB54-4EE9-95F2-F6321B16AC85} - C:\WINDOWS\system32\byxywvu.dll (file missing)
backup-20070728-234811-464 O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
backup-20070728-234811-490 O4 - HKLM\..\Run: [BillGatesLoh.exe] C:\WINDOWS\BillGatesLoh.exe
backup-20070728-234811-599 O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernelwind32.exe
backup-20070728-234811-642 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
backup-20070728-234811-731 O4 - HKLM\..\Run: [{F4-4A-AA-A4-ZN}] c:\windows\system32\dwdsregt.exe OLI001
backup-20070728-234811-818 O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
backup-20070728-234811-828 O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb106\Dealio.dll (file missing)
backup-20070728-234811-930 O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
backup-20070728-235003-585 O8 - Extra context menu item: Compare Prices with &Dealio - C:\Program Files\Dealio\kb106\res\DealioSearch.html
backup-20070728-235243-191 O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll (file missing)
backup-20070728-235243-249 O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb106\Dealio.dll (file missing)
backup-20070728-235248-214 O20 - Winlogon Notify: byxywvu - byxywvu.dll (file missing)
backup-20070728-235249-315 O20 - Winlogon Notify: winwsa32 - winwsa32.dll (file missing)
backup-20070729-013100-838 O21 - SSODL: VptiXveCh - {186F4AA5-B2C5-E00F-B38E-855A55CDA824} - C:\WINDOWS\system32\hzda.dll (file missing)
backup-20070729-013128-119 O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll (file missing)
backup-20070729-013848-306 O1 - Hosts: 66.98.148.65 auto.search.msn.es
backup-20070729-013848-911 O1 - Hosts: 66.98.148.65 auto.search.msn.com
backup-20070729-181323-379 O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\system32\rpcc.exe
backup-20070729-183459-641 O23 - Service: updates - Unknown owner - C:\WINDOWS\system32\dllcache\win32\services.exe (file missing)
backup-20070729-183528-370 O23 - Service: Packets - Unknown owner - C:\WINDOWS\system32\dllcache\win32\services.exe (file missing)
backup-20070729-183558-795 O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe (file missing)
backup-20070729-183610-342 O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe (file missing)
backup-20070729-183622-597 O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe (file missing)
backup-20070729-183734-595 O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe (file missing)
backup-20070729-184551-665 O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe (file missing)
backup-20070729-184719-725 O4 - HKLM\..\RunServices: [Microsoft Windows Services Edt] dllrun32.exe
backup-20070729-184749-745 O4 - HKCU\..\RunServices: [Microsoft Windows Services Edt] dllrun32.exe
backup-20070729-191753-345 O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe (file missing)
backup-20070729-195300-651 O2 - BHO: (no name) - {BC54B4BE-3399-4F6A-ADC0-80509CBEDE5D} - C:\Program Files\Messenger\quro83122.dll
-- File Associations -----------------------------------------------------------
All associations okay.
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R0 c2scsi - c:\windows\system32\drivers\c2scsi.sys <Not Verified; Roxio GmbH & Co KG, Wuerselen/Germany; Roxio CD/DVD Burning Software>
R0 Shockprf - c:\windows\system32\drivers\shockprf.sys <Not Verified; IBM Corporation; IBM Hard Drive Active Protection System>
R1 ANC - c:\windows\system32\drivers\anc.sys <Not Verified; IBM Corp.; IBM Access Connections>
R1 cdrbsvsd - c:\windows\system32\drivers\cdrbsvsd.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD7>
R1 IBMTPCHK - c:\windows\system32\drivers\ibmbldid.sys
R1 ShockMgr - c:\windows\system32\drivers\shockmgr.sys <Not Verified; IBM Corporation; IBM Hard Drive Active Protection System>
R1 Smapint - c:\windows\system32\drivers\smapint.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT Operating System>
R1 TDSMAPI - c:\windows\system32\drivers\tdsmapi.sys
R1 TPHKDRV - c:\windows\system32\drivers\tphkdrv.sys <Not Verified; IBM Corporation; ThinkPad OnScreenDisplay>
R1 TPPWR - c:\windows\system32\drivers\tppwr.sys <Not Verified; IBM Corp.; IBM ThinkPad Utility>
R1 TSMAPIP - c:\windows\system32\drivers\tsmapip.sys
R2 EGATHDRV (IBM Access Support) - c:\windows\system32\egathdrv.sys <Not Verified; IBM Corporation; IBM eGatherer>
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.9) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>
R2 smi2 - c:\windows\system32\drivers\smi2.sys <Not Verified; IBM Corp.; IBM SMI Bios driver>
R2 VPCAppSv (Virtual PC Application Services) - c:\windows\system32\drivers\vpcappsv.sys <Not Verified; Connectix Corporation; Virtual PC>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
S3 catchme - c:\docume~1\milans~1\locals~1\temp\catchme.sys (file missing)
S3 NAL (Nal Service ) - c:\windows\system32\drivers\iqvw32.sys <Not Verified; Intel Corporation; Intel® iQVW32.SYS>
S3 PORTMON - c:\program files\portmon\portmsys.sys (file missing)
S3 QCNDISIF - c:\windows\system32\drivers\qcndisif.sys <Not Verified; IBM Corporation.; IBM ThinkPad Utility>
S3 TDIMSYS - c:\windows\system32\drivers\tdimsys.sys (file missing)
S3 TPPFX (USB Storage Adapter FX (TPP)) - c:\windows\system32\drivers\tppfx.sys <Not Verified; Cypress Semiconductor; TPP Storage Adapter>
S3 WebSTARNdis (WebSTAR DPX USB Cable Modem Adapter) - c:\windows\system32\drivers\webstar.sys <Not Verified; Scientific Atlanta; WebSTAR USB Cable Modem>
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 ACS (ACU Configuration Service) - c:\windows\system32\acs.exe
R2 Business Objects Change Notificator Service - c:\program files\business objects change notificator\businessobjectschangenotificator.process.exe <Not Verified; Ivan Celeketic, Emir Sadikovic, Milan Simic; Business Objects Change Notificator>
R2 IBM User Verification Manager - c:\program files\ibm\security\uvmserv.exe <Not Verified; IBM; IBM User Verification Manager Server>
R2 ibmsmbus (SMBus Upgrade Service for Windows 2000 and above) - c:\windows\system32\ibmsmbus.exe <Not Verified; International Business Machines Corp.; SMBus Package (Version 6.1.0.35)>
R2 MSSEARCH (Microsoft Search) - "c:\program files\common files\microsoft shared\mssearch\bin\mssearch.exe" <Not Verified; Microsoft Corporation; PKM>
R2 QCONSVC - system32\qconsvc.exe <Not Verified; IBM Corp.; IBM ThinkPad Utility>
R2 TpKmpSVC (IBM KCU Service) - c:\windows\system32\tpkmpsvc.exe
S3 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
S3 MSSQLServerOLAPService - c:\program files\microsoft analysis services\bin\msmdsrv.exe
S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
S3 SQLSERVERAGENT - c:\program files\microsoft sql server\mssql\binn\sqlagent.exe -i mssqlserver
-- Scheduled Tasks -------------------------------------------------------------
2007-07-27 16:00:00 406 --ah----- C:\WINDOWS\Tasks\{7DF9D790-6287-49B5-98E2-20D3C262F210}_THINKPAD_Milan Simic.job
2007-07-27 16:00:00 406 --ah----- C:\WINDOWS\Tasks\{48349458-D3DD-4D63-8997-F5FE73F80D12}_THINKPAD_Milan Simic.job
2007-07-27 09:00:00 406 --ah----- C:\WINDOWS\Tasks\{BDD1CC4E-B02C-4569-97D1-F0BAEBD0364B}_THINKPAD_Milan Simic.job
2005-02-20 21:27:35 646 --a------ C:\WINDOWS\Tasks\BMMTask.job
-- Files created between 2007-06-30 and 2007-07-30 -----------------------------
2007-07-30 00:25:08 0 d-------- C:\WINDOWS\LastGood
2007-07-29 01:53:00 298104 --a------ C:\WINDOWS\system32\imon.dll <Not Verified; Eset; NOD32 Antivirus System>
2007-07-28 20:28:41 0 d-------- C:\WINDOWS\Web Download
2007-07-28 13:06:39 1751 --a------ C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
2007-07-28 13:00:43 0 d-------- C:\Program Files\iPod
2007-07-28 13:00:34 0 d-------- C:\Program Files\iTunes
2007-07-28 12:58:24 0 d-------- C:\Program Files\QuickTime
2007-07-28 12:56:56 0 d------c- C:\WINDOWS\system32\DRVSTORE
2007-07-28 12:56:38 0 d-------- C:\Program Files\Common Files\Apple
2007-07-28 12:56:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-07-22 21:10:59 0 d-------- C:\WINDOWS\network diagnostic
2007-07-22 20:41:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-07-22 20:41:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-07-22 18:29:53 102400 --a------ C:\WINDOWS\system32\tsccvid.dll <Not Verified; TechSmith Corporation; TechSmith Screen Capture Codec>
2007-07-22 18:29:52 0 d-------- C:\WINDOWS\system32\QuickTime
2007-07-22 18:29:41 0 d-------- C:\Documents and Settings\All Users\Application Data\TechSmith
2007-07-22 18:29:23 0 d-------- C:\Program Files\TechSmith
2007-07-22 17:37:23 0 dr------- C:\Documents and Settings\LocalService\Favorites
2007-07-22 06:31:00 0 d-------- C:\Program Files\uTorrent
2007-07-22 06:30:51 0 d-------- C:\Documents and Settings\Milan Simic\Application Data\uTorrent
2007-07-04 19:21:19 0 d-------- C:\Program Files\SCCSwitcher
-- Find3M Report ---------------------------------------------------------------
2007-07-30 01:21:01 0 d-------- C:\Program Files\Process Explorer
2007-07-29 20:00:19 0 d-------- C:\Program Files\Messenger
2007-07-29 17:00:47 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-07-29 15:39:59 0 d-------- C:\Documents and Settings\Milan Simic\Application Data\Skype
2007-07-29 04:49:59 0 d-------- C:\Program Files\InterMute
2007-07-28 20:31:14 0 d-------- C:\Program Files\Windows NT
2007-07-28 12:56:38 0 d-------- C:\Program Files\Common Files
2007-07-27 15:42:13 0 d-------- C:\Program Files\FlashFXP
2007-07-26 17:05:43 0 d-------- C:\Documents and Settings\Milan Simic\Application Data\Adobe
2007-07-25 03:04:07 0 d-------- C:\Program Files\mIRC
2007-07-22 18:21:09 0 d-------- C:\Program Files\Windows Media Connect 2
2007-07-20 00:56:15 2528 --a------ C:\Documents and Settings\Milan Simic\Application Data\$_hpcst$.hpc
2007-07-11 23:38:12 0 d-------- C:\Documents and Settings\Milan Simic\Application Data\Unyte
2007-06-21 15:14:41 111922 --a------ C:\Documents and Settings\Milan Simic\Application Data\debuggee.mdmp
2007-06-17 22:25:44 0 d-------- C:\Program Files\Skype
2007-06-17 22:25:41 0 d-------- C:\Program Files\Common Files\Skype
2007-06-11 17:03:27 0 d-------- C:\Program Files\HtmlCapture
2007-06-08 17:19:08 0 d-------- C:\Documents and Settings\Milan Simic\Application Data\Webex
2007-06-08 16:54:15 202314 --a------ C:\WINDOWS\system32\atasnt40.dll <Not Verified; WebEx Communications, Inc; WebEx Application Sharing>
2007-06-08 16:49:57 0 d-------- C:\Program Files\webex
2007-06-08 14:19:18 0 d-------- C:\Program Files\Atalasoft
2007-06-04 17:15:09 0 d-------- C:\Program Files\MSDN
2007-06-04 02:38:59 0 d-------- C:\Program Files\Fiddler
2007-06-04 00:18:31 0 d-------- C:\Program Files\Microsoft Virtual PC
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [11/09/2004 04:53 AM]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [08/17/2004 13:06 PM]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [04/01/2004 11:52 AM]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [08/06/2004 09:27 AM]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [08/25/2004 02:37 AM]
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [08/25/2004 02:37 AM]
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [08/25/2004 02:37 AM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [10/23/2004 22:00 PM]
"FRYMXINS"="C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl" []
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [02/04/2004 19:39 PM]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [06/16/2004 11:53 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [06/16/2004 11:53 AM]
"ISS_Certtool"="C:\Program Files\IBM\Security\certtool.exe" [11/10/2004 18:06 PM]
"IBM_PWMGR"="C:\Program Files\IBM\Password Manager\pwmgr.exe" [11/10/2004 18:09 PM]
"UC_Start"="C:\Program Files\IBM\Updater\\ucstartup.exe" [07/14/2004 17:34 PM]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [04/26/2004 08:06 AM C:\WINDOWS\KHALMNPR.Exe]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [01/12/2006 21:52 PM]
"@"="" []
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [07/29/2007 01:51 AM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 09:56 AM]
"TPKMAPMN"="C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" []
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [11/13/2006 13:39 PM]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"Microsoft Windows Services Edt"=dllrun32.exe
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Microsoft Windows Services Edt"=dllrun32.exe
C:\Documents and Settings\Milan Simic\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [6/17/2004 9:03:43]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [3/6/2007 18:28:53]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [1/14/2005 4:44:14]
BTTray.lnk - C:\Program Files\IBM\Bluetooth Software\BTTray.exe [1/20/2004 20:15:12]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [1/13/2005 23:28:25]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
QConGina.dll 11/09/2004 04:53 AM 262144 C:\WINDOWS\system32\QConGina.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
*Newly Created Service* - PROCEXP100
-- End of Deckard's System Scanner: finished at 2007-07-30 at 03:16:46 ---------
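Added example, not part of the poster's logs and not code from Deckard's System Scanner: a small Python triage script for the Run-key section of a DSS Registry Dump in the format shown above. In the dump, values DSS could resolve carry a `[MM/DD/YYYY hh:mm]` stamp (sometimes with the resolved path, as for KHALMNPR.EXE), while the others show an empty `[]`. The script parses that layout and flags values with no absolute path (the name is looked up through PATH at logon), values DSS could not verify, and values sitting under HKEY_USERS\.default or a RunServices key, which is where the two `dllrun32.exe` entries in the dump above live. The sample input is constructed from lines copied out of the log; the flag names, scoring and the `Autorun` record type are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the DSS "Registry Dump" posted above,
# kept in DSS's own layout so the parser sees realistic input.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [11/09/2004 04:53 AM]
"FRYMXINS"="C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl" []
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [04/26/2004 08:06 AM C:\WINDOWS\KHALMNPR.Exe]
"@"="" []
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [07/29/2007 01:51 AM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPKMAPMN"="C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" []
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"Microsoft Windows Services Edt"=dllrun32.exe
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Microsoft Windows Services Edt"=dllrun32.exe
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
# "name"="quoted value" [meta]   or   "name"=bare-value   (meta is optional)
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]*)"='
    r'(?:"(?P<qval>[^"]*)"|(?P<uval>[^\s\["][^\s\[]*))'
    r'\s*(?:\[(?P<meta>[^\]]*)\])?\s*$'
)
ABS_PATH_RE = re.compile(r'^(?:[A-Za-z]:\\|\\\\)')   # drive-letter or UNC path
TIMESTAMP_RE = re.compile(r'\b\d{2}/\d{2}/\d{4}\b')  # DSS's MM/DD/YYYY stamp


@dataclass
class Autorun:
    key: str
    name: str
    value: str
    meta: str
    flags: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.flags)


def parse_registry_dump(text: str) -> list:
    """Turn the DSS dump into Autorun records, tracking the current key."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            value = m.group('qval') if m.group('qval') is not None else m.group('uval')
            entries.append(Autorun(key, m.group('name'), value, m.group('meta') or ''))
    return entries


def triage(entry: Autorun) -> Autorun:
    """Attach heuristic flags; the flag names are this example's own."""
    k, v = entry.key.lower(), entry.value
    if v == '':
        entry.flags.append('empty-value')           # nothing to launch, just noise
        return entry
    if not ABS_PATH_RE.match(v):
        entry.flags.append('no-absolute-path')      # resolved through PATH at logon
    if not TIMESTAMP_RE.search(entry.meta):
        entry.flags.append('file-not-verified')     # DSS printed [] instead of a stamp
    if k.startswith('hkey_users\\.default'):
        entry.flags.append('default-profile-hive')  # unusual home for a vendor autorun
    if k.endswith('\\runservices'):
        entry.flags.append('runservices-key')       # Windows 9x-era key
    return entry


def report(text: str) -> list:
    """Parse and triage the dump; most suspicious entries first."""
    entries = [triage(e) for e in parse_registry_dump(text)]
    return sorted(entries, key=lambda e: -e.score)


if __name__ == '__main__':
    for e in report(SAMPLE_DUMP):
        print(f"{e.score}  {e.name!r} = {e.value!r}  {e.flags}\n     {e.key}")
```

Run it as-is and the two `dllrun32.exe` values come out on top (four and three flags), with `regsvr32 /s mqrt.dll` next; the ThinkPad and NOD32 entries with a full path and a timestamp get no flags. The score is only an ordering aid for where to look first, not a verdict: a bare filename under a vendor key (KHALMNPR.EXE) is common for old drivers, so the output should be read alongside the file listings and the IceSword findings in the thread rather than on its own.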
#7
Posted 29 July 2007 - 07:38 PM
Deckard's System Scanner v20070729.57
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------
-- System Information ----------------------------------------------------------
Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English
CPU 0: Intel® Pentium® M processor 1700MHz
Percentage of Memory in Use: 31%
Physical Memory (total/avail): 2046.86 MiB / 1408.15 MiB
Pagefile Memory (total/avail): 3431.95 MiB / 3001.71 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1950.66 MiB
C: is Fixed (NTFS) - 149.05 GiB total, 24.77 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
-- Security Center -------------------------------------------------------------
AUOptions is set to notify before download.
Windows Internal Firewall is disabled.
AntiVirusDisableNotify is set.
UpdatesDisableNotify is set.
AntivirusOverride is set.
FirewallOverride is set.
AV: ESET NOD32 antivirus system 2.70 v2.70 (ESET, spol. s r.o.)
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"="C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe:*:Enabled:IBM Update Connector"
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"="C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe:*:Enabled:IBM Update Connector"
"C:\\Program Files\\IBM\\Updater\\ucsmb.exe"="C:\\Program Files\\IBM\\Updater\\ucsmb.exe:*:Enabled:IBM Update Connector"
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"="C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe:*:Enabled:IBM Update Connector"
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"="C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe:*:Enabled:IBM Update Connector"
"C:\\Program Files\\IBM\\Updater\\ucsmb.exe"="C:\\Program Files\\IBM\\Updater\\ucsmb.exe:*:Enabled:IBM Update Connector"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:*:Enabled:ActiveSync RAPI Manager"
-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Milan Simic\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=THINKPAD
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Milan Simic
INCLUDE=C:\Program Files\Microsoft Visual Studio .NET 2003\SDK\v1.1\include\
LIB=C:\Program Files\Microsoft Visual Studio .NET 2003\SDK\v1.1\Lib\
LOGONSERVER=\\THINKPAD
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\PROGRAM FILES\THINKPAD\UTILITIES;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\ATI Technologies\Fire GL 3D Studio Max;C:\Program Files\PC-Doctor for Windows\services;C:\Program Files\Microsoft SQL Server\80\Tools\BINN;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\Microsoft SQL Server\90\DTS\Binn\;C:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\Microsoft SQL Server\90\Tools\Binn\VSShell\Common7\IDE\;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\;C:\Program Files\QuickTime\QTSystem"
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 9 Stepping 5, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0905
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\MILANS~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\MILANS~1\LOCALS~1\Temp
USERDOMAIN=THINKPAD
USERNAME=Milan Simic
USERPROFILE=C:\Documents and Settings\Milan Simic
VS71COMNTOOLS=C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\Tools\
VS80COMNTOOLS=C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\
windir=C:\WINDOWS
-- User Profiles ---------------------------------------------------------------
Milan Simic (admin)
ASPNET
Daca
Test Usr
Administrator (admin)
emir (admin)
Emirs (admin)
-- Add/Remove Programs ---------------------------------------------------------
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> MsiExec.exe /I{002EA3F8-1109-4AAE-A874-7BC121B02D2A}
--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> MsiExec.exe /X{CBECA9AB-F4DD-4798-979C-AD08F1814803}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{39DA87A1-0B26-4562-A70C-2A6147366E47}\Setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F765BD0-B900-4EDE-A90B-61C8A9E95C42}\Setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD59025-5B73-4E12-B789-0028C5A573C2}\Setup.exe"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
.NET Compact Framework-based PInvoke Library Sample --> MsiExec.exe /X{F8E1E299-B2D3-4F79-89E1-3B53EEBE5A93}
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
2d3 SteadyMove for Adobe Premiere Pro --> MsiExec.exe /I{94118D5F-2D5D-4BF5-9F84-11FB8A97B566}
AC3Filter (remove only) --> C:\Program Files\AC3Filter\uninstall.exe
Access IBM Message Center --> MsiExec.exe /X{F413B3A4-EE5D-457C-BAE5-6E58D9589ED5}
ACDSee 6.0 PowerPack --> MsiExec.exe /I{38A0BB97-772D-422E-BCCA-4BA2A5D81F42}
Ad-aware 6 Plus --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Acrobat 7.0.9 Professional --> msiexec /I {AC76BA86-1033-0000-7760-000000000002}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop CS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}\setup.exe" -l0x9
Adobe Premiere Pro --> RunDll32 "C:\Program Files\Common Files\InstallShield\Professional\RunTime701\Intel32\ctor.dll",LaunchSetup "C:\Program Files\InstallShield Installation Information\{084709F7-38C5-4609-B55F-2417939315EB}\setup.exe"
Adobe Reader 6.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-000000000001}
Adobe Reader for Pocket PC 2.0 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{291A772C-FFB9-4681-B720-AB2A0A620896}
Advanced Task Manager 3.0 --> "C:\Program Files\Innovative Solutions\Advanced Task Manager 3\unins000.exe"
AdventureWorksBICI --> MsiExec.exe /I{A90036CE-E7B2-4C42-B52D-B2843BC31884}
AdventureWorksDBCI --> MsiExec.exe /I{7D95B533-4BA1-4EED-8096-EFCB6DD6B95F}
Agere Systems AC'97 Modem --> agrsmdel
AlphaMagic Gradients for Hollywood FX PRO --> C:\WINDOWS\unvise32.exe C:\WINDOWS\unalphamagic.log
Apple Mobile Device Support --> MsiExec.exe /I{A43B2A2F-1DB5-47F9-A608-F11A4835D7CB}
Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
Atalasoft DotImage 4.0 SDK --> "C:\Documents and Settings\All Users\Application Data\{F099DA36-CF75-43E5-90BE-D3998A06CC8B}\DotImageIAInstaller.exe" REMOVE=TRUE MODIFY=FALSE
Atalasoft DotTwain 2.1 SDK --> "C:\Documents and Settings\All Users\Application Data\{0F5CA2B3-FEBC-4D30-9718-916B7BE48450}\DotTwainIAInstaller.exe" REMOVE=TRUE MODIFY=FALSE
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Camtasia Studio 4 --> MsiExec.exe /I{1C6D9FD0-8BE2-4226-8D9F-4929CBC1C396}
Canon PowerShot A30 WIA Driver --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\PowerShot A30 WIA\Uninst.isu" -c"C:\Program Files\Canon\PowerShot A30 WIA\UNSTE114.dll"
CorelDRAW Graphics Suite 12 --> MsiExec.exe /I{505AFDC0-5E72-4928-8368-5DEA385E3647}
DivX --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Emulator Driver for Visual Studio .NET 2003 --> MsiExec.exe /X{C1446F2B-8B97-45AC-89A7-C40BE59284B8}
EngleskiRecnikER300 --> MsiExec.exe /I{63C5C836-5673-4E00-B165-7096C9E4F6A5}
EnvelopeV2 --> MsiExec.exe /I{A9C5C4C8-90B2-472D-89B9-A1262F02E86B}
Fiddler (remove only) --> "C:\Program Files\Fiddler\uninst.exe"
FireGL driver for 3D Studio MAX/VIZ --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5AEBFD6-3AF9-4784-81C2-F442C86AA096}\setup.exe"
FlashFXP --> C:\PROGRA~1\FlashFXP\UNWISE.EXE C:\PROGRA~1\FlashFXP\INSTALL.LOG
FlashGet(JetCar) --> C:\PROGRA~1\FlashGet\UNWISE.EXE C:\PROGRA~1\FlashGet\INSTALL.LOG
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 1.99.1 --> C:\Program Files\HijackThis\HijackThis.exe /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
hp color LaserJet 2550 series --> MsiExec.exe /x {7ABD6243-A825-46AE-B1B4-B5AE845AA7A9}
HP Software Update --> MsiExec.exe /X{90B5E602-1867-449D-86FD-FC9DEA4434BF}
HP USB Disk Storage Format Tool --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0E0DF90C-D0BA-4C89-9262-AD78D1A3DE51}\Setup.exe" -l0x9
HtmlCapture ActiveX Control 1.0 --> "C:\Program Files\HtmlCapture\unins000.exe"
IBM Access Connections --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{22B71A00-4DED-11D4-A5E5-0004AC564F43}\setup.exe" -l0x9 anything
IBM Active Protection System --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{72806716-7088-41B2-8FA6-717A2A164DAB}\setup.exe" -l0x9 anything
IBM Client Security Software 5.41.104.0 --> MsiExec.exe /I{B193BF4A-EF82-4D29-93B8-C5005626CEC8}
IBM File and Folder Encryption 2.10.009.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2ECDC9BE-A1AB-491F-A4E0-5C0E4232B8ED}\Setup.exe" -l0x9
IBM Integrated Bluetooth II Software --> MsiExec.exe /X{E98D6792-FC51-4187-9448-CA9BF893384E}
IBM ThinkPad Battery MaxiMiser and Power Management Features --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\Unbmm.isu -c"C:\Program Files\ThinkPad\Utilities\Tpinsbmm.dll"
IBM ThinkPad Configuration --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ThinkPad\Utilities\UNTPUW.ISU" -c"C:\Program Files\ThinkPad\Utilities\Tpinswin.dll"
IBM ThinkPad Keyboard Customizer Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2111B23F-7FDA-4A41-8309-E5A1663CA296}\setup.exe" -l0x9 anything
IBM ThinkPad Power Management Driver --> RunDll32.exe tpinspm.dll,Uninstall
IBM ThinkPad Presentation Director --> C:\WINDOWS\IsUninst.exe -fC:\PROGRA~1\ThinkPad\UTILIT~1\UNNPDR.isu -c"C:\Program Files\ThinkPad\Utilities\Tpinsnpd.dll"
IBM ThinkPad UltraNav Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
IBM Update Connector --> MsiExec.exe /X{8D815BF3-2399-459C-B121-49373FEFB9E8}
IBM Wireless LAN Adapters Software (11a/b, 11b/g, 11a/b/g) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9FAC9E5C-0D20-4DBF-AFE5-2E09C52A95A2}\SETUP.EXE" -l0x9 UNINSTALLFROMSYS
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
Intel® PROSet for Wired Connections --> MsiExec.exe /I{16906D21-0656-4F8B-9A01-C3D24B5401FC}
Internet Explorer Q903235 --> C:\WINDOWS\ieuninst.exe C:\WINDOWS\INF\Q903235.inf
iTunes --> MsiExec.exe /I{9357AE3A-B2ED-4138-BB9B-0564352C3F0A}
LiveUpdate 1.90 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Logitech SetPoint --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}\setup.exe" -l0x9
Macromedia Flash Player --> MsiExec.exe /X{4ecaf021-478c-40c1-b777-3368a15f9966}
Microsoft ActiveSync --> MsiExec.exe /I{99052DB7-9592-4522-A558-5417BBAD48EE}
Microsoft Analysis Services Samples (Updated - SP3) --> MsiExec.exe /I{14CCB6D9-7D38-4555-AF95-457C44E65473}
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Device Emulator version 1.0 - ENU --> MsiExec.exe /X{78B75C6D-E53C-424C-BF83-4B63BD4A6682}
Microsoft Document Explorer 2005 --> C:\Program Files\Common Files\Microsoft Shared\Help 8\Microsoft Document Explorer 2005\install.exe
Microsoft Document Explorer 2005 --> MsiExec.exe /X{44D4AF75-6870-41F5-9181-662EA05507E1}
Microsoft Office 2003 Web Components --> MsiExec.exe /I{90A40409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Access 2003 Developer Extensions --> MsiExec.exe /I{90D00409-6000-11D3-8CFE-0150048383C9}
Microsoft Office FrontPage 2003 --> MsiExec.exe /I{90170409-6000-11D3-8CFE-0150048383C9}
Microsoft Office OneNote 2003 --> MsiExec.exe /I{90A10409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Project Professional 2003 --> MsiExec.exe /I{903B0409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Visio Professional 2003 --> MsiExec.exe /I{90510409-6000-11D3-8CFE-0150048383C9}
Microsoft Pocket PC 2003 SDK --> MsiExec.exe /X{4BA6C9AC-B6BA-4B0D-AB8D-71B2B19D4AA3}
Microsoft Smartphone 2003 SDK --> MsiExec.exe /X{E6D082ED-25E7-4EE2-A153-797FD7945774}
Microsoft SQL Server 2000 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Microsoft SQL Server\MSSQL\Uninst.isu" -c"C:\Program Files\Microsoft SQL Server\MSSQL\sqlsun.dll" -msql.mif i=MSSQLSERVER
Microsoft SQL Server 2000 Analysis Services --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Microsoft Analysis Services\uninst.isu" -c"C:\Program Files\Microsoft Analysis Services\uninst.dll"
Microsoft SQL Server 2000 Samples (Updated - SP3) --> MsiExec.exe /I{3DE1A9C4-5D37-4716-B0F4-7D980EF405C6}
Microsoft SQL Server 2005 --> "c:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server 2005 (THINKPADSQL2005) --> MsiExec.exe /I{2373A92B-1C1C-4E71-B494-5CA97F96AA19}
Microsoft SQL Server 2005 Analysis Services (THINKPADSQL2005) --> MsiExec.exe /I{982DB00A-9C4E-436B-8707-18E113BAA44C}
Microsoft SQL Server 2005 Backward compatibility --> MsiExec.exe /I{69880C00-08DD-4385-B752-9C62656F6D1E}
Microsoft SQL Server 2005 Books Online (English) (May 2007) --> MsiExec.exe /I{724FC607-AA4A-4F32-AC1D-88B7EDA6CA85}
Microsoft SQL Server 2005 Compact Edition [ENU] --> MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft SQL Server 2005 Compact Edition Books Online [ENU] --> MsiExec.exe /I{60A57730-A087-1033-8F5A-C72D3DD9DE89}
Microsoft SQL Server 2005 Compact Edition Developer Software Development Kit [ENU] --> MsiExec.exe /I{50A57730-A087-1033-8F5A-C72D3DD9DE89}
Microsoft SQL Server 2005 Compact Edition Tools for Visual Studio 2005 [ENU] --> MsiExec.exe /X{1389C6A4-4965-4AEC-9175-08B54A10FA48}
Microsoft SQL Server 2005 Integration Services --> MsiExec.exe /I{E0A41F96-7231-4AE8-A654-EEB34F935462}
Microsoft SQL Server 2005 Notification Services --> MsiExec.exe /I{63A5DC0D-1EDD-4D69-8F31-87FAEB1F7084}
Microsoft SQL Server 2005 Reporting Services (THINKPADSQL2005) --> MsiExec.exe /I{3BDB182E-8371-46BD-AC39-C14A91D5EEF8}
Microsoft SQL Server 2005 Samples --> MsiExec.exe /I{DDF6E319-BCD9-4FE3-9D69-26B2F47BEF7C}
Microsoft SQL Server 2005 Tools --> MsiExec.exe /I{90032DD0-ABEE-4424-AC1E-B076BDD4E350}
Microsoft SQL Server Desktop Engine (MSDE) --> MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR) --> MsiExec.exe /X{689404D2-1C94-44B3-9203-BEC5594FDA7A}
Microsoft SQL Server Native Client --> MsiExec.exe /I{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}
Microsoft SQL Server Setup Support Files (English) --> MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer --> MsiExec.exe /I{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Virtual PC 2007 --> MsiExec.exe /X{8A7CAA24-7B23-410B-A7C3-F994B0944160}
Microsoft Visio for Enterprise Architects [English] --> MsiExec.exe /I{90560409-6D54-11D4-BEE3-00C04F990354}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Visual J# .NET Redistributable Package 1.1 --> MsiExec.exe /X{1A655D51-1423-48A3-B748-8F5A0BE294C8}
Microsoft Visual J# 2.0 Redistributable Package --> C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft Visual J# 2.0 Redistributable Package\install.exe
Microsoft Visual SourceSafe 2005 - ENU --> "C:\Program Files\Microsoft Visual SourceSafe\Microsoft Visual SourceSafe 2005 - ENU\setup.exe"
Microsoft Visual SourceSafe 6.0 --> "C:\Program Files\Microsoft Visual Studio\COMMON\VSS\setup\win32\1033\Setup.exe"
Microsoft Visual Studio .NET Enterprise Architect 2003 - English --> "C:\Program Files\Microsoft Visual Studio .NET 2003\Setup\Visual Studio .NET Enterprise Architect 2003 - English\setup.exe" /MaintMode
Microsoft Visual Studio 2005 Team Suite - ENU --> C:\Program Files\Microsoft Visual Studio 8\Microsoft Visual Studio 2005 Team Suite - ENU\setup.exe
Microsoft Visual Studio 2005 Team Suite - ENU Service Pack 1 (KB926601) --> C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {D93F9C7C-AB57-44C8-BAD6-1494674BCAF7} /package {1862162E-3BBC-448F-AA63-49F33152D54A}
Microsoft Visual Studio 2005 Tools for Office Runtime --> MsiExec.exe /X{388E4B09-3E71-4649-8921-F44A3A2954A7}
Microsoft Visual Studio 6.0 Enterprise Edition --> "C:\Program Files\Microsoft Visual Studio\Common\Setup\1033\Setup.exe"
Microsoft Visual Studio Tools for the Microsoft Office System --> MsiExec.exe /X{7BD9D04F-6C73-48F1-A770-9943CD43BC4F}
Microsoft Web Publishing Wizard 1.53 --> RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie3x86.inf,WebPostUninstall
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
Microsoft WSE 1.0 --> MsiExec.exe /I{9431A631-BFCC-488F-AD74-364A943D4529}
Microsoft WSE 3.0 --> MsiExec.exe /I{EDEA8AB7-7683-4ED2-AA19-E6C078064C0D}
mIRC --> "C:\Program Files\mIRC\mirc.exe" -uninstall
Morton Benson English-Serbian Dictionary --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Morton Benson\Uninst.isu"
Morton Benson SerboCroatian-English Dictionary --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Morton Benson\Uninst.isu"
Mozilla Firefox (2.0.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\uninst.exe
MSDE 2000 Deployment Toolkit 1.0 --> MsiExec.exe /X{372242DD-C91E-46E3-857F-ADE7DEE818C1}
MSDN Library - April 2003 DVD --> MsiExec.exe /I{E8AC5ECD-ED45-4C43-9EBC-6CDDB02614F3}
MSDN Library - August 2006 --> msiexec /i {126F52E7-B956-424A-A843-C16085A9BBB8}
MSDN Library - August 2006 --> MsiExec.exe /X{126F52E7-B956-424A-A843-C16085A9BBB8}
MSDN Library - January 2001 --> "C:\Program Files\Microsoft Visual Studio\MSDN\2001JAN\1033\Setup\Setup.exe"
MSDN Library - January 2004 DVD --> MsiExec.exe /I{1E842282-6AC9-4522-AFEC-713A9177D92D}
MSDN Library - July 2004 DVD --> MsiExec.exe /I{03B449D6-F7D0-438A-8CFA-F27767393EB3}
MSDN Library - October 2005 DVD --> MsiExec.exe /I{D3A84AC1-D020-4250-AEDC-981FDAFD12AE}
MSDN Library for Visual Studio .NET 2003 --> MsiExec.exe /I{5757AE1A-1DB4-4898-9806-09F77FBD5E57}
MSDN Library for Visual Studio 2005 --> msiexec /i {23959E96-A80F-4172-A655-210E9BB7BFBE}
MSDN Library for Visual Studio 2005 --> MsiExec.exe /X{23959E96-A80F-4172-A655-210E9BB7BFBE}
MSN Messenger 7.5 --> MsiExec.exe /I{CEB3A11A-03EA-11DA-BFBD-00065BBDC0B5}
MSXML 6.0 Parser --> MsiExec.exe /I{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}
MV2Player (remove only) --> C:\Program Files\Mv2Player\uninst.exe
MyODBC --> MsiExec.exe /X{29042B1C-0713-4575-B7CA-5C8E7B0899D4}
MySQL Connector Net 1.0.4 --> MsiExec.exe /I{832F75D5-390B-4D00-AC52-A321EA39B98C}
Nero 7 Ultra Edition --> MsiExec.exe /I{40261D0A-A385-4C1A-A7DE-5F270D9B1033}
NOD32 antivirus system --> C:\Program Files\Eset\Setup\setup.exe /UNINSTALL
NOD32 FiX --> "C:\Program Files\Eset\unins000.exe"
PC-Doctor for Windows --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F7CCFA3-D926-4882-B2A5-A0217ED25597}\Setup.exe"
Picture Package --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1E2F8AE3-3437-44E6-BB75-E95751D6B83F}\setup.exe" -l0x9 UNINSTALL
Pinnacle Hollywood FX 4.6 --> C:\WINDOWS\unvise32.exe C:\Program Files\Pinnacle\Hollywood FX 4.6\uninstal.log
Pinnacle Hollywood FX 5 --> C:\WINDOWS\unvise32.exe C:\Program Files\Pinnacle\Hollywood FX 5\uninstal.log
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
Print WSJ RSS Demo --> MsiExec.exe /X{58C96FDC-4337-4539-9E84-B3162EAC48F9}
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Roxio WinOnCD 6 DVD Edition --> MsiExec.exe /I{CC550492-0747-48E4-A37C-5A2A0C815489}
Roxio WinOnCD ServicePack 6.02 --> MsiExec.exe /X{3D2BB9B6-AF7E-490B-9CD7-912B0D338FED}
Scientific Atlanta WebSTAR 100 & 200 series Cable Modem --> UNDPX.EXE
Scientific Atlanta WebSTAR 2000 series Cable Modem --> UNDPX2K.EXE
SereneScreen Marine Aquarium 2 --> "C:\Program Files\SereneScreen\Marine Aquarium 2\unins000.exe"
Service Pack 2 for SQL Server Analysis Services 2005 ENU (KB921896) --> C:\WINDOWS\OLAP9_KB921896_ENU\Hotfix.exe /Uninstall
Service Pack 2 for SQL Server Database Services 2005 ENU (KB921896) --> C:\WINDOWS\SQL9_KB921896_ENU\Hotfix.exe /Uninstall
Service Pack 2 for SQL Server Integration Services 2005 ENU (KB921896) --> C:\WINDOWS\DTS9_KB921896_ENU\Hotfix.exe /Uninstall
Service Pack 2 for SQL Server Notification Services 2005 ENU (KB921896) --> C:\WINDOWS\NS9_KB921896_ENU\Hotfix.exe /Uninstall
Service Pack 2 for SQL Server Reporting Services 2005 ENU (KB921896) --> C:\WINDOWS\RS9_KB921896_ENU\Hotfix.exe /Uninstall
Service Pack 2 for SQL Server Tools and Workstation Components 2005 ENU (KB921896) --> C:\WINDOWS\SQLTools9_KB921896_ENU\Hotfix.exe /Uninstall
SetupPPUpdater --> C:\PROGRA~1\PESTPA~1\UNWISE.EXE C:\PROGRA~1\PESTPA~1\install.log
SHARP AR-351/355/451/455 Series PCL Printer Driver --> C:\WINDOWS\ISUNINST.EXE -fC:\WINDOWS\ush2.isu -cC:\WINDOWS\system32\ush2.dll
Sharp OSA SDK --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{AC79695A-B5A2-4DD8-AA66-5E6A61EA7124} /l1033
Skype™ 3.2 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SOED --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F91D702D-3DB1-11D3-B3A9-0020185257C4}\setup.exe" -uninst
Sony DVD Architect 3.0c --> MsiExec.exe /X{19024EBA-7B29-4491-BB4E-ECF9446819E4}
Sony Media Manager 2.0 --> MsiExec.exe /X{47D2D455-2C1C-4922-A520-3E3466D783E1}
Sony USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALL
Sony Vegas 6.0b --> MsiExec.exe /X{576FBE17-EBF2-4CC7-87A4-A28034CBE424}
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10 \Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x9 -removeonly
SQLXML4 --> MsiExec.exe /I{36DD7006-7BFE-4E3D-AF6E-FA734BC879B7}
Studio 8 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{53EF6570-21A4-47ED-A40A-E6470A5677A3}\Setup.exe" -l0x9 UNINSTALL
Studio Content CD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4C643986-DE3C-4737-8472-CCEC36CCC267}\Setup.exe" -l0x9
Symantec Ghost Standard Tools --> MsiExec.exe /I{75CBE62D-E961-42B4-0084-2314E5B00035}
ThinkPad FullScreen Magnifier --> RunDll32 setupapi.dll,InstallHinfSection DefaultUninstall.NT 132 C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.inf
ThinkPad Software Installer --> _tpiu000.exe /U
USB Storage Adapter FX (TPP) --> tppun.exe TPPFX
Visual Studio 2005 Extensions for Windows Workflow Foundation --> "C:\Program Files\Microsoft Visual Studio 2005 Extensions for Windows Workflow Foundation\Setup.exe" /SetupXML "C:\Program Files\Microsoft Visual Studio 2005 Extensions for Windows Workflow Foundation\\x86\Setup.xml"
Visual Studio 2005 Extensions for Windows Workflow Foundation --> MsiExec.exe /I{C8A7718A-FF6D-4DDC-AE36-BBF968D6799B}
Visual Studio 2005 Tools for Office Second Edition --> c:\Program Files\Microsoft Visual Studio 8\Visual Studio 2005 Tools for Office Second Edition\setup.exe
Visual Studio 2005 Tools for Office Second Edition Runtime --> c:\Program Files\Common Files\Microsoft Shared\VSTO\8.0\Microsoft Visual Studio 2005 Tools for Office Runtime\install.exe
WebDialogs Unyte --> C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\40E74BFD69174D7FB489C85D9E586824\uninstall.exe
WebEx --> C:\WINDOWS\DOWNLO~1\atcliun.exe
WebEx MeetMeNow --> C:\WINDOWS\DOWNLO~1\MyWebEx\419\\mwmcliun.exe
WebEx One-Click --> MsiExec.exe /I{8E560E1F-1DAE-40D5-B658-313779E8945A}
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Commander (Remove or Repair) --> C:\Program Files\wincmd\wcuninst.exe
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Rights Management Client Backwards Compatibility SP2 --> MsiExec.exe /X{EC905264-BCFE-423B-9C42-C3A106266790}
Windows Rights Management Client with Service Pack 2 --> MsiExec.exe /X{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
WSJv2 --> MsiExec.exe /I{2EC092F2-86B0-4AF6-BE3C-653ED0134AA8}
XML Paper Specification Shared Components Pack 1.0 -->
YahooTrafficV2 --> MsiExec.exe /I{8D611DF3-1389-4BAB-993C-0A8FCF3A2024}
-- End of Deckard's System Scanner: finished at 2007-07-30 at 03:16:46 ---------
------
--- ComboFix Quarantine Files ---
2006-11-20 07:00 2 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\wnsintcc.exe.vir
2007-05-16 17:34 93848 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\MyWebEx\419\ieatgpc.dll.vir
2007-06-08 16:36 110592 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\MyWebEx\419\uilibres.dll.vir
2007-06-08 16:36 120391 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\MyWebEx\419\atdl2006.dll.vir
2007-06-08 16:36 126976 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\MyWebEx\419\attp.dll.vir
2007-06-08 16:36 126976 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\MyWebEx\419\mwmoi.dll.vir
2007-06-08 16:36 126976 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\MyWebEx\419\mwmoibak.dll.vir
2007-06-08 16:36 132688 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\MyWebEx\419\mwmupd.exe.vir
2007-06-08 16:36 141381 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\MyWebEx\419\atas32.dll.vir
2007-06-08 16:36 1466368 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\MyWebEx\419\mwmres.dll.vir
2007-06-08 16:36 159744 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\MyWebEx\419\atlchat.dll.vir
2007-06-08 16:36 1810432 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\MyWebEx\419\atres.dll.vir
2007-06-08 16:36 202823 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\MyWebEx\419\atasnt40.dll.vir
2007-06-08 16:36 23106 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\MyWebEx\419\atpack.dll.vir
2007-06-08 16:36 233472 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\MyWebEx\419\atarm.dll.vir
2007-06-08 16:36 24576 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\MyWebEx\419\atmemmgr.dll.vir
2007-06-08 16:36 28672 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\MyWebEx\419\ratrace.dll.vir
2007-06-08 16:36 315392 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\MyWebEx\419\atwbxui5.dll.vir
2007-06-08 16:36 335872 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\MyWebEx\419\mwmpad.exe.vir
2007-06-08 16:36 36864 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\MyWebEx\419\raurl.dll.vir
2007-06-08 16:36 404039 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\MyWebEx\419\atasctrl.dll.vir
2007-06-08 16:36 434176 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\MyWebEx\419\mwmres1.dll.vir
2007-06-08 16:36 483328 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\MyWebEx\419\webexmgr.dll.vir
2007-06-08 16:36 49152 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\MyWebEx\419\atcarmcl.dll.vir
2007-06-08 16:36 53248 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\MyWebEx\419\mwmim.dll.vir
2007-06-08 16:36 5702 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\MyWebEx\419\atkbctl.dll.vir
2007-06-08 16:36 61511 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\MyWebEx\419\atasanot.exe.vir
2007-06-08 16:36 65536 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\MyWebEx\419\atnetext.dll.vir
2007-06-08 16:36 65536 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\MyWebEx\419\wbxcrypt.dll.vir
2007-06-08 16:36 77824 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\MyWebEx\419\mwmie.bak.vir
2007-06-08 16:36 77824 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\MyWebEx\419\mwmie.dll.vir
2007-06-08 16:36 81408 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\MyWebEx\419\atjpeg60.dll.vir
2007-06-08 16:36 90112 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\MyWebEx\419\mwmproxy.dll.vir
2007-06-08 16:36 98304 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\MyWebEx\419\mwmcliun.exe.vir
2007-06-14 13:54 163840 --a------ C:\Qoobox\Quarantine\C\Program Files\HijackThis\backups\backup-20070729-195300-651.dll.vir
2007-07-13 18:02 171 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\MyWebEx\419\mwm.ini.vir
2007-07-13 19:18 64467 --a------ C:\Qoobox\Quarantine\C\WINDOWS\DOWNLO~1\MyWebEx\419\mwmtrace.txt.vir
2007-07-17 14:27 56320 --a------ C:\Qoobox\Quarantine\C\WINDOWS\b122.exe.vir
2007-07-28 20:31 1174796 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\LOCALS~1\APPLIC~1\Install.dat.vir
2007-07-28 21:44 16 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\Application Data\.rdr.ini.vir
2007-07-28 21:45 108 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Documents\Settings\desktop.ini.vir
2007-07-28 21:45 1174796 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\NETWOR~1\APPLIC~1\Install.dat.vir
2007-07-28 21:47 152 --a------ C:\Qoobox\Quarantine\C\WINDOWS\wr.txt.vir
2007-07-29 03:32 34560 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\runtime2.sys.vir
2007-07-29 21:04 0 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\9_exception.nls.vir
2007-07-29 23:01 1004 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_POOF.reg.cf
2007-07-29 23:01 1034 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_RUNTIME.reg.cf
2007-07-29 23:01 1100 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_RUNTIME2.reg.cf
2007-07-29 23:01 2056 --a------ C:\Qoobox\Quarantine\Registry_backups\services_kprof.reg.cf
2007-07-29 23:01 2416 --a------ C:\Qoobox\Quarantine\Registry_backups\services_poof.reg.cf
2007-07-29 23:01 2578 --a------ C:\Qoobox\Quarantine\Registry_backups\services_ICF.reg.cf
2007-07-29 23:01 766 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_ICF.reg.cf
2007-07-29 23:01 868 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_ASC3550U.reg.cf
2007-07-29 23:02 818 --a------ C:\Qoobox\Quarantine\Registry_backups\services_runtime.reg.cf

Folder PATH listing
Volume serial number is 186F-4AA4
C:\QOOBOX
\---Quarantine
    +---C
    |   +---Documents and Settings
    |   |   \---All Users
    |   |       \---Documents
    |   |           \---Settings
    |   |                   desktop.ini.vir
    |   +---DOCUME~1
    |   |   +---LOCALS~1
    |   |   |   \---APPLIC~1
    |   |   |           Install.dat.vir
    |   |   \---NETWOR~1
    |   |       \---APPLIC~1
    |   |               Install.dat.vir
    |   +---Program Files
    |   |   \---HijackThis
    |   |       \---backups
    |   |               backup-20070729-195300-651.dll.vir
    |   +---Recyclers
    |   \---WINDOWS
    |       |   b122.exe.vir
    |       |   wr.txt.vir
    |       +---DOWNLO~1
    |       |   \---MyWebEx
    |       |       \---419
    |       |               atarm.dll.vir
    |       |               atas32.dll.vir
    |       |               atasanot.exe.vir
    |       |               atasctrl.dll.vir
    |       |               atasnt40.dll.vir
    |       |               atcarmcl.dll.vir
    |       |               atdl2006.dll.vir
    |       |               atjpeg60.dll.vir
    |       |               atkbctl.dll.vir
    |       |               atlchat.dll.vir
    |       |               atmemmgr.dll.vir
    |       |               atnetext.dll.vir
    |       |               atpack.dll.vir
    |       |               atres.dll.vir
    |       |               attp.dll.vir
    |       |               atwbxui5.dll.vir
    |       |               ieatgpc.dll.vir
    |       |               mwm.ini.vir
    |       |               mwmcliun.exe.vir
    |       |               mwmie.bak.vir
    |       |               mwmie.dll.vir
    |       |               mwmim.dll.vir
    |       |               mwmoi.dll.vir
    |       |               mwmoibak.dll.vir
    |       |               mwmpad.exe.vir
    |       |               mwmproxy.dll.vir
    |       |               mwmres.dll.vir
    |       |               mwmres1.dll.vir
    |       |               mwmtrace.txt.vir
    |       |               mwmupd.exe.vir
    |       |               ratrace.dll.vir
    |       |               raurl.dll.vir
    |       |               uilibres.dll.vir
    |       |               wbxcrypt.dll.vir
    |       |               webexmgr.dll.vir
    |       \---system32
    |           |   9_exception.nls.vir
    |           |   wnsintcc.exe.vir
    |           +---config
    |           |   \---systemprofile
    |           |       \---Application Data
    |           |               .rdr.ini.vir
    |           \---drivers
    |                   runtime2.sys.vir
    \---Registry_backups
            LEGACY_ASC3550U.reg.cf
            LEGACY_ICF.reg.cf
            LEGACY_POOF.reg.cf
            LEGACY_RUNTIME.reg.cf
            LEGACY_RUNTIME2.reg.cf
            services_ICF.reg.cf
            services_kprof.reg.cf
            services_poof.reg.cf
            services_runtime.reg.cf
------
Thanks a lot for your assistance.
Best Regards!
ngm
#8
Posted 30 July 2007 - 08:50 AM
1) Please download the OTMoveIt by OldTimer.
- Save it to your desktop.
- Please double-click OTMoveIt.exe to run it.
- Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\retadpu27.exe
C:\WINDOWS\BillGatesLoh.exe
C:\WINDOWS\system32\kernelwind32.exe
c:\windows\system32\dwdsregt.exe
C:\Documents and Settings\All Users\Documents\Settings\bot.dll
C:\WINDOWS\system32\byxywvu.dll
C:\WINDOWS\system32\winwsa32.dll
C:\WINDOWS\byxywvu.dll
C:\WINDOWS\winwsa32.dll
C:\WINDOWS\system32\hzda.dll
C:\WINDOWS\system32\dnsersnd.dll
C:\WINDOWS\system32\rpcc.exe
C:\WINDOWS\system32\dllcache\win32\services.exe
c:\windows\system32\msvcrtd.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\system32\dllrun32.exe
C:\WINDOWS\dllrun32.exe
C:\WINDOWS\LastGood
C:\WINDOWS\system32\drivers\runtime.sys
C:\WINDOWS\system32\drivers\ip6fw.sys
C:\WINDOWS\system32\drivers\runtime2.sys
- Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
- Click the red Moveit! button.
- Close OTMoveIt
Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum along with a fresh HJT Log. Reboot into Normal Mode.
2) Download and scan with SUPERAntiSpyware Free for Home Users
- Double-click SUPERAntiSpyware.exe and use the default settings for installation.
- An icon will be created on your desktop. Double-click that icon to launch the program.
- If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
- Under "Configuration and Preferences", click the Preferences button.
- Click the Scanning Control tab.
- Under Scanner Options make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Scan for tracking cookies.
- Terminate memory threats before quarantining.
- Click the "Close" button to leave the control center screen.
- Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
- On the left, make sure you check C:\Fixed Drive.
- On the right, under "Complete Scan", choose Perform Complete Scan.
- Click "Next" to start the scan. Please be patient while it scans your computer.
- After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
- Make sure everything has a checkmark next to it and click "Next".
- A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
- If asked if you want to reboot, click "Yes".
- To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply along with the OTMove It log and a fresh HJT Log.
- Click Close to exit the program.
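The OTMoveIt step above moves every listed path unconditionally, and the ComboFix quarantine listing in the previous post shows what that looks like afterwards: each file is renamed with a .vir suffix under a tree that mirrors its original location. The script below is an added example written for this page; it is not part of the thread, of OldTimer's OTMoveIt, or of ComboFix. It takes the same kind of path list, logs size, SHA-256 and embedded Authenticode status for each item, and moves only files that are neither validly signed nor byte-identical to their Windows File Protection cache copy in system32\dllcache, into a Qoobox-style quarantine tree. It assumes PowerShell 2.0 or later on an elevated console; the quarantine location, the log file name, and the subset of target paths are the example's own choices.

```powershell
# Added example, not from the thread, OTMoveIt or ComboFix: a signature- and
# hash-aware version of the "paste a list of paths and move them" step.
# Assumes PowerShell 2.0+ running elevated. $Quarantine is an assumed path.

$Quarantine = 'C:\Quarantine'
$LogFile    = Join-Path $Quarantine 'moveit.log'
$DllCache   = Join-Path $env:SystemRoot 'system32\dllcache'   # WFP cache

# A subset of the OTMoveIt list from the post above.
$TargetList = @(
    'C:\WINDOWS\retadpu27.exe',
    'C:\WINDOWS\BillGatesLoh.exe',
    'C:\WINDOWS\system32\kernelwind32.exe',
    'C:\WINDOWS\system32\dllcache\win32\services.exe',
    'C:\WINDOWS\System32\acs.exe',
    'C:\WINDOWS\LastGood',
    'C:\WINDOWS\system32\drivers\runtime.sys',
    'C:\WINDOWS\system32\drivers\ip6fw.sys',
    'C:\WINDOWS\system32\drivers\runtime2.sys'
)

function Write-Log([string]$Message) {
    Add-Content -Path $LogFile -Value $Message
    Write-Output $Message
}

function Get-Sha256Hex([string]$Path) {
    # Shared read/write access so a file held open by a running service
    # can still be hashed.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $fs.Close()
    }
}

function Test-WfpCopy([System.IO.FileInfo]$File) {
    # True when an identical copy sits in the WFP cache. That copy is what
    # Windows restores from (the reason ip6fw.sys came back in the thread),
    # and a rootkit could replace both, so treat a match as a hint only.
    $cached = Join-Path $DllCache $File.Name
    if (-not (Test-Path -LiteralPath $cached)) { return $false }
    return (Get-Sha256Hex $cached) -eq (Get-Sha256Hex $File.FullName)
}

function Move-ToQuarantine([string]$FullName) {
    # C:\WINDOWS\foo.exe -> C:\Quarantine\C\WINDOWS\foo.exe.vir (Qoobox layout)
    $relative = $FullName -replace '^([A-Za-z]):\\', '$1\'
    $dest     = Join-Path $Quarantine ($relative + '.vir')
    New-Item -ItemType Directory -Path (Split-Path -Parent $dest) -Force | Out-Null
    Move-Item -LiteralPath $FullName -Destination $dest -Force
    Write-Log "$FullName moved to $dest"
}

New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null

foreach ($target in $TargetList) {
    if (-not (Test-Path -LiteralPath $target)) {
        # Same wording as the OTMoveIt log. A kernel rootkit hiding the file
        # looks exactly like this from user mode, so it is not proof of absence.
        Write-Log "File/Folder $target not found."
        continue
    }
    $item = Get-Item -LiteralPath $target -Force
    if ($item.PSIsContainer) {
        Move-ToQuarantine $item.FullName     # e.g. C:\WINDOWS\LastGood, moved whole
        continue
    }
    $hash   = Get-Sha256Hex $item.FullName
    $sig    = Get-AuthenticodeSignature -FilePath $item.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    Write-Log ('{0} size={1} sha256={2} authenticode={3} signer={4}' -f `
        $item.FullName, $item.Length, $hash, $sig.Status, $signer)

    if ($sig.Status -eq 'Valid') {
        Write-Log "$($item.FullName) left in place: valid embedded signature"
    } elseif (Test-WfpCopy $item) {
        Write-Log "$($item.FullName) left in place: identical copy in dllcache, WFP would restore it"
    } else {
        Move-ToQuarantine $item.FullName
    }
}
```

Two caveats that the thread itself illustrates. On Windows XP most Microsoft system files carry no embedded signature (they are signed through catalog files), so Get-AuthenticodeSignature reports them as NotSigned; the dllcache comparison is there to catch that case, and acs.exe, which the poster had to put back, would still need a vendor signature or a known-good hash to be skipped. And "not found" is ambiguous: IceSword had flagged runtime2.sys as hidden, while the ComboFix listing shows runtime2.sys.vir already in quarantine by the time OTMoveIt ran, which is the benign explanation; when it is not, the file has to be checked from outside the running system or with a tool that reads the disk below the hooked API.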
#9
Posted 31 July 2007 - 05:10 AM
I did everything as you instructed, however please note that OTMoveIt has not moved anything except two items that are legitimate Windows files (ip6fw.sys and acs.exe). The first one is the firewall driver that was infected before I ran ComboFix but is now healthy, and the latter is the Atheros Client Utility used for WLAN. I returned acs.exe since the system experienced some problems with WLAN after its removal. ip6fw.sys has been returned by Windows itself.
--- OTMoveIt log ---
File/Folder C:\WINDOWS\retadpu27.exe not found.
File/Folder C:\WINDOWS\BillGatesLoh.exe not found.
File/Folder C:\WINDOWS\system32\kernelwind32.exe not found.
File/Folder c:\windows\system32\dwdsregt.exe not found.
File/Folder C:\Documents and Settings\All Users\Documents\Settings\bot.dll not found.
File/Folder C:\WINDOWS\system32\byxywvu.dll not found.
File/Folder C:\WINDOWS\system32\winwsa32.dll not found.
File/Folder C:\WINDOWS\byxywvu.dll not found.
File/Folder C:\WINDOWS\winwsa32.dll not found.
File/Folder C:\WINDOWS\system32\hzda.dll not found.
File/Folder C:\WINDOWS\system32\dnsersnd.dll not found.
File/Folder C:\WINDOWS\system32\rpcc.exe not found.
File/Folder C:\WINDOWS\system32\dllcache\win32\services.exe not found.
File/Folder c:\windows\system32\msvcrtd.exe not found.
C:\WINDOWS\System32\acs.exe moved successfully.
File/Folder C:\WINDOWS\system32\dllrun32.exe not found.
File/Folder C:\WINDOWS\dllrun32.exe not found.
File/Folder C:\WINDOWS\LastGood not found.
File/Folder C:\WINDOWS\system32\drivers\runtime.sys not found.
C:\WINDOWS\system32\drivers\ip6fw.sys moved successfully.
File/Folder C:\WINDOWS\system32\drivers\runtime2.sys not found.
Created on 07/31/2007 00:02:34
------
--- HiJackThis log after OTMoveIt scan ---
Logfile of HijackThis v1.99.1
Scan saved at 0:07:11 AM, on 7/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
c:\program files\business objects change notificator\businessobjectschangenotificator.process.exe
C:\Program Files\IBM\Security\uvmserv.exe
C:\WINDOWS\System32\ibmsmbus.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Microsoft Shared\MSSearch\Bin\mssearch.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IBM\Security\certtool.exe
C:\Program Files\IBM\Password Manager\pwmgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\IBM\Bluetooth Software\BTTray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\System32\dllhost.exe
\?\C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Microsoft Web Test Recorder Helper - {62355041-605D-4469-84FD-5D66ED67A7E3} - C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [FRYMXINS] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ISS_Certtool] C:\Program Files\IBM\Security\certtool.exe
O4 - HKLM\..\Run: [IBM_PWMGR] C:\Program Files\IBM\Password Manager\pwmgr.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler\Fiddler.exe" (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\Downlo~1\MyWebEx\419\mwmie.dll
O9 - Extra 'Tools' menuitem: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\Downlo~1\MyWebEx\419\mwmie.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D69485C-EAB1-42AE-93C1-B5A53F238C5A} (FileInterface Class) - https://online.banca...ilDLL/FSINT.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120655925379
O16 - DPF: {76326493-E84F-4D4B-939C-1E07B50037F2} (ProxyModule Class) - https://online.banca...LL/SGCMSCCD.DLL
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pc.mywebexpc.com/pc/mywebex/tool/sy...eck/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AB90BB4-63DE-410D-ADBF-B1BDFBE775EE}: NameServer = 82.117.194.2,82.117.194.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{84C7BC31-4BA7-4F8A-BED7-825B6E9FF991}: NameServer = 82.117.194.2,82.117.194.3
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Business Objects Change Notificator Service - Ivan Celeketic, Emir Sadikovic, Milan Simic - c:\program files\business objects change notificator\businessobjectschangenotificator.process.exe
O23 - Service: IBM User Verification Manager - IBM - C:\Program Files\IBM\Security\uvmserv.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: SMBus Upgrade Service for Windows 2000 and above (ibmsmbus) - International Business Machines Corp. - C:\WINDOWS\System32\ibmsmbus.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server FullText Search (THINKPADSQL2005) (msftesql$THINKPADSQL2005) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:THINKPADSQL2005 (file missing)
O23 - Service: SQL Server Analysis Services (THINKPADSQL2005) (MSOLAP$THINKPADSQL2005) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe" -s "C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\Config (file missing)
O23 - Service: MSSQL$MSDE - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MSDE\Binn\sqlservr.exe" -sMSDE (file missing)
O23 - Service: SQL Server (THINKPADSQL2005) (MSSQL$THINKPADSQL2005) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sTHINKPADSQL2005 (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SQLAgent$MSDE - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MSDE\Binn\sqlagent.EXE" -i MSDE (file missing)
O23 - Service: SQL Server Agent (THINKPADSQL2005) (SQLAgent$THINKPADSQL2005) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE" -i THINKPADSQL2005 (file missing)
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
------
to be continued...
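An added example, not part of this thread and not code from HijackThis or OTMoveIt: a small Python triage pass over the kind of HijackThis lines posted above. It parses the O4 (Run keys), O20 (Winlogon Notify) and O23 (services) entries and flags the things a helper reads a log for: a service whose registration survives but whose binary is gone (the acs.exe line after OTMoveIt moved it), a Winlogon Notify value whose path is not a DLL (the WgaLogon line), a service with no publisher in its version information, and a Run entry that names a bare file resolved through PATH or hosts a DLL via rundll32/regsvr32. The sample lines are copied from the log in this post; the heuristics and their thresholds are the editor's own choices, and every flag is a prompt to check the file on disk, not a verdict.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log in this
# thread. It is deliberately not a full log; only O4, O20 and O23 lines are parsed.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
"""

# Line shapes as HijackThis 1.99.x prints them (editor's regexes, not HJT's own).
RUN_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First token of a command line: a quoted path or a run of non-space characters.
EXE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>\S+)')
# Hosts that run somebody else's DLL: the interesting file is their argument.
HOSTS = {"rundll32", "rundll32.exe", "regsvr32", "regsvr32.exe"}


def parse_hjt(text):
    """Turn O4/O20/O23 lines into dicts; every other line is ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            entries.append({"section": "O4", "name": m["name"], "key": m["key"], "cmd": m["cmd"]})
            continue
        m = NOTIFY_RE.match(line)
        if m:
            entries.append({"section": "O20", "name": m["name"].strip(), "path": m["path"].strip()})
            continue
        m = SERVICE_RE.match(line)
        if m:
            entries.append({"section": "O23", "name": m["name"], "owner": m["owner"], "path": m["path"]})
    return entries


def split_command(cmd):
    """Return (executable, remaining arguments) for a Run-key command line."""
    m = EXE_RE.match(cmd)
    if not m:
        return "", ""
    exe = m["q"] if m["q"] is not None else m["u"]
    return exe, cmd[m.end():].strip()


def first_argument(rest):
    """First non-switch argument; honours a quoted path and strips a ',Entry' suffix."""
    for tok in re.findall(r'"[^"]*"|\S+', rest):
        if not tok.startswith(("/", "-")):
            return tok.strip('"').split(",", 1)[0]
    return ""


def effective_image(cmd):
    """The file that actually gets loaded: the host's DLL argument for rundll32/regsvr32."""
    exe, rest = split_command(cmd)
    if exe.lower() in HOSTS:
        return first_argument(rest)
    return exe


def triage(entries):
    """Return (section, name, reason) tuples for entries that need a manual look."""
    findings = []
    for e in entries:
        sec, name = e["section"], e["name"]
        if sec == "O4":
            image = effective_image(e["cmd"])
            if "\\" not in image:
                findings.append((sec, name, f"'{image}' has no directory: resolved via PATH at logon, verify which file runs"))
        elif sec == "O20":
            if not e["path"].lower().endswith(".dll"):
                findings.append((sec, name, f"Winlogon Notify path '{e['path']}' is not a DLL; verify the registry value and the file on disk"))
        elif sec == "O23":
            if "(file missing)" in e["path"]:
                findings.append((sec, name, "service still registered but its binary is missing"))
            if e["owner"].lower() == "unknown owner":
                findings.append((sec, name, "no publisher in the binary's version info; verify the file"))
    return findings


if __name__ == "__main__":
    for sec, name, reason in triage(parse_hjt(SAMPLE_HJT_LOG)):
        print(f"{sec:<4} {name}: {reason}")
```

On the sample it reports six items: the two bare-filename Run entries, the WgaLogon notify value, and three service findings (acs.exe twice, TpKmpSVC once). Legitimate vendor software trips the "Unknown owner" check constantly, which is exactly why the output is a worklist for comparison against a known-good copy of the file, not a cleanup list.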
#10
Posted 31 July 2007 - 05:14 AM
--- SUPERAntiSpyware log ---
SUPERAntiSpyware Scan Log
Generated 07/31/2007 at 08:29 AM
Application Version : 3.6.1000
Core Rules Database Version : 3275
Trace Rules Database Version: 1286
Scan type : Complete Scan
Total Scan Time : 06:44:59
Memory items scanned : 542
Memory threats detected : 0
Registry items scanned : 11448
Registry threats detected : 0
File items scanned : 267296
File threats detected : 159
Adware.Tracking Cookie
C:\Documents and Settings\Milan Simic\Cookies\milan_simic@2.adbrite[2].txt
C:\Documents and Settings\Milan Simic\Cookies\milan_simic@ad1.clickhype[1].txt
C:\Documents and Settings\Milan Simic\Cookies\milan_simic@zedo[2].txt
C:\Documents and Settings\Milan Simic\Cookies\milan_simic@bs.serving-sys[1].txt
C:\Documents and Settings\Milan Simic\Cookies\milan_simic@adultadworld[2].txt
C:\Documents and Settings\Milan Simic\Cookies\milan_simic@atdmt[2].txt
C:\Documents and Settings\Milan Simic\Cookies\milan_simic@imrworldwide[2].txt
C:\Documents and Settings\Milan Simic\Cookies\milan_simic@c5.zedo[2].txt
C:\Documents and Settings\Milan Simic\Cookies\milan_simic@serving-sys[2].txt
C:\Documents and Settings\Milan Simic\Cookies\milan_simic@ad.yieldmanager[1].txt
C:\Documents and Settings\Milan Simic\Cookies\milan_simic@ads.adbrite[1].txt
C:\Documents and Settings\Milan Simic\Cookies\milan_simic@fastclick[2].txt
C:\Documents and Settings\Milan Simic\Cookies\milan_simic@statcounter[1].txt
C:\Documents and Settings\Milan Simic\Cookies\milan_simic@ads.urbae[1].txt
C:\Documents and Settings\Milan Simic\Cookies\milan_simic@questionmarket[2].txt
C:\Documents and Settings\Milan Simic\Cookies\milan_simic@specificclick[2].txt
C:\Documents and Settings\Milan Simic\Cookies\milan_simic@www.sexmovies[2].txt
C:\Documents and Settings\Milan Simic\Cookies\milan_simic@3.adbrite[1].txt
C:\Documents and Settings\Milan Simic\Cookies\milan_simic@cs.sexcounter[2].txt
C:\Documents and Settings\Milan Simic\Cookies\milan_simic@cz8.clickzs[2].txt
C:\Documents and Settings\Milan Simic\Cookies\milan_simic@d3.zedo[1].txt
C:\Documents and Settings\Milan Simic\Cookies\milan_simic@vibraporn[1].txt
C:\Documents and Settings\Milan Simic\Cookies\milan_simic@sexmovies[1].txt
C:\Documents and Settings\Milan Simic\Cookies\milan_simic@ads.adgoto[2].txt
C:\Documents and Settings\Milan Simic\Cookies\milan_simic@hitbox[2].txt
C:\Documents and Settings\Milan Simic\Cookies\milan_simic@apmebf[1].txt
C:\Documents and Settings\Milan Simic\Cookies\milan_simic@doubleclick[1].txt
C:\Documents and Settings\Milan Simic\Cookies\milan_simic@mediaplex[1].txt
C:\Documents and Settings\Milan Simic\Cookies\milan_simic@adbrite[2].txt
C:\Documents and Settings\Milan Simic\Cookies\milan_simic@media.top-banners[1].txt
C:\Documents and Settings\Milan Simic\Cookies\milan_simic@www.porntower[1].txt
C:\Documents and Settings\Milan Simic\Cookies\milan_simic@4.adbrite[2].txt
C:\Documents and Settings\Milan Simic\Cookies\milan_simic@ads.k8l[1].txt
C:\Documents and Settings\Milan Simic\Cookies\milan_simic@audit.median[1].txt
C:\Documents and Settings\Milan Simic\Cookies\milan_simic@ehg-webex.hitbox[1].txt
C:\Documents and Settings\Daca\Cookies\daca@112.2o7[2].txt
C:\Documents and Settings\Daca\Cookies\daca@2.adbrite[2].txt
C:\Documents and Settings\Daca\Cookies\daca@247realmedia[1].txt
C:\Documents and Settings\Daca\Cookies\daca@2o7[2].txt
C:\Documents and Settings\Daca\Cookies\daca@ad.yieldmanager[2].txt
C:\Documents and Settings\Daca\Cookies\daca@ad.zanox[2].txt
C:\Documents and Settings\Daca\Cookies\daca@adbrite[2].txt
C:\Documents and Settings\Daca\Cookies\daca@adknowledge[1].txt
C:\Documents and Settings\Daca\Cookies\daca@adlegend[1].txt
C:\Documents and Settings\Daca\Cookies\daca@admarketplace[1].txt
C:\Documents and Settings\Daca\Cookies\daca@adopt.euroclick[2].txt
C:\Documents and Settings\Daca\Cookies\daca@adopt.hbmediapro[2].txt
C:\Documents and Settings\Daca\Cookies\daca@adrevolver[2].txt
C:\Documents and Settings\Daca\Cookies\daca@adrevolver[3].txt
C:\Documents and Settings\Daca\Cookies\daca@ads.cc214142[1].txt
C:\Documents and Settings\Daca\Cookies\daca@ads.lasvegas[1].txt
C:\Documents and Settings\Daca\Cookies\daca@ads.monster[1].txt
C:\Documents and Settings\Daca\Cookies\daca@ads.pointroll[1].txt
C:\Documents and Settings\Daca\Cookies\daca@ads.realcastmedia[1].txt
C:\Documents and Settings\Daca\Cookies\daca@ads.realtechnetwork[1].txt
C:\Documents and Settings\Daca\Cookies\daca@ads.tripod.lycos[2].txt
C:\Documents and Settings\Daca\Cookies\daca@ads.vegas[1].txt
C:\Documents and Settings\Daca\Cookies\daca@ads2.jubii[2].txt
C:\Documents and Settings\Daca\Cookies\daca@adserver[1].txt
C:\Documents and Settings\Daca\Cookies\daca@adtech[2].txt
C:\Documents and Settings\Daca\Cookies\daca@advertising[2].txt
C:\Documents and Settings\Daca\Cookies\daca@americanmedia.us.intellitxt[1].txt
C:\Documents and Settings\Daca\Cookies\daca@apmebf[1].txt
C:\Documents and Settings\Daca\Cookies\daca@as-us.falkag[2].txt
C:\Documents and Settings\Daca\Cookies\daca@atdmt[2].txt
C:\Documents and Settings\Daca\Cookies\daca@atwola[1].txt
C:\Documents and Settings\Daca\Cookies\daca@belnk[1].txt
C:\Documents and Settings\Daca\Cookies\daca@bizrate[1].txt
C:\Documents and Settings\Daca\Cookies\daca@bluestreak[2].txt
C:\Documents and Settings\Daca\Cookies\daca@bs.serving-sys[1].txt
C:\Documents and Settings\Daca\Cookies\daca@burstnet[2].txt
C:\Documents and Settings\Daca\Cookies\daca@c.enhance[1].txt
C:\Documents and Settings\Daca\Cookies\daca@casalemedia[1].txt
C:\Documents and Settings\Daca\Cookies\daca@citi.bridgetrack[2].txt
C:\Documents and Settings\Daca\Cookies\daca@data2.perf.overture[1].txt
C:\Documents and Settings\Daca\Cookies\daca@devart.adbureau[2].txt
C:\Documents and Settings\Daca\Cookies\daca@dist.belnk[2].txt
C:\Documents and Settings\Daca\Cookies\daca@doubleclick[2].txt
C:\Documents and Settings\Daca\Cookies\daca@e-2dj6wjmywod5mfp.stats.esomniture[2].txt
C:\Documents and Settings\Daca\Cookies\daca@edge.ru4[2].txt
C:\Documents and Settings\Daca\Cookies\daca@efashionsolutions.122.2o7[1].txt
C:\Documents and Settings\Daca\Cookies\daca@ehg-bskyb.hitbox[1].txt
C:\Documents and Settings\Daca\Cookies\daca@ehg-communityconnect.hitbox[2].txt
C:\Documents and Settings\Daca\Cookies\daca@ehg-cruisedirect.hitbox[1].txt
C:\Documents and Settings\Daca\Cookies\daca@ehg-hollywood.hitbox[2].txt
C:\Documents and Settings\Daca\Cookies\daca@ehg-mgnlimited.hitbox[1].txt
C:\Documents and Settings\Daca\Cookies\daca@ehg-triseptsoultions.hitbox[1].txt
C:\Documents and Settings\Daca\Cookies\daca@ehg-warnerbrothers.hitbox[2].txt
C:\Documents and Settings\Daca\Cookies\daca@fastclick[2].txt
C:\Documents and Settings\Daca\Cookies\daca@fortunecity[1].txt
C:\Documents and Settings\Daca\Cookies\daca@go.winantivirus[1].txt
C:\Documents and Settings\Daca\Cookies\daca@gostats[2].txt
C:\Documents and Settings\Daca\Cookies\daca@hg1.hitbox[1].txt
C:\Documents and Settings\Daca\Cookies\daca@hitbox[2].txt
C:\Documents and Settings\Daca\Cookies\daca@kanoodle[2].txt
C:\Documents and Settings\Daca\Cookies\daca@login.tracking101[2].txt
C:\Documents and Settings\Daca\Cookies\daca@mathworks.112.2o7[1].txt
C:\Documents and Settings\Daca\Cookies\daca@maxserving[2].txt
C:\Documents and Settings\Daca\Cookies\daca@mediaplex[1].txt
C:\Documents and Settings\Daca\Cookies\daca@metacafe.122.2o7[1].txt
C:\Documents and Settings\Daca\Cookies\daca@msnportal.112.2o7[1].txt
C:\Documents and Settings\Daca\Cookies\daca@overture[1].txt
C:\Documents and Settings\Daca\Cookies\daca@partner2profit[2].txt
C:\Documents and Settings\Daca\Cookies\daca@partygaming.122.2o7[1].txt
C:\Documents and Settings\Daca\Cookies\daca@partypoker[2].txt
C:\Documents and Settings\Daca\Cookies\daca@perf.overture[1].txt
C:\Documents and Settings\Daca\Cookies\daca@phg.hitbox[1].txt
C:\Documents and Settings\Daca\Cookies\daca@polo.112.2o7[1].txt
C:\Documents and Settings\Daca\Cookies\daca@pro-market[1].txt
C:\Documents and Settings\Daca\Cookies\daca@qksrv[1].txt
C:\Documents and Settings\Daca\Cookies\daca@qnsr[2].txt
C:\Documents and Settings\Daca\Cookies\daca@questionmarket[2].txt
C:\Documents and Settings\Daca\Cookies\daca@realmedia[1].txt
C:\Documents and Settings\Daca\Cookies\daca@revenue[1].txt
C:\Documents and Settings\Daca\Cookies\daca@revsci[2].txt
C:\Documents and Settings\Daca\Cookies\daca@rotator.adjuggler[2].txt
C:\Documents and Settings\Daca\Cookies\daca@sales.liveperson[2].txt
C:\Documents and Settings\Daca\Cookies\daca@sel.as-us.falkag[2].txt
C:\Documents and Settings\Daca\Cookies\daca@server.iad.liveperson[2].txt
C:\Documents and Settings\Daca\Cookies\daca@serving-sys[1].txt
C:\Documents and Settings\Daca\Cookies\daca@specificclick[2].txt
C:\Documents and Settings\Daca\Cookies\daca@spylog[1].txt
C:\Documents and Settings\Daca\Cookies\daca@stat.onestat[2].txt
C:\Documents and Settings\Daca\Cookies\daca@statcounter[2].txt
C:\Documents and Settings\Daca\Cookies\daca@stats1.reliablestats[2].txt
C:\Documents and Settings\Daca\Cookies\daca@statse.webtrendslive[1].txt
C:\Documents and Settings\Daca\Cookies\daca@tacoda[2].txt
C:\Documents and Settings\Daca\Cookies\daca@targetnet[1].txt
C:\Documents and Settings\Daca\Cookies\daca@tracker[1].txt
C:\Documents and Settings\Daca\Cookies\daca@tradedoubler[1].txt
C:\Documents and Settings\Daca\Cookies\daca@trafficmp[2].txt
C:\Documents and Settings\Daca\Cookies\daca@tribalfusion[1].txt
C:\Documents and Settings\Daca\Cookies\daca@tripod.lycos[1].txt
C:\Documents and Settings\Daca\Cookies\daca@tripod[1].txt
C:\Documents and Settings\Daca\Cookies\daca@ursulasarcev.sexy-celebrity-photos[1].txt
C:\Documents and Settings\Daca\Cookies\daca@valueclick[1].txt
C:\Documents and Settings\Daca\Cookies\daca@warlog[2].txt
C:\Documents and Settings\Daca\Cookies\daca@www.googleadservices[1].txt
C:\Documents and Settings\Daca\Cookies\daca@www.zanox-affiliate[1].txt
C:\Documents and Settings\Daca\Cookies\daca@xiti[1].txt
C:\Documents and Settings\Daca\Cookies\daca@yadro[2].txt
C:\Documents and Settings\Daca\Cookies\daca@z1.adserver[1].txt
C:\Documents and Settings\Daca\Cookies\daca@zedo[2].txt
C:\Documents and Settings\Emirs\Cookies\emirs@ads.cnn[1].txt
C:\Documents and Settings\Emirs\Cookies\emirs@advertising[1].txt
C:\Documents and Settings\Emirs\Cookies\emirs@atdmt[2].txt
C:\Documents and Settings\Emirs\Cookies\emirs@cnn.122.2o7[1].txt
C:\Documents and Settings\Emirs\Cookies\emirs@doubleclick[2].txt
C:\Documents and Settings\Emirs\Cookies\emirs@msnportal.112.2o7[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.k8l[1].txt
C:\Documents and Settings\Test Usr\Cookies\test usr@atdmt[1].txt
C:\Documents and Settings\Test Usr\Cookies\test usr@doubleclick[1].txt
C:\Documents and Settings\Test Usr\Cookies\test usr@msnportal.112.2o7[1].txt
C:\Documents and Settings\Test Usr\Cookies\test usr@questionmarket[1].txt
C:\Documents and Settings\Test Usr\Cookies\test usr@serving-sys[2].txt
C:\Documents and Settings\Test Usr\Cookies\test usr@statse.webtrendslive[1].txt
Adware.k8l
C:\PROGRAM FILES\WINDOWS NT\XUMEMA.HTML
Unclassified.Unknown Origin
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\HIJACKTHIS\BACKUPS\BACKUP-20070729-195300-651.DLL.VIR
Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WNSINTCC.EXE.VIR
------
--- HiJackThis log after SUPERAntiSpyware scan ---
Logfile of HijackThis v1.99.1
Scan saved at 13:01:17 PM, on 7/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
c:\program files\business objects change notificator\businessobjectschangenotificator.process.exe
C:\Program Files\IBM\Security\uvmserv.exe
C:\WINDOWS\System32\ibmsmbus.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Common Files\Microsoft Shared\MSSearch\Bin\mssearch.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IBM\Security\certtool.exe
C:\Program Files\IBM\Password Manager\pwmgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\IBM\Bluetooth Software\BTTray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Microsoft Web Test Recorder Helper - {62355041-605D-4469-84FD-5D66ED67A7E3} - C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [FRYMXINS] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ISS_Certtool] C:\Program Files\IBM\Security\certtool.exe
O4 - HKLM\..\Run: [IBM_PWMGR] C:\Program Files\IBM\Password Manager\pwmgr.exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler\Fiddler.exe" (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\Downlo~1\MyWebEx\419\mwmie.dll
O9 - Extra 'Tools' menuitem: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\WINDOWS\Downlo~1\MyWebEx\419\mwmie.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D69485C-EAB1-42AE-93C1-B5A53F238C5A} (FileInterface Class) - https://online.banca...ilDLL/FSINT.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120655925379
O16 - DPF: {76326493-E84F-4D4B-939C-1E07B50037F2} (ProxyModule Class) - https://online.banca...LL/SGCMSCCD.DLL
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pc.mywebexpc.com/pc/mywebex/tool/sy...eck/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AB90BB4-63DE-410D-ADBF-B1BDFBE775EE}: NameServer = 82.117.194.2,82.117.194.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{84C7BC31-4BA7-4F8A-BED7-825B6E9FF991}: NameServer = 82.117.194.2,82.117.194.3
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Business Objects Change Notificator Service - Ivan Celeketic, Emir Sadikovic, Milan Simic - c:\program files\business objects change notificator\businessobjectschangenotificator.process.exe
O23 - Service: IBM User Verification Manager - IBM - C:\Program Files\IBM\Security\uvmserv.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: SMBus Upgrade Service for Windows 2000 and above (ibmsmbus) - International Business Machines Corp. - C:\WINDOWS\System32\ibmsmbus.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server FullText Search (THINKPADSQL2005) (msftesql$THINKPADSQL2005) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:THINKPADSQL2005 (file missing)
O23 - Service: SQL Server Analysis Services (THINKPADSQL2005) (MSOLAP$THINKPADSQL2005) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe" -s "C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\Config (file missing)
O23 - Service: MSSQL$MSDE - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MSDE\Binn\sqlservr.exe" -sMSDE (file missing)
O23 - Service: SQL Server (THINKPADSQL2005) (MSSQL$THINKPADSQL2005) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sTHINKPADSQL2005 (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SQLAgent$MSDE - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MSDE\Binn\sqlagent.EXE" -i MSDE (file missing)
O23 - Service: SQL Server Agent (THINKPADSQL2005) (SQLAgent$THINKPADSQL2005) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE" -i THINKPADSQL2005 (file missing)
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
------
#11
Posted 31 July 2007 - 05:19 AM
However, I have noted two things.
In Internet Explorer, when I do not have an internet connection and I try to browse somewhere, I get "http:///" in the URL address instead of the one I pointed to when Internet Explorer gives up. Isn't this a symptom that some browser hijacker was here? Can I revert this to its previous state?
The second thing is that my Windows Explorer (explorer.exe) sometimes refreshes itself, which is reflected in the icons on the screen, so the whole screen flickers for a second. I have never seen this behaviour before.
Let me know.
Thanks a million for your assistance!
ngm
#12
Posted 31 July 2007 - 06:04 PM
For your first question, that does not always mean it is a browser hijacker. It could be just a setting that has been changed by yourself by accident. So let's try resetting your settings to default. You can do this as follows.
- Close any Internet Explorer or Windows Explorer windows that are currently open.
- Open Internet Explorer by clicking the Start button , and then clicking Internet Explorer.
- Click the Tools button, and then click Internet Options.
- Click the Advanced tab, and then click Reset.
- In the Reset Internet Explorer Settings dialog box, click Reset.
- When Internet Explorer finishes restoring the settings, click Close, and then click OK.
- Close Internet Explorer.
As for your second question, I have never heard of that Windows Explorer problem. Let me ask a more knowledgeable person in that area who might be able to help you.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1)Please double-click OTMoveIt.exe to run it.
- Click the Clean up button
- Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
- Click NO to the reboot, and just delete the OTMoveIt program from your desktop
This program is for XP and Windows 2000 only
- Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
- Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
- Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
3)Please do an online scan with Kaspersky WebScanner
Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
- The program will launch and then begin downloading the latest definition files:
- Once the files have been downloaded click on NEXT
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
- Extended (if available otherwise Standard)
- Scan Options:
- Scan Archives
- Scan Mail Bases
- Select My Computer
- Now click on the Save as Text button:
#13
Posted 02 August 2007 - 04:04 AM
Sorry for delay, but it took almost 24 hrs to scan my hard drive.
Here's the Kaspersky Online Scanner report:
--- Kaspersky Online Scanner report ---
KASPERSKY ONLINE SCANNER REPORT
Thursday, August 02, 2007 11:54:30 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 1/08/2007
Kaspersky Anti-Virus database records: 370281
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 277395
Number of viruses found 13
Number of infected objects 40 / 0
Number of suspicious objects 0
Duration of the scan process 23:39:09
Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\emir\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\emir\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Milan Simic\3.tmp Infected: Trojan-Clicker.Win32.Costrat.au skipped
C:\Documents and Settings\Milan Simic\Application Data\$_hpcst$.hpc Object is locked skipped
C:\Documents and Settings\Milan Simic\Application Data\Skype\simic_milan\call256.dbb Object is locked skipped
C:\Documents and Settings\Milan Simic\Application Data\Skype\simic_milan\callmember256.dbb Object is locked skipped
C:\Documents and Settings\Milan Simic\Application Data\Skype\simic_milan\chat1024.dbb Object is locked skipped
C:\Documents and Settings\Milan Simic\Application Data\Skype\simic_milan\chat2048.dbb Object is locked skipped
C:\Documents and Settings\Milan Simic\Application Data\Skype\simic_milan\chat256.dbb Object is locked skipped
C:\Documents and Settings\Milan Simic\Application Data\Skype\simic_milan\chat512.dbb Object is locked skipped
C:\Documents and Settings\Milan Simic\Application Data\Skype\simic_milan\chatmember256.dbb Object is locked skipped
C:\Documents and Settings\Milan Simic\Application Data\Skype\simic_milan\chatsync\86\8631deba015dac6d.dat Object is locked skipped
C:\Documents and Settings\Milan Simic\Application Data\Skype\simic_milan\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\Milan Simic\Application Data\Skype\simic_milan\dyncontent\bundle.dat Object is locked skipped
C:\Documents and Settings\Milan Simic\Application Data\Skype\simic_milan\index2.dat Object is locked skipped
C:\Documents and Settings\Milan Simic\Application Data\Skype\simic_milan\profile1024.dbb Object is locked skipped
C:\Documents and Settings\Milan Simic\Application Data\Skype\simic_milan\sms256.dbb Object is locked skipped
C:\Documents and Settings\Milan Simic\Application Data\Skype\simic_milan\sms512.dbb Object is locked skipped
C:\Documents and Settings\Milan Simic\Application Data\Skype\simic_milan\transfer256.dbb Object is locked skipped
C:\Documents and Settings\Milan Simic\Application Data\Skype\simic_milan\transfer512.dbb Object is locked skipped
C:\Documents and Settings\Milan Simic\Application Data\Skype\simic_milan\user1024.dbb Object is locked skipped
C:\Documents and Settings\Milan Simic\Application Data\Skype\simic_milan\user16384.dbb Object is locked skipped
C:\Documents and Settings\Milan Simic\Application Data\Skype\simic_milan\user4096.dbb Object is locked skipped
C:\Documents and Settings\Milan Simic\Application Data\Skype\simic_milan\voicemail256.dbb Object is locked skipped
C:\Documents and Settings\Milan Simic\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Milan Simic\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\Milan Simic\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\Milan Simic\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Milan Simic\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Milan Simic\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Milan Simic\Local Settings\Temp\WCESLog.log Object is locked skipped
C:\Documents and Settings\Milan Simic\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Milan Simic\My Documents\Downloads\Windows XP Genuine Advangtage No-patch activation kit.zip/WGA Crack/WGA Crack/Keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Milan Simic\My Documents\Downloads\Windows XP Genuine Advangtage No-patch activation kit.zip/WGA Crack/WGA Crack/Keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Milan Simic\My Documents\Downloads\Windows XP Genuine Advangtage No-patch activation kit.zip/WGA Crack/WGA Crack/Keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Milan Simic\My Documents\Downloads\Windows XP Genuine Advangtage No-patch activation kit.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Milan Simic\My Documents\My Archives\Hacking & Phreaking\BRUTE20.ZIP/FBRUTE.EXE Infected: not-a-virus:PSWTool.Win32.Bruter skipped
C:\Documents and Settings\Milan Simic\My Documents\My Archives\Hacking & Phreaking\BRUTE20.ZIP ZIP: infected - 1 skipped
C:\Documents and Settings\Milan Simic\My Documents\My Archives\Installs\IBM ThinkPad R50p Drivers & Tools\TOOLS\APPS\RRPC\RRPC\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE/HOTVIEW.EXE Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\Documents and Settings\Milan Simic\My Documents\My Archives\Installs\IBM ThinkPad R50p Drivers & Tools\TOOLS\APPS\RRPC\RRPC\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE/VNCHOOKS.DLL Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\Documents and Settings\Milan Simic\My Documents\My Archives\Installs\IBM ThinkPad R50p Drivers & Tools\TOOLS\APPS\RRPC\RRPC\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\Documents and Settings\Milan Simic\My Documents\My Archives\Installs\IBM ThinkPad R50p Drivers & Tools\TOOLS\APPS\RRPC\RRPC\superinstall.EXE ZIP: infected - 3 skipped
C:\Documents and Settings\Milan Simic\My Documents\My Archives\Installs\Kaspersky Anti-Virus v6.0.0.304\Kaspersky.Antivirus.6.0.0.304.rar/Kaspersky Antivirus 6.0.0.304 TM/kav6.0.0.304en.exe Infected: not-a-virus:Monitor.Win32.Ardamax.k skipped
C:\Documents and Settings\Milan Simic\My Documents\My Archives\Installs\Kaspersky Anti-Virus v6.0.0.304\Kaspersky.Antivirus.6.0.0.304.rar RAR: infected - 1 skipped
C:\Documents and Settings\Milan Simic\My Documents\My Archives\Installs\Magical Jelly Bean Keyfinder v1.41\keyfinder.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Milan Simic\My Documents\My Archives\Installs\Magical Jelly Bean Keyfinder v1.41\keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Milan Simic\My Documents\My Archives\Installs\Magical Jelly Bean Keyfinder v1.41\keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Milan Simic\My Documents\My Archives\Installs\Magical Jelly Bean Keyfinder v1.41\keyfinder.exe RarSFX: infected - 3 skipped
C:\Documents and Settings\Milan Simic\My Documents\My Archives\Installs\Magical Jelly Bean Keyfinder v1.51\Keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Milan Simic\My Documents\My Archives\Installs\Magical Jelly Bean Keyfinder v1.51\Keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Milan Simic\My Documents\My Archives\Installs\Magical Jelly Bean Keyfinder v1.51\Keyfinder.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Milan Simic\My Documents\My Archives\Installs\Quick Keylogger 2.1\Crack\qpanel - uncracked.exe Infected: not-a-virus:Monitor.Win32.QuickKeyLogger.d skipped
C:\Documents and Settings\Milan Simic\My Documents\My Archives\Installs\Quick Keylogger 2.1\Crack\qpanel.exe Infected: not-a-virus:Monitor.Win32.QuickKeyLogger.a skipped
C:\Documents and Settings\Milan Simic\My Documents\My Archives\Installs\Quick Keylogger 2.1\qk_setup.exe Infected: not-a-virus:Monitor.Win32.QuickKeyLogger.d skipped
C:\Documents and Settings\Milan Simic\My Documents\My Archives\Installs\Windows Genuine Advantage Validation\WGA Crack\Keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Milan Simic\My Documents\My Archives\Installs\Windows Genuine Advantage Validation\WGA Crack\Keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Milan Simic\My Documents\My Archives\Installs\Windows Genuine Advantage Validation\WGA Crack\Keyfinder.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Milan Simic\My Documents\My Archives\Installs\XP Advanced Keylogger v2.5\XP.Advanced.Keylogger.v2.5.WinAll.Cracked-CRD.rar/XP.Advanced.Keylogger.v2.5.WinAll.Cracked-CRD/crd-akla.zip/crd-akla.rar/Setup.zip/Setup/xpadvancedkeylogger.exe/file08 Infected: not-a-virus:Client-SMTP.Win32.JMail.43 skipped
C:\Documents and Settings\Milan Simic\My Documents\My Archives\Installs\XP Advanced Keylogger v2.5\XP.Advanced.Keylogger.v2.5.WinAll.Cracked-CRD.rar/XP.Advanced.Keylogger.v2.5.WinAll.Cracked-CRD/crd-akla.zip/crd-akla.rar/Setup.zip/Setup/xpadvancedkeylogger.exe Infected: not-a-virus:Client-SMTP.Win32.JMail.43 skipped
C:\Documents and Settings\Milan Simic\My Documents\My Archives\Installs\XP Advanced Keylogger v2.5\XP.Advanced.Keylogger.v2.5.WinAll.Cracked-CRD.rar/XP.Advanced.Keylogger.v2.5.WinAll.Cracked-CRD/crd-akla.zip/crd-akla.rar/Setup.zip Infected: not-a-virus:Client-SMTP.Win32.JMail.43 skipped
C:\Documents and Settings\Milan Simic\My Documents\My Archives\Installs\XP Advanced Keylogger v2.5\XP.Advanced.Keylogger.v2.5.WinAll.Cracked-CRD.rar/XP.Advanced.Keylogger.v2.5.WinAll.Cracked-CRD/crd-akla.zip/crd-akla.rar Infected: not-a-virus:Client-SMTP.Win32.JMail.43 skipped
C:\Documents and Settings\Milan Simic\My Documents\My Archives\Installs\XP Advanced Keylogger v2.5\XP.Advanced.Keylogger.v2.5.WinAll.Cracked-CRD.rar/XP.Advanced.Keylogger.v2.5.WinAll.Cracked-CRD/crd-akla.zip Infected: not-a-virus:Client-SMTP.Win32.JMail.43 skipped
C:\Documents and Settings\Milan Simic\My Documents\My Archives\Installs\XP Advanced Keylogger v2.5\XP.Advanced.Keylogger.v2.5.WinAll.Cracked-CRD.rar RAR: infected - 5 skipped
C:\Documents and Settings\Milan Simic\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Milan Simic\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\THINKPAD\ASPNET\Local Settings\Application Data\ApplicationHistory\83c5c6a7.bf16b455.ini.inuse Object is locked skipped
C:\Documents and Settings\THINKPAD\ASPNET\Local Settings\Application Data\ApplicationHistory\aspnet_wp.exe.bf16b455.ini.inuse Object is locked skipped
C:\Documents and Settings\THINKPAD\ASPNET\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\THINKPAD\ASPNET\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\THINKPAD\ASPNET\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\THINKPAD\ASPNET\ntuser.dat.LOG Object is locked skipped
C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped
C:\Program Files\ESET\cache\FND0.NFI Infected: Trojan-Downloader.Win32.Delf.asz skipped
C:\Program Files\ESET\infected\FRTX23BA.NQF Infected: Trojan-Downloader.Win32.Delf.asz skipped
C:\Program Files\ESET\infected\KBAKXPBA.NQF Infected: Rootkit.Win32.Agent.dw skipped
C:\Program Files\ESET\infected\S0Z1EFBA.NQF Infected: Rootkit.Win32.Agent.ey skipped
C:\Program Files\ESET\logs\virlog.dat Object is locked skipped
C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\AdventureWorksDW_Data.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\AdventureWorksDW_Log.LDF Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\AdventureWorks_Data.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\AdventureWorks_Log.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\DocManExpress_Data.MDF Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\DocManExpress_Log.LDF Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\Eventer_Data.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\Eventer_Log.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\ReportServer$DocManExpress.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\ReportServer$DocManExpressTempDB.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\ReportServer$DocManExpressTempDB_log.LDF Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\ReportServer$DocManExpress_log.LDF Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\ReportServer$THINKPADSQL2005.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\ReportServer$THINKPADSQL2005TempDB.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\ReportServer$THINKPADSQL2005TempDB_log.LDF Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\ReportServer$THINKPADSQL2005_log.LDF Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\WFMyData.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\WFMyData_log.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\WFState.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\WFState_log.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\FTData\OCRContentFT\MssearchCatalogDir 010001.wid Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\FTData\OCRContentFT\MssearchCatalogDir 010002.ci Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\FTData\OCRContentFT\MssearchCatalogDir 010002.wid Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\FTData\OCRContentFT\MssearchCatalogDir 010002.wsb Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\FTData\OCRContentFT\MssearchCatalogDir\CiPT0000.000 Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\FTData\OCRContentFT\MssearchCatalogDir\INDEX.000 Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\FTData\OCRContentFT\MssearchCatalogDir\Used0000.000 Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_308.trc Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\SQLFT0000700006.LOG Object is locked skipped
C:\Program Files\XP Advanced Keylogger\DLLs\jmail.dll Infected: not-a-virus:Client-SMTP.Win32.JMail.43 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{A24E4522-5FDC-4278-A77B-E7E52C26854F}\RP4\change.log Object is locked skipped
C:\WINDOWS\CSC 000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{2F4018DE-C648-4A9E-A150-023F1FF48E8D}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\MsDtc\MSDTC.LOG Object is locked skipped
C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log Object is locked skipped
C:\WINDOWS\system32\qlib.dll Infected: not-a-virus:Monitor.Win32.QuickKeyLogger.c skipped
C:\WINDOWS\system32\qpanel.exe Infected: not-a-virus:Monitor.Win32.QuickKeyLogger.a skipped
C:\WINDOWS\system32\qutils.dll Infected: not-a-virus:Monitor.Win32.QuickKeyLogger.b skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_2bc.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
------
#14
Posted 02 August 2007 - 04:07 AM
Best Regards!
ngm
#15
Posted 02 August 2007 - 05:01 PM
Sorry to hear about the really long scan, must have been a lot of files.
I am not sure whether you intentionally downloaded the following folders, or they were downloaded due to your infections. If they were intentionally downloaded, I HIGHLY RECOMMEND you never do so again. Besides the fact of it being illegal, it is also the reason your system was so infected in the first place.
Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):
C:\Documents and Settings\Milan Simic\My Documents\Downloads\Windows XP Genuine Advangtage No-patch activation kit.zip
C:\Documents and Settings\Milan Simic\My Documents\My Archives\Hacking & Phreaking
C:\Documents and Settings\Milan Simic\My Documents\My Archives\Installs\Kaspersky Anti-Virus v6.0.0.304
C:\Documents and Settings\Milan Simic\My Documents\My Archives\Installs\Magical Jelly Bean Keyfinder v1.41
C:\Documents and Settings\Milan Simic\My Documents\My Archives\Installs\Quick Keylogger 2.1
C:\Documents and Settings\Milan Simic\My Documents\My Archives\Installs\Windows Genuine Advantage Validation
C:\Documents and Settings\Milan Simic\My Documents\My Archives\Installs\XP Advanced Keylogger v2.5
Please post a fresh HJT log after deleting the above folders. Also, are you still receiving that explorer.exe problem?
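The reply above collapses a long scan report into a short list of files and folders to act on: nested archive members are folded back to the file that actually sits on disk, "not-a-virus" riskware is separated from real malware, and the many "Object is locked" lines are set aside as noise. As an added example (not code from this thread, from Geeks to Go, or from Kaspersky), here is a small Python script that does that triage over report lines of the shape posted in #13. The line formats are inferred from that report; the sample input is constructed from a few of its lines; and the rule that the first "/" in a path marks the boundary between an archive on disk and its members is an assumption based on how the report writes nested archives.

```python
"""Triage a Kaspersky Online Scanner text report.

Added example, not code from the forum thread or from Kaspersky. The three
line shapes handled here are taken from the report posted in the thread:
  <path> Object is locked skipped
  <path> Infected: <detection name> skipped
  <archive> <KIND>: infected - <N> skipped
"""
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied in the shape of the posted report.
SAMPLE_REPORT = r"""
C:\Documents and Settings\emir\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Milan Simic\3.tmp Infected: Trojan-Clicker.Win32.Costrat.au skipped
C:\Documents and Settings\Milan Simic\My Documents\My Archives\Hacking & Phreaking\BRUTE20.ZIP/FBRUTE.EXE Infected: not-a-virus:PSWTool.Win32.Bruter skipped
C:\Documents and Settings\Milan Simic\My Documents\My Archives\Hacking & Phreaking\BRUTE20.ZIP ZIP: infected - 1 skipped
C:\Program Files\ESET\infected\KBAKXPBA.NQF Infected: Rootkit.Win32.Agent.dw skipped
C:\WINDOWS\system32\qpanel.exe Infected: not-a-virus:Monitor.Win32.QuickKeyLogger.a skipped
Scan process completed.
"""

# Paths contain spaces, so each pattern is anchored on its fixed trailing text.
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<kind>\w+): infected - (?P<count>\d+) skipped$")


def on_disk_file(path):
    """Return the file that exists on disk for a report path.

    Assumption: Windows paths use backslashes, and the report writes members of
    an archive as '<archive on disk>/<member>/<nested member>', so everything
    before the first '/' is the real file.
    """
    return path.split("/", 1)[0]


def triage(report_text):
    """Sort report lines into malware, riskware, locked objects and archive summaries."""
    result = {"malware": [], "riskware": [], "locked": [], "containers": {}}
    for line in report_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOCKED_RE.match(line)
        if m:
            result["locked"].append(m.group("path"))
            continue
        m = INFECTED_RE.match(line)
        if m:
            name = m.group("name")
            entry = (on_disk_file(m.group("path")), m.group("path"), name)
            # Kaspersky prefixes tools it considers riskware rather than malware.
            bucket = "riskware" if name.startswith("not-a-virus:") else "malware"
            result[bucket].append(entry)
            continue
        m = CONTAINER_RE.match(line)
        if m:
            result["containers"][m.group("path")] = int(m.group("count"))
    return result


def files_to_review(result):
    """Collapse nested archive hits to distinct on-disk files, with the detections seen in each."""
    files = defaultdict(set)
    for bucket in ("malware", "riskware"):
        for disk, _member, name in result[bucket]:
            files[disk].add(name)
    return {path: sorted(names) for path, names in files.items()}


def check_container_counts(result):
    """Cross-check each '<KIND>: infected - N' summary against the member hits parsed.

    Returns {archive: (reported, parsed)} for any archive where the two differ,
    which usually means a report line was truncated or mangled when pasted.
    """
    parsed = defaultdict(int)
    for bucket in ("malware", "riskware"):
        for disk, member, _name in result[bucket]:
            if member != disk:  # only hits inside an archive count toward its summary
                parsed[disk] += 1
    return {path: (n, parsed.get(path, 0))
            for path, n in result["containers"].items() if parsed.get(path, 0) != n}


if __name__ == "__main__":
    r = triage(SAMPLE_REPORT)
    print("malware :", len(r["malware"]), "| riskware:", len(r["riskware"]),
          "| locked (ignored):", len(r["locked"]))
    for path, names in sorted(files_to_review(r).items()):
        print(path, "->", ", ".join(names))
    print("summary mismatches:", check_container_counts(r))
```

Run on the full report from #13, `files_to_review` yields exactly the kind of per-file list the reply works from, and `check_container_counts` flags archives whose "infected - N" summary does not match the member lines, a quick way to spot a report that was cut short when pasted into a post.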