CastleCops :: View topic - [IN PROGRESS]infected!!!!

[IN PROGRESS]infected!!!!
Goto page 1, 2 Next
CastleCops -> Trend Micro HijackThis Logs

Author: ivansga, Location: Mexico

Posted: Mon May 12, 2008 10:23 pm Post subject: infected!!!!

hi my name is ivan, well i got infected after turning off zonealarm because it would not let me connect to the internet.

after i scaned with zonealarm virtumonde and some other virus came up but zonealarm cant clean em they keep coming back even after safe mode clean up with the windows restore turned off. i get pop ups adverticing anti-virus and free scans(didnt run them of course) but its getting really anoying, my browser is really slow. please help

this is my hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:08:17 PM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [BMf3075b31] Rundll32.exe "C:\WINDOWS\system32\uhupbnqb.dll",s
O4 - HKLM\..\Run: [f03468ad] rundll32.exe "C:\WINDOWS\system32\udmdirvb.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe
O4 - HKLM\..\Policies\Explorer\Run: [rare] C:\Program Files\Video ActiveX Access\imsmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178623426421
O22 - SharedTaskScheduler: biocomputing - {98ca7898-6029-41ab-8f67-ea4f5e1afc22} - C:\WINDOWS\system32\myqlejy.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Giga Pocket\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Giga Pocket\RM_SV.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Giga Pocket\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7041 bytes

Author: Prince_Serendip,

Posted: Wed May 14, 2008 6:46 pm Post subject:

You're Ready for cleaning. Thumbs Up

At CastleCops we screen all HijackThis logs for errors, out-of-date versions, unupdated operating systems, omissions and P2P applications; getting you [READY] for cleaning by our 1st Responders and Security Experts. Now you wait for one of them to come help you.

Author: ivansga, Location: Mexico

Posted: Thu May 15, 2008 11:56 pm Post subject:

ok ill be waiting, thank you

Author: MauriceN,

Posted: Fri May 16, 2008 6:23 pm Post subject:

Hello Ivansga and welcome to CC forums.

I will be your handler. Please follow my directions and do not do any other programs, utilities, nor do any free-surfing while we attempt to clear your pc. Yours has several pieces of malware.

This will take several rounds of cleaning.

Also, have plenty of patience while each utility program is running. Do the following first steps:

Let's turn off some real-time monitors, which will interfere with cleanup tools.
ZoneAlarm's OS Firewall
Go to the Program tab, then click "Main".
Press the first "Custom" button from the top.
Uncheck (to disable or un-checkmark) "Enable OS Firewall".
Click OK.

>
1. Set Windows to show all files and all folders.
Bring up Windows Explorer / Tools / Folder Options/ select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

2. Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.

This program is for XP and Windows 2000 and Vista

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
- Click Firefox at the top and choose: Select All
- Click the Empty Selected button.
- NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
- Click Opera at the top and choose: Select All
- Click the Empty Selected button.
- NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

ATF-Cleaner should be run per the above in every user-login account {User Profile}

For Technical Support, double-click the e-mail address located at the bottom of each menu.
=
3. Important! => Open Notepad > Click on Format > Uncheck Word wrap, if checked. Exit Notepad.

3.b Visit Malwareteks.com for the IE Defender fix.
Go to http://www.malwareteks.com/FixIEDef.php

Scroll down to bottom of the page. See sections marked Instructions. Follow the instructions.
>
4. Please download & save Malwarebytes Anti-Malware from Here or Here
Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform FULL Scan, then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & Paste the entire report in a new reply as soon as it has finished.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

5. Download Deckard's System Scanner: http://www.techsupportforum.com/sectools/Deckard/dss.exe

Close all applications and windows.
Double-click on dss.exe to run the application; follow the prompts.
When the scan is completed, a text file named Main.txt will open. Please save this file, then close Notepad.
The folder C:\Deckard also will open. This folder will contain another text file named Extra.txt. Please save this file to your desktop, too, then exit Notepad.

Note: Your firewall may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

6. Please perform this online scan: F-Secure Online Scanner

The online scanner is on the bottom right of the page.
Follow the directions in the F-Secure page for proper Installation.
You may receive an alert on the address bar at this point to install the ActiveX control.
Click on that alert and then click "Install ActiveX component".
Read the license agreement and click "Accept".
Click "Custom Scan" and be sure the following are checked:

Scan whole System
Scan all files
Scan whole system for rootkits
Scan whole system for spyware
Scan inside archives
Use advanced heuristics

When the scan completes, click the "I want to decide item by item" button.
For each item found, Select "Disinfect" and click "Next".
When done, click the "Show Report" button, then copy and paste the entire report into your next reply
>
In a reply to this thread, please post (in order):

the MBAM report and
the contents of Main.txt and Extra.txt (from above),
the F-Secure report.

Be sure to do a Preview prior to pressing reply because all reports may not fit into 1 single reply. You'll likely have to do more than 1 reply.

This will get us started on seeing what malware may be on this system.
There will be more to do after these preliminary steps.

Author: MauriceN,

Posted: Fri May 16, 2008 10:32 pm Post subject:

After you have finished all the steps above, then do these:

Close all browsers and Instant Messenger windows/applications then scan with HijackThis (HJT). Check to following entries, if found now, then click on FIX CHECKED:

Quote:

O4 - HKLM\..\Run: [BMf3075b31] Rundll32.exe "C:\WINDOWS\system32\uhupbnqb.dll",s
O4 - HKLM\..\Run: [f03468ad] rundll32.exe "C:\WINDOWS\system32\udmdirvb.dll",b

Close& Exit Hijackthis.
>
Download the Killbox utility program.
Save it to the Desktop.

Let's setup KILLBOX (which you downloaded & saved earlier).

* Please double-click on Killbox.exe to run it.

* Click on Tools > Delete Temp Files

* Check the following options:

Temporary Internet Files
Temp Files
XP Prefetch

If you want to delete Cookies, History, and list of recent files (MRU), run you may also check these boxes now.

* Click on Delete Selected Temp Files

Exclamation

NB: Repeat for each User Account by selecting each account in the C:\Documents and Settings\username dropdown box.

* Exit by clicking on Exit (Save Settings), returning to the main Killbox window.

* Select Delete on Reboot.

* Open the Notepad.
Copy all of the file paths below (CTRL+A, CTRL+C) and paste (CTRL+V) them into Notepad:

Code:

C:\WINDOWS\system32\uhupbnqb.dll
C:\WINDOWS\system32\udmdirvb.dll

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Press/Select"All Files" (button)

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt.

Notes:

Killbox will let you know if a file does not exist.
If you have any issues with this Paste from Clipboard method, you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? you will need to click No until the last one at which time you click yes to allow the reboot

Then let me know the results.
Also, do a new HijackThis Scan and Save. Reply with the new HJT report.

Author: ivansga, Location: Mexico

Posted: Tue May 20, 2008 7:41 am Post subject:

First of all I am so sorry but i was out for the weekend and could not check my mail. Also, I want to thank you so much for responding and helping me, i will follow the steps and reply as soon as im done with it. thanks so much again. God bless

Author: MauriceN,

Posted: Tue May 20, 2008 8:01 am Post subject:

OK. I had posted two replies. Make sure you do all of the first. And only after that, do all of the second.

Author: ivansga, Location: Mexico

Posted: Tue May 20, 2008 7:40 pm Post subject:

im on this step,3.b Visit Malwareteks.com for the IE Defender fix.
Go to http://www.malwareteks.com/FixIEDef.php but the link takes to a page that sais error 404- not found what shall i do? by the way happy aniversary!!!

Author: MauriceN,

Posted: Tue May 20, 2008 8:15 pm Post subject:

I'm getting the same error just now. Not sure why the website or webpage is not there (at this time).

Skip just that particular step, and do proceed onward with the steps that follow, for Malwarebytes Anti-Malware and all the rest.

Author: ivansga, Location: Mexico

Posted: Wed May 21, 2008 4:25 am Post subject:

here is the log

Malwarebytes' Anti-Malware 1.12
Database version: 770

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 108278
Time elapsed: 22 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 38
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\qoMdcYqq.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\vtUlIbcY.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0cae758c-24a3-401c-8d63-01e58c913b8f} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{0cae758c-24a3-401c-8d63-01e58c913b8f} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\acroiehelper.video (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{5cf87193-fd1e-4400-863d-fd9afc5f402f} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{48d78be5-cfb9-4b66-9ac4-96d4cf21de06} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{74d46bba-5638-473a-83b6-97e7804a7411} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{057299d6-7edb-47b8-934c-ed17535a501c} (Trojan.Zlob) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{1c54613a-a5ec-461b-9643-6f18598036a8} (Trojan.Zlob) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{321fe2f3-d621-4fc2-97e6-f03b1e106163} (Trojan.Zlob) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{3510aa0d-c620-42a7-bca4-5424e887bfbe} (Trojan.Zlob) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{3e4fbca2-cf8f-4897-ac8b-ad3fb68dd794} (Trojan.Zlob) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{423e470a-efec-4b61-80df-7cebaea33912} (Trojan.Zlob) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{465cd1ab-1a0e-4644-a818-4eea483137f1} (Trojan.Zlob) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{48f5a09e-1f9a-45f6-9028-d3d4af690727} (Trojan.Zlob) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{9946c825-9e64-4cbb-99c3-d853a4ccb6d5} (Trojan.Zlob) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{9b3f8419-b82f-439c-8d5c-0cf7b9ae00aa} (Trojan.Zlob) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{aef1cb9f-75c1-43d0-944d-773beb807c4e} (Trojan.Zlob) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{bdabfcde-65ab-4fd8-9dd5-b250cabdc4b2} (Trojan.Zlob) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{d74eb6f1-1c83-4d06-9dac-b6be82c5fe70} (Trojan.Zlob) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{eebd5970-8e94-4e4d-a2c8-124cb9b5ebac} (Trojan.Zlob) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{f928fa33-fdf8-4332-a626-ca9f7d12e5ad} (Trojan.Zlob) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{ffa41a18-f50e-459e-80b7-6ea78ad9d365} (Trojan.Zlob) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{3fb89201-04de-4430-b5c6-fd57ea654e56} (Trojan.Zlob) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{c3f37eca-a8d9-4633-92c6-fe24c7d16aba} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3f37eca-a8d9-4633-92c6-fe24c7d16aba} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vtulibcy (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\Software\MediaHoldings (Adware.PlayMP3Z) -> No action taken.
HKEY_CURRENT_USER\Software\Mirar (AdWare.Mirar) -> No action taken.
HKEY_CURRENT_USER\Software\PlayMP3 (Adware.PlayMP3Z) -> No action taken.
HKEY_CURRENT_USER\Software\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\fbrowsingadvisor_is1 (Trojan.FBrowsingAdvisor) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\AppID\AcroIEHelper.dll (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{c3f37eca-a8d9-4633-92c6-fe24c7d16aba} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f03468ad (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMf3075b31 (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\user32.dll (Trojan.Zlob) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\qomdcyqq -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\qomdcyqq -> No action taken.

Folders Infected:
C:\Program Files\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> No action taken.
C:\Program Files\FBrowserAdvisor (Trojan.FBrowsingAdvisor) -> No action taken.

Files Infected:
C:\WINDOWS\system32\qoMdcYqq.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\qqYcdMoq.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\qqYcdMoq.ini2 (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\vtUlIbcY.dll (Trojan.Vundo) -> No action taken.
C:\Program Files\FBrowsingAdvisor\XPCOMEvents.dll (Trojan.FBrowsingAdvisor) -> No action taken.
C:\Program Files\Mozilla Firefox\regxpcom.exe (Trojan.FBrowsingAdvisor) -> No action taken.
C:\WINDOWS\AcroIEHelper.dll (Trojan.FakeAlert) -> No action taken.
C:\Program Files\FBrowsingAdvisor\IXPCOMEvents.xpt (Trojan.FBrowsingAdvisor) -> No action taken.
C:\Program Files\FBrowsingAdvisor\Logo.png (Trojan.FBrowsingAdvisor) -> No action taken.
C:\Program Files\FBrowsingAdvisor\main.db (Trojan.FBrowsingAdvisor) -> No action taken.
C:\Program Files\FBrowsingAdvisor\unins000.dat (Trojan.FBrowsingAdvisor) -> No action taken.
C:\Program Files\FBrowsingAdvisor\unins000.exe (Trojan.FBrowsingAdvisor) -> No action taken.

Author: ivansga, Location: Mexico

Posted: Wed May 21, 2008 4:32 am Post subject:

Deckard's System Scanner v20071014.68
Run by IVAN GONZALEZ on 2008-05-20 23:08:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.

-- Last 1 Restore Point(s) --
1: 2008-05-21 04:08:48 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

System Drive C: has 2.17 GiB (less than 15%) free.

-- HijackThis (run as IVAN GONZALEZ.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:03 PM, on 5/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\IVAN GONZALEZ\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\IVAN GONZALEZ.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A178511E-E76E-4779-B379-46064ADBA1C4} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {C3F37ECA-A8D9-4633-92C6-FE24C7D16ABA} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178623426421
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Giga Pocket\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Giga Pocket\RM_SV.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Giga Pocket\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7913 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080512-165922-111 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20080512-165922-193 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
backup-20080512-165922-194 O3 - Toolbar: Protection Bar - {29C5A3B6-9A8D-4FA0-B5AD-3E20F4AA5C00} - C:\Program Files\Video ActiveX Access\iesbpl.dll (file missing)
backup-20080512-165922-224 O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
backup-20080512-165922-828 O4 - HKLM\..\Run: [PKVOLUME] C:\Program Files\PKVolume\PKVOLUME.exe
backup-20080512-165922-861 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
backup-20080512-165923-764 O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
backup-20080513-161658-152 O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - AutoCADScriptFile - shell\open\command - "C:\WINDOWS\system32\NOTEPAD.EXE" "%1"

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>

S3 GENERICDRV - c:\docume~1\ivango~1\locals~1\temp\pft2e.tmp\amifldrv.sys (file missing)
S3 usbbus (LGE CDMA Composite USB Device) - c:\windows\system32\drivers\lgusbbus.sys <Not Verified; LG Electronics Inc.; LG CDMA USB Multi function Driver>
S3 UsbDiag (LGE CDMA USB Serial Port) - c:\windows\system32\drivers\lgusbdiag.sys <Not Verified; LG Electronics Inc.; LG CDMA USB Diagnostics Driver>
S3 USBModem (LGE CDMA USB Modem) - c:\windows\system32\drivers\lgusbmodem.sys <Not Verified; LG Electronics Inc.; LG CDMA USB Modem Driver>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe

S4 iPod Service - "c:\program files\ipod\bin\ipodservice.exe" (file missing)

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\16DBE528004603
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\16DBE528004603
Service: NIC1394

Class GUID: {6BDD1FC5-810F-11D0-BEC7-08002BE2092F}
Description: Serial Cable using IrDA Protocol
Device ID: ROOT\INFRARED\0000
Manufacturer: (Standard Infrared Port)
Name: Serial Cable using IrDA Protocol
PNP Device ID: ROOT\INFRARED\0000
Service: irsir

-- Scheduled Tasks -------------------------------------------------------------

2008-05-20 22:34:00 256 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job

-- Files created between 2008-04-20 and 2008-05-20 -----------------------------

2008-05-20 17:42:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-05-20 14:25:57 0 d-------- C:\Documents and Settings\IVAN GONZALEZ\Application Data\Malwarebytes
2008-05-20 14:25:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-20 14:25:44 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-20 13:47:13 0 dr-h----- C:\Documents and Settings\IVAN GONZALEZ\Recent
2008-05-13 16:48:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-13 16:37:11 2112 --a------ C:\WINDOWS\system32\rmwncfpb.exe
2008-05-12 16:34:25 2112 --a------ C:\WINDOWS\system32\jgmipiwx.exe
2008-05-12 16:18:06 0 d-------- C:\Program Files\Trend Micro
2008-05-12 01:37:27 0 d-------- C:\Documents and Settings\Administrator\Application Data\MailFrontier
2008-05-12 01:36:06 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-12 01:35:30 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-12 01:35:30 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-12 01:35:30 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-12 01:35:30 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-05-12 01:35:30 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-05-12 01:35:30 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-05-12 01:35:30 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-12 01:35:30 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-05-12 01:35:30 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-05-12 01:35:30 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-12 01:35:30 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real
2008-05-12 01:35:30 0 d-------- C:\Documents and Settings\Administrator\Application Data\MSN6
2008-05-12 01:35:30 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-05-12 01:35:30 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-05-12 01:35:30 0 d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-05-12 01:35:30 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-05-12 01:35:30 0 d-------- C:\Documents and Settings\Administrator\Application Data\Help
2008-05-12 01:35:30 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-05-12 01:35:29 1310720 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-05-10 05:48:11 2112 --a------ C:\WINDOWS\system32\amvdrycu.exe
2008-05-09 05:48:11 2112 --a------ C:\WINDOWS\system32\nqpdocto.exe
2008-05-08 19:12:54 0 d-------- C:\VundoFix Backups
2008-05-08 18:24:20 0 d-------- C:\Documents and Settings\IVAN GONZALEZ\Application Data\Uniblue
2008-05-08 14:23:18 0 d-------- C:\Documents and Settings\IVAN GONZALEZ\Application Data\MailFrontier
2008-05-08 05:51:28 2112 --a------ C:\WINDOWS\system32\yljypvpc.exe
2008-05-07 05:53:28 2112 --a------ C:\WINDOWS\system32\paasxwyw.exe
2008-05-06 17:41:19 281600 -----n--- C:\WINDOWS\system32\qoMdcYqq.dll
2008-05-06 17:36:15 38400 -----n--- C:\WINDOWS\system32\vtUlIbcY.dll
2008-05-02 20:43:35 0 d-------- C:\Program Files\SurfingAdvisor
2008-04-30 08:57:05 0 dr-hs---- C:\Recycled

-- Find3M Report ---------------------------------------------------------------

2008-05-20 13:42:45 512 --a------ C:\ScanSectorLog.dat
2008-05-19 13:38:40 4212 --ah----- C:\WINDOWS\system32\zllictbl.dat
2008-05-13 16:38:03 0 d-------- C:\Program Files\Yahoo!
2008-05-12 00:03:08 0 d-------- C:\Program Files\PowerISO
2008-05-08 18:13:41 0 d-------- C:\Program Files\LimeWire
2008-05-08 14:12:37 0 d-------- C:\Documents and Settings\IVAN GONZALEZ\Application Data\uTorrent
2008-05-05 10:59:00 0 d-------- C:\Program Files\Windows Live Safety Center
2008-05-02 20:38:46 0 d-------- C:\Documents and Settings\IVAN GONZALEZ\Application Data\LimeWire
2008-04-29 22:13:46 84088 --a------ C:\Documents and Settings\IVAN GONZALEZ\Application Data\GDIPFONTCACHEV1.DAT
2008-04-18 02:22:52 0 d-------- C:\Program Files\epson
2008-04-16 01:39:38 0 d-------- C:\Program Files\Google
2008-04-15 19:56:30 0 d-------- C:\Program Files\Java
2008-04-09 11:13:56 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-08 12:16:11 0 d-------- C:\Program Files\Online Services
2008-03-22 22:41:38 0 d-------- C:\Program Files\Skype
2008-03-22 22:41:37 0 d-------- C:\Program Files\Common Files
2008-03-22 22:37:44 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-03-22 22:35:45 0 d-------- C:\Program Files\Sony
2008-03-20 18:24:27 0 d-------- C:\Program Files\Guitar Pro 5

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A178511E-E76E-4779-B379-46064ADBA1C4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C3F37ECA-A8D9-4633-92C6-FE24C7D16ABA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [08/20/2002 12:29 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/22/2006 12:22 PM]
"nwiz"="nwiz.exe" [10/22/2006 12:22 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/22/2006 12:22 PM]
"VAIO Recovery"="C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe" [04/20/2003 12:08 AM]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [12/03/2007 03:21 PM]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [03/01/2007 03:57 PM]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [03/14/2008 06:50 PM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/09/2007 01:02 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [10/13/2004 11:24 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [12/13/2007 08:10 PM]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [08/30/2007 06:43 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [11/03/2006 11:02 AM]
"ccleaner"="C:\Program Files\CCleaner\CCleaner.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [11/8/2007 9:33:14 AM]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Remocon Driver.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Remocon Driver.lnk
backup=C:\WINDOWS\pss\Remocon Driver.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Timer Recording Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Timer Recording Manager.lnk
backup=C:\WINDOWS\pss\Timer Recording Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGEIA PhysX SysTray]
C:\Program Files\AGEIA Technologies\TrayIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CreateCD_Reminder]
C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
C:\WINDOWS\System32\ezSP_Px.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mozilla Quick Launch]
"C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /installquiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
"C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSurvey]
c:\program files\sony\vaio survey\surveysa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZTgServerSwitch]
c:\program files\support.com\client\lserver\server.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZZZ]
C:\WINDOWS\Sonysys\Eflyer\EFlyer_Popup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46867bee-f235-11db-9e12-000c6e3e4508}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(&0)\command- H:\Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af76ce77-3970-11dc-9e6b-000c6e3e4508}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{afef6370-4f44-11dc-9e74-000c6e3e4508}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(&0)\command- H:\Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e8086afc-eefe-11db-9e0d-000c6e3e4508}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

-- End of Deckard's System Scanner: finished at 2008-05-20 23:10:49 ------------

Author: ivansga, Location: Mexico

Posted: Wed May 21, 2008 4:33 am Post subject:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 2.60GHz
CPU 1: Intel(R) Pentium(R) 4 CPU 2.60GHz
Percentage of Memory in Use: 49%
Physical Memory (total/avail): 511.36 MiB / 258.67 MiB
Pagefile Memory (total/avail): 1250.57 MiB / 1064.09 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1934.16 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 15.01 GiB total, 2.17 GiB free.
D: is Fixed (NTFS) - 54.86 GiB total, 31.1 GiB free.
E: is CDROM (No Media)
F: is CDROM (CDFS)
G: is Removable (No Media)
H: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST380011A - 74.53 GiB - 3 partitions
\PARTITION0 - Unknown - 4.66 GiB
\PARTITION1 (bootable) - Installable File System - 15.01 GiB - C:
\PARTITION2 - Extended w/Extended Int 13 - 54.86 GiB - D:

\\.\PHYSICALDRIVE1 - Memory Stick Slot

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FW: ZoneAlarm Security Suite Firewall v7.0.337.000 (Check Point, LTD.) Disabled
AV: ZoneAlarm Security Suite Antivirus v7.0.337.000 (Check Point, LTD.) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\empires2.exe"="C:\\Program Files\\Microsoft Games\\Age of Empires II\\empires2.exe:*:Enabled:Age of Empires II"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"D:\\program files\\LimeWire\\LimeWire.exe"="D:\\program files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"D:\\program files\\BitDownload\\BitDownload.exe"="D:\\program files\\BitDownload\\BitDownload.exe:*:Enabled:Warez3"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"="C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe:*:Enabled:TrueVector Service"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\IVAN GONZALEZ\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=VALUED-ECECF7F4
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\IVAN GONZALEZ
LOGONSERVER=\\VALUED-ECECF7F4
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\QuickTime\QTSystem\;"C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier";C:\Program Files\Common Files\Nero\Lib\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\IVANGO~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\IVANGO~1\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=VALUED-ECECF7F4
USERNAME=IVAN GONZALEZ
USERPROFILE=C:\Documents and Settings\IVAN GONZALEZ
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

IVAN GONZALEZ (admin)
Administrator (admin)

-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {09DA4F91-2A09-4232-AB8C-6BC740096DE3}
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {8214CC02-6271-4DC8-B8DD-779933450264}
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> D:\program files\ConverterUninstall.exe /CONVERTER
--> MsiExec.exe /I{9A346205-EA92-4406-B1AB-50379DA3F057}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> MsiExec.exe /X{BB65C393-C76E-4F06-9B0C-2124AA8AF97B}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop CS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}\setup.exe" -l0x9
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log
Adobe SVG Viewer 3.0 --> C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
Agere Systems AC'97 Modem --> agrsmdel
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AutoCAD 2008 - English --> C:\Program Files\AutoCAD 2008\Setup\Setup.exe /P {5783F2D7-6001-0409-0002-0060B0CE6BBA} /M ACAD
Autodesk DWF Viewer 7 --> MsiExec.exe /I{9A346205-EA92-4406-B1AB-50379DA3F057}
BSPlayer --> "C:\Program Files\Webteh\BSPlayer\uninstall.exe"
Click to DVD 1.2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7C2F71B2-6C73-11D6-B659-00C04F790F76}\setup.exe"
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
DivX --> D:\program files\DivXCodecUninstall.exe /CODEC
DivX Converter --> D:\program files\ConverterUninstall.exe /CONVERTER
DivX Player --> D:\program files\DivXPlayerUninstall.exe /PLAYER
DivX Subtitle Displayer 5.00 --> "C:\Program Files\DivX Subtitle Displayer\unins000.exe"
DVD Creation --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF005ABC-1422-4BEC-91C4-DD5935E56AAA}\setup.exe"
DVgate Plus --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{685BCC47-B8EC-45EC-BBCE-77DF2451502C}\setup.exe"
EPSON Scan --> C:\Program Files\epson\escndv\setup\setup.exe /r
Form Fill (Windows Live Toolbar) --> MsiExec.exe /X{548B3DC6-2300-47E1-BA7B-74AD25F8DEBF}
Giga Pocket 5.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{59C61B54-2123-4B0E-8D5F-5DD1C7AE5421}\Setup.exe"
Giga Pocket Hardware Library 5.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0D490016-5D01-4CB3-A037-55814AC63D2E}\Setup.exe"
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Guitar Pro 5.2 --> "C:\Program Files\Guitar Pro 5\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Home Office Page for Experience VAIO --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{374E48BA-CBC1-4134-86B9-7A97B0E76B2E}\setup.exe"
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel(R) Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Intel(R) PRO Network Adapters and Drivers --> Prounstl.exe
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
Java 2 Runtime Environment, SE v1.4.0_03 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC1E4C93-C1E7-11D6-9D10-00010240CE95}\Setup.exe" Anytext
Java Web Start --> "C:\Program Files\Java Web Start\uninst-javaws.exe"
Java(TM) 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
lacan --> C:\WINDOWS\uninst.exe -fd:\DeIsL1.isu -cd:\_ISREG32.DLL
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Map Button (Windows Live Toolbar) --> MsiExec.exe /X{7745B7A9-F323-4BB9-9811-01BF57A028DA}
Memory Stick Formatter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{27337663-2619-11D4-99DC-0000F49094C7}\setup.exe" -l0x9 /UNINSTALL
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MP3 Player Utilities 3.61 --> MsiExec.exe /I{7784A172-61F1-445E-8368-601607E0DD22}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Music Visualizer Library 1.4.00 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3B24B725-D81F-442D-8CE5-2AF05A4A4CC9}\setup.exe" -l0x9
Nero 8 --> MsiExec.exe /X{5FCCD531-1B38-4A94-924C-127F722F1033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Network Smart Capture --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{30642CE1-217B-40C0-92E2-6BF849599D9E}\setup.exe" -l0x9
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
OnDemand5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5F7DFDFA-27B3-4E06-BCDE-B371424C0032}\setup.exe" -l0x9
OneCare Advisor (Windows Live Toolbar) --> MsiExec.exe /X{53B2CFE9-A508-4457-B2CA-5D253536BFB7}
OpenMG Limited Patch 3.2-03-02-21-08 --> C:\Program Files\Common Files\Sony Shared\OpenMG\HotFixes\HotFix3.2-03-02-21-08\HotFixSetup\setup.exe /u
OpenMG Limited Patch 3.2-03-02-25-01 --> C:\Program Files\Common Files\Sony Shared\OpenMG\HotFixes\HotFix3.2-03-02-25-01\HotFixSetup\setup.exe /u
OpenMG Secure Module 3.2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{62F33B80-6244-4A70-A233-0DA13B640364}\Setup.exe" -l0x9 UNINSTALL
PictureGear Studio 1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{27C5164D-ED0E-4D64-B788-93305BD62100}\setup.exe"
Popup Blocker (Windows Live Toolbar) --> MsiExec.exe /X{66A7A386-6F35-41A7-A731-101F0C0153C8}
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
Project64 1.6 --> MsiExec.exe /X{9559F7CA-5E34-4237-A2D9-D856464AD727}
PsicoDicc --> D:\Uninstal.exe
QuickTime --> MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328}
RealOne Player --> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
Room Arranger --> "D:\Room Arranger\uninstall.exe"
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Sibelius Scorch --> MsiExec.exe /I{51C65CD6-A344-41B5-81E2-3CCAC8024F68}
Smart Menus (Windows Live Toolbar) --> MsiExec.exe /X{F084395C-40FB-4DB3-981C-B51E74E1E83D}
SonicStage 1.5.50 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{71D6CE84-B7DC-4166-8E0D-56C1C37BFB5A}\setup.exe" -l0x9 UNINSTALL
Sony Certificate PCH --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0448678-1203-4158-A58F-B3D0B616BF9E}\setup.exe"
Sony Video Shared Library --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6990A2BF-D1D2-11D3-81BC-00609789C908}\setup.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SurfingAdvisor --> C:\Program Files\SurfingAdvisor\uninstall.exe
System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe
Tabbed Browsing (Windows Live Toolbar) --> MsiExec.exe /X{47FBF7F9-FBD3-43EF-823B-7684D56C1962}
VAIO Help and Support --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{E68B38DE-D7DD-4FB3-A453-3F03A947EA8E}
VAIO Media 2.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1EB317D8-8945-4FD6-B37F-DF470317C6AB}\setup.exe" -l0x9 UNINSTALL
VAIO Media Music Server 2.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DF733005-0F40-11D6-9254-0000F460E7A9}\setup.exe" -l0x9 UNINSTALL
VAIO Media Photo Server 2.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E30D77F-CE1B-4674-8AFB-0DE22E5AC3A8}\setup.exe" -l0x9
VAIO Media Platform 2.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DF0DD6E9-F673-4466-8353-70B50A506FD9}\setup.exe"
VAIO Media Redistribution 2.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7128C69B-8F7E-4336-8698-3FD3CDD955EC}\setup.exe" -l0x9 UNINSTALL
VAIO Media Setup 2.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CCAC48E4-4B4D-43CB-ABB5-E817E39873B3}\setup.exe" -l0x9
VAIO Media Video Server 2.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63C6BABD-0BF7-488B-9AB5-B989E23CC581}\Setup.exe"
VAIO Registration --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{315BA29D-2644-4760-B5FD-5AC04A52B8C5}
VAIO Remote Commander Utility 5.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4570E5E0-62A2-48BD-87F3-EB7232EC4558}\Setup.exe"
VAIO Support --> "c:\program files\support.com\client\bin\tgfix.exe" /rm /nq
VAIO Survey Standalone --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{FA11D5B5-7D0A-43E8-88C4-960F97B194DE}
VAIO System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CD7D5804-C157-48A6-AEE0-4A40A4B5C054}\setup.exe"
VAIO TV Page --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CC763DAB-9DC6-4992-B952-ACF563D6F7E1}\setup.exe"
VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
Veo Advanced Connect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C44CB060-2AD1-11D6-BC84-00D0B7E10CD1}\SETUP.EXE"
Veo Digital Studio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45AEEA61-04F8-11D6-8B35-0080C8F5C4AA}\setup.exe"
VERITAS RecordNow --> MsiExec.exe /I{8214CC02-6271-4DC8-B8DD-779933450264}
VERITAS RecordNow Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Live Outlook Toolbar (Windows Live Toolbar) --> MsiExec.exe /X{35E1A8C8-6646-4101-B0AA-42D1EB2AB3AE}
Windows Live Sign-in Assistant --> MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}
Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar --> MsiExec.exe /X{D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar Extension (Windows Live Toolbar) --> MsiExec.exe /X{341201D4-4F61-4ADB-987E-9CCE4D83A58D}
Windows Live Toolbar Feed Detector (Windows Live Toolbar) --> MsiExec.exe /X{68108E66-D13A-4EE8-A6F4-40E4B90C2A26}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe
ZoneAlarm Security Suite --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe

-- Application Event Log -------------------------------------------------------

Event Record #/Type7031 / Error
Event Submitted/Written: 05/13/2008 05:18:37 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application spybotsd.exe, version 1.5.2.20, faulting module , version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [spybotsd.exe!ws!]

Event Record #/Type7028 / Error
Event Submitted/Written: 05/13/2008 03:37:39 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.40413, faulting module xpcomevents.dll, version 0.0.0.0, fault address 0x0000a192.
Processing media-specific event for [firefox.exe!ws!]

Event Record #/Type7004 / Error
Event Submitted/Written: 05/10/2008 06:05:38 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.40413, faulting module unknown, version 0.0.0.0, fault address 0x01521568.
Processing media-specific event for [firefox.exe!ws!]

Event Record #/Type6980 / Error
Event Submitted/Written: 05/08/2008 03:07:49 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.40413, faulting module nss3.dll, version 3.11.5.0, fault address 0x000306df.
Processing media-specific event for [firefox.exe!ws!]

Event Record #/Type6979 / Error
Event Submitted/Written: 05/08/2008 03:02:42 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.40413, faulting module nss3.dll, version 3.11.5.0, fault address 0x000306df.
Processing media-specific event for [firefox.exe!ws!]

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type43364 / Warning
Event Submitted/Written: 05/20/2008 11:10:37 PM
Event ID/Source: 257 / PlugPlayManager
Event Description:
Timed out sending notification of target device change to window of "WndClass_CWinDrivesNotifyerHelperWindow"

Event Record #/Type43363 / Warning
Event Submitted/Written: 05/20/2008 11:10:37 PM
Event ID/Source: 257 / PlugPlayManager
Event Description:
Timed out sending notification of target device change to window of "WndClass_CWinDrivesNotifyerHelperWindow"

Event Record #/Type43362 / Warning
Event Submitted/Written: 05/20/2008 11:10:37 PM
Event ID/Source: 257 / PlugPlayManager
Event Description:
Timed out sending notification of target device change to window of "WndClass_CWinDrivesNotifyerHelperWindow"

Event Record #/Type43361 / Warning
Event Submitted/Written: 05/20/2008 11:10:37 PM
Event ID/Source: 257 / PlugPlayManager
Event Description:
Timed out sending notification of target device change to window of "WndClass_CWinDrivesNotifyerHelperWindow"

Event Record #/Type43360 / Warning
Event Submitted/Written: 05/20/2008 11:10:37 PM
Event ID/Source: 257 / PlugPlayManager
Event Description:
Timed out sending notification of target device change to window of "WndClass_CWinDrivesNotifyerHelperWindow"

-- End of Deckard's System Scanner: finished at 2008-05-20 23:10:49 ------------

Author: ivansga, Location: Mexico

Posted: Wed May 21, 2008 1:54 pm Post subject:

Scanning Report
Tuesday, May 20, 2008 23:24:37 - 08:35:20

Computer name: VALUED-ECECF7F4
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\
Result: 10 malware found
Suspicious_F.gen (virus)

* C:\Program Files\WinRAR\winrar.3.x-universal.patch.exe (Submitted)

Tracking Cookie (spyware)

* System

Trojan:W32/LowZones.EN (virus)

* System
* C:\WINDOWS\system32\amvdrycu.exe
* C:\WINDOWS\system32\jgmipiwx.exe
* C:\WINDOWS\system32\nqpdocto.exe
* C:\WINDOWS\system32\paasxwyw.exe
* C:\WINDOWS\system32\rmwncfpb.exe
* C:\WINDOWS\system32\yljypvpc.exe

Vundo.gen38 (virus)

* C:\WINDOWS\system32\riuxcrsl.ini

Statistics
Scanned:

* Files: 388473
* System: 5362
* Not scanned: 185

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 10
* Submitted: 1

Files not scanned:

* PxIBERFIL.SYS C:\PAGEFILE.SYS
* C:\SCANSECTORLOG.DAT
* C:\WINDOWS\SYSTEM32\BIOS1.ROM
* C:\WINDOWS\SYSTEM32\DRIVERS\FIDBOX.DAT
* C:\WINDOWS\SYSTEM32\DRIVERS\FIDBOX.IDX
* C:\WINDOWS\SYSTEM32\DRIVERS\FIDBOX2.DAT
* C:\WINDOWS\SYSTEM32\DRIVERS\FIDBOX2.IDX
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPLICATION DATA\MOZILLA\PROFILES\DEFAULT\RZIHJMCZ.SLT\CACHE\_CACHE_001_
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPLICATION DATA\MOZILLA\PROFILES\DEFAULT\RZIHJMCZ.SLT\CACHE\_CACHE_002_
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPLICATION DATA\MOZILLA\PROFILES\DEFAULT\RZIHJMCZ.SLT\CACHE\_CACHE_003_
* C:\WINDOWS\SYSTEM32\CATROOT2\EDB.LOG
* C:\WINDOWS\SYSTEM32\CATROOT2\TMP.EDB
* C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\901d98c899726f2d1e49c234329550a9\BIT9.tmp\update\update.exe
* C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\901d98c899726f2d1e49c234329550a9\BIT9.tmp\update\update.exe
* C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\901d98c899726f2d1e49c234329550a9\BIT9.tmp\update\updspapi.dll
* C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\901d98c899726f2d1e49c234329550a9\BIT9.tmp\update\update_SP2GDR.inf
* C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\901d98c899726f2d1e49c234329550a9\BIT9.tmp\update\update_SP2QFE.inf
* C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\901d98c899726f2d1e49c234329550a9\BIT9.tmp\update\update_SP1QFE.inf
* C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\901d98c899726f2d1e49c234329550a9\BIT9.tmp\update\update.url
* C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\901d98c899726f2d1e49c234329550a9\BIT9.tmp\update\update.ver
* C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\901d98c899726f2d1e49c234329550a9\BIT9.tmp\update\spcustom.dll
* C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\901d98c899726f2d1e49c234329550a9\BIT9.tmp\update\eula.txt
* C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\901d98c899726f2d1e49c234329550a9\BIT9.tmp\update\updatebr.inf
* C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\901d98c899726f2d1e49c234329550a9\BIT9.tmp\update\branches.inf
* C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\901d98c899726f2d1e49c234329550a9\BIT9.tmp\update\KB896428.cat
* C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\901d98c899726f2d1e49c234329550a9\BIT9.tmp\WindowsXP-KB896428-x86-ENU.psm
* C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\6d23b8f719dc5412ac7aeb7db3387c36\BIT1.tmp\spmsg.dll
* C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\6d23b8f719dc5412ac7aeb7db3387c36\BIT1.tmp\spuninst.exe
* C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\6d23b8f719dc5412ac7aeb7db3387c36\BIT1.tmp\update\update.exe
* C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\6d23b8f719dc5412ac7aeb7db3387c36\BIT1.tmp\update\updspapi.dll
* C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\6d23b8f719dc5412ac7aeb7db3387c36\BIT1.tmp\update\update_SP2GDR.inf
* C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\6d23b8f719dc5412ac7aeb7db3387c36\BIT1.tmp\update\update_SP2QFE.inf
* C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\6d23b8f719dc5412ac7aeb7db3387c36\BIT1.tmp\update\update_SP1QFE.inf
* C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\6d23b8f719dc5412ac7aeb7db3387c36\BIT1.tmp\update\update.url
* C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\6d23b8f719dc5412ac7aeb7db3387c36\BID��
* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\SCANSECTORLOG.DAT
* C:\WINDOWS\SYSTEM32\BIOS1.ROM
* C:\WINDOWS\SYSTEM32\DRIVERS\FIDBOX.DAT
* C:\WINDOWS\SYSTEM32\DRIVERS\FIDBOX.IDX
* C:\WINDOWS\SYSTEM32\DRIVERS\FIDBOX2.DAT
* C:\WINDOWS\SYSTEM32\DRIVERS\FIDBOX2.IDX
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
* C:\WINDOWS\SYST�\

Options
Scanning engines:

* F-Secure USS: 2.30.0
* F-Secure Hydra: 2.8.8110, 2008-05-20
* F-Secure AVP: 7.0.171, 2008-05-21
* F-Secure Pegasus: 1.20.0, 2008-04-14
* F-Secure Blacklight: 1.0.68

Scanning options:

* Scan all files
* Scan inside archives
* Use Advanced heuristics

Author: MauriceN,

Posted: Wed May 21, 2008 3:09 pm Post subject:

Hello Ivan,

The malwareteks website is back to normal (I just checked now). Do not know what happened the other day.
But please go there and get and apply the fix
The latest version is 1.3.14.4280

Download:
Use this URL to Download the latest version:
http://downloads.malwareteks.com/FixIEDef.exe

Mirrors: Alternate official download locations for FixIEDef.exe
http://it-mate.co.uk/downloads/fixiedef/fixiedef.exe
http://hosts-file.net/download/fixiedef/fixiedef.exe
http://avant.it-mate.co.uk/?c=Download&f=Tools/FixIEDef
http://archives.mysteryfcm.co.uk/?f=Security/AntiMalware/Antispyware/FixIEDef

Instructions:
Download FixIEDef.exe by ShadowPuterDude to the Desktop.

Double-click FixIEDef. Click 'OK' at the "About IEDef" message window.
At the next window, press "Scan"
Press OK at the alert message window.

WARNING: FixIEDef will kill all copies of Internet Explorer and Explorer that are running, during removal of malicious files. The icons and Start Menu on your Desktop will not be visible while FixIEDef is removing malicious files. This is necessary to remove parts of the infection that would otherwise not be removed.

Click Exit once FixIEDef displays the All Finished message.

Reply with contents of the FixIEDef log file, located on the Desktop.

Author: MauriceN,

Posted: Wed May 21, 2008 4:24 pm Post subject:

Ivan,

Do this next, but only after FIXIEDef run from above.

This system has several trojans onboard, Zlob infections, and that's only after a very quick review. Let me make some observations first.
I only wished you'd run MBAM very early on. It noted several Vundo trojans. I can't tell now if you had selected the removal option. But, be that as it may .... do not delay in taking prompt actions that I suggest, since removing malware will take several passes, and more important the security of the pc is at definite risk.

For sure, do NOT do any free-wheeling web surfing. Minimize your online usage to only this forum and the websites I guide you to.

Consider that your personal information has been compromised, and your passwords lifted. So at some point (not on this pc though, while it is dirty) you'll need to change all your passwords. If you did any online shopping with credit cards, or did online banking, watch your statements very closely, and advise your bank you may be at risk for fraud.

There's an app which is really a trojan, "Browsing Advisor", that needs to be removed. Let's see if I can get you to take the first stab at it.
Bring up Control Panel, then Add-Remove Programs. Wait for the list of installed apps to populate the screen.
Look for Browsing Advisor, and de-install it. Close Add-Remove & Control Panel when done. If it it not there, let me know later, but continue on with the next steps.
>
Start Killbox . We're going to use it to delete some obvious trojans.
* Click on Tools > Delete Temp Files

* Check the following options:

Temporary Internet Files
Temp Files
XP Prefetch

If you want to delete Cookies, History, and list of recent files (MRU), run you may also check these boxes now.

* Click on Delete Selected Temp Files

Exclamation

Code:

C:\WINDOWS\system32\amvdrycu.exe
C:\WINDOWS\system32\jgmipiwx.exe
C:\WINDOWS\system32\nqpdocto.exe
C:\WINDOWS\system32\paasxwyw.exe
C:\WINDOWS\system32\rmwncfpb.exe
C:\WINDOWS\system32\yljypvpc.exe
C:\WINDOWS\system32\riuxcrsl.ini
C:\WINDOWS\system32\qoMdcYqq.dll
C:\WINDOWS\system32\vtUlIbcY.dll

Killbox will let you know if a file does not exist.
If you have any issues with this Paste from Clipboard method, you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? you will need to click No until the last one at which time you click yes to allow the reboot

Then let me know the results.
>
Next, we will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

CastleCops -> Trend Micro HijackThis Logs

All times are GMT

Goto page 1, 2 Next Page 1 of 2