Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan:win32/vundo.gen!q


  • Please log in to reply
21 replies to this topic

#1 iMotivation

iMotivation

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:04:40 PM

Posted 02 July 2008 - 10:51 PM

I downloaded a torrent file from btjunkie.org. The torrents name is "ImTOO iPod Computer Transfer v1 0 50 0928 Incl Keygen-ViRiLiTY". I then installed the file "ipod-computer-transfer.exe", which is 6MB. However, right at that moment the following happened prior to my being able to actually click the located where I wanted the program installed.

This is when I started to have the following problems, which occured and I discovered in this order:
1) Windows Defender identified a "severe threat" called "Trojan:WIN32/Vundo.gen!Q".
-My Response: I did a Quick Scan and it found nothing. I then did a Full Scan and it found the above mentioned "Trojan..." I tried to Quarantine/Deleted the threat, but Windows Defender could not, as it alerted me with an "Error message" indicating that it could quarantine/deleted the Trojan.

2) Windows Security Alerts then alerted me that I my Automatic Updating was not configured.
-My Response: I simply tried to set the Automatic Updates to recommended automatic update. Windows was unable to do this, I am assuming this is due to the Trojan.

To help fix my problem I followed the following steps from thisposted forum <http://www.atribune.org/forums/index.php?showtopic=4512> . Below are the steps I have done up to this point and I need further assistance, please.

1) Disabled my wireless, Windows Defender, Symantec Anti-Virus, Windows Firewall
2) Downloaded/Ran "ATF Cleaner" by Atribune from the link provided in the forum post mentioned above.
3) Downloaded/Installed/Ran the program "ComboFix" (I have the log.)
Note: Upon restart, this notice from Windows popped up/I have never seen it before: "Error loading C:\Windows\System32\svofevow.dll The specified module could not be found." The title of the window is "RunDLL".
4) Then I scanned "My Computer" using the Kaspersky Online Scanner (as suggested by this site.) (I have the log as well.)
*Note: I did uninstall the version of Sun Runtime Java Environment that I had, and installed the latest version from the site v6.6.
5) Then I downloaded/Ran Deckard's System Scanner (DSS). (I have the log.)
6) I have now enabled all the items that I disabled in step one above.

Here are the DSS reports: main.txt & extra.txt

Deckard's System Scanner v20071014.68
Run by Relax on 2008-07-02 19:53:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
5: 2008-07-02 21:30:26 UTC - RP385 - Installed Java™ 6 Update 6
4: 2008-07-02 21:28:32 UTC - RP384 - Removed Java™ SE Runtime Environment 6
3: 2008-07-02 20:31:43 UTC - RP383 - ComboFix created restore point
2: 2008-07-02 17:24:39 UTC - RP382 - Removed Nomad Jukebox Zen NX
1: 2008-07-02 16:29:14 UTC - RP380 - Last known good configuration


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Relax.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:55:23 PM, on 7/2/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Toshiba\Utilities\KeNotify.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Users\Relax\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Relax.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/accounts/ServiceLogi...mp;ltmplcache=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9272 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 SRTSPL - c:\windows\system32\drivers\srtspl.sys <Not Verified; Symantec Corporation; AutoProtect>
S4 KR10I - c:\windows\system32\drivers\kr10i.sys <Not Verified; TOSHIBA CORPORATION; TOSHIBA RAID>
S4 KR10N - c:\windows\system32\drivers\kr10n.sys <Not Verified; TOSHIBA CORPORATION; TOSHIBA RAID>
S4 KR3NPXP - c:\windows\system32\drivers\kr3npxp.sys <Not Verified; TOSHIBA CORPORATION; TOSHIBA RAID>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 CFSvcs (ConfigFree Service) - c:\program files\toshiba\configfree\cfsvcs.exe <Not Verified; TOSHIBA CORPORATION; ConfigFree™>
R2 TNaviSrv (TOSHIBA Navi Support Service) - c:\program files\toshiba\toshiba dvd player\tnavisrv.exe <Not Verified; TOSHIBA Corporation; TOSHIBA DVD Player>
R2 TODDSrv (TOSHIBA Optical Disc Drive Service) - c:\windows\system32\toddsrv.exe <Not Verified; TOSHIBA Corporation; TDCSrv Application>

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-06-02 and 2008-07-02 -----------------------------

2008-07-02 17:30:55 0 d-------- C:\Program Files\Common Files\Java
2008-07-02 16:35:45 53248 --a------ C:\Windows\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-07-02 16:31:13 68096 --a------ C:\Windows\zip.exe
2008-07-02 16:31:13 161792 --a------ C:\Windows\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-02 16:31:13 98816 --a------ C:\Windows\sed.exe
2008-07-02 16:31:13 80412 --a------ C:\Windows\grep.exe
2008-07-02 16:31:12 49152 --a------ C:\Windows\VFind.exe
2008-07-02 16:31:12 136704 --a------ C:\Windows\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-02 16:31:12 89504 --a------ C:\Windows\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-02 16:31:02 212480 --a------ C:\Windows\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-02 13:32:52 0 d-------- C:\Program Files\Trend Micro
2008-07-02 13:13:49 0 d-------- C:\Program Files\iPod Access for Windows
2008-07-01 17:41:41 0 d-------- C:\Program Files\TezLink Agent
2008-07-01 17:22:17 0 d-------- C:\Users\Relax\SuperSync
2008-07-01 17:08:17 0 dr------- C:\Users\Guest\Searches
2008-07-01 17:08:08 0 dr------- C:\Users\Guest\Contacts
2008-07-01 17:07:56 0 d--hs---- C:\Users\Guest\Templates
2008-07-01 17:07:56 0 d--hs---- C:\Users\Guest\Start Menu
2008-07-01 17:07:56 0 d--hs---- C:\Users\Guest\SendTo
2008-07-01 17:07:56 0 d--hs---- C:\Users\Guest\Recent
2008-07-01 17:07:56 0 d--hs---- C:\Users\Guest\PrintHood
2008-07-01 17:07:56 0 d--hs---- C:\Users\Guest\NetHood
2008-07-01 17:07:56 0 d--hs---- C:\Users\Guest\My Documents
2008-07-01 17:07:56 0 d--hs---- C:\Users\Guest\Local Settings
2008-07-01 17:07:56 0 d--hs---- C:\Users\Guest\Cookies
2008-07-01 17:07:56 0 d--hs---- C:\Users\Guest\Application Data
2008-07-01 17:07:49 0 dr------- C:\Users\Guest\Videos
2008-07-01 17:07:49 0 dr------- C:\Users\Guest\Saved Games
2008-07-01 17:07:49 0 dr------- C:\Users\Guest\Pictures
2008-07-01 17:07:49 524288 --ahs---- C:\Users\Guest\NTUSER.DAT
2008-07-01 17:07:49 0 dr------- C:\Users\Guest\Music
2008-07-01 17:07:49 0 dr------- C:\Users\Guest\Links
2008-07-01 17:07:49 0 dr------- C:\Users\Guest\Favorites
2008-07-01 17:07:49 0 dr------- C:\Users\Guest\Downloads
2008-07-01 17:07:49 0 dr------- C:\Users\Guest\Documents
2008-07-01 17:07:49 0 dr------- C:\Users\Guest\Desktop
2008-07-01 17:07:49 0 d--h----- C:\Users\Guest\AppData
2008-06-19 20:41:36 0 d--hs---- C:\Diskeeper
2008-06-19 19:52:39 0 d-------- C:\Users\All Users\WindowsSearch
2008-06-19 19:00:21 0 d-------- C:\Users\All Users\Diskeeper Corporation
2008-06-19 19:00:18 0 d-------- C:\Program Files\Diskeeper Corporation
2008-06-19 17:56:12 0 d-------- C:\Program Files\Windows Journal
2008-06-18 23:45:54 0 d-------- C:\PerfLogs


-- Find3M Report ---------------------------------------------------------------

2008-07-02 19:50:34 0 d-------- C:\Users\Relax\AppData\Roaming\Skype
2008-07-02 17:33:10 0 d-------- C:\Program Files\Java
2008-07-02 17:30:55 0 d-------- C:\Program Files\Common Files
2008-07-02 16:42:05 0 d-------- C:\Users\Relax\AppData\Roaming\skypePM
2008-07-02 13:20:42 255 --a------ C:\Users\Relax\AppData\Roaming\iPod Access v4 Prefs
2008-07-02 13:15:53 47 --ah----- C:\Users\Relax\AppData\Roaming\iPodAccessv4_OwnerName
2008-07-02 13:14:50 11 --ah----- C:\Users\Relax\AppData\Roaming\iPodAccess_Time
2008-07-02 11:52:58 0 d-------- C:\Users\Relax\AppData\Roaming\WildTangent
2008-07-02 11:35:00 0 d-------- C:\Users\Relax\AppData\Roaming\uTorrent
2008-06-21 00:29:00 0 d-------- C:\Users\Relax\AppData\Roaming\WeatherBug
2008-06-19 18:54:13 0 d-------- C:\Users\Relax\AppData\Roaming\Mozilla
2008-06-19 00:00:21 174 --ahs---- C:\Program Files\desktop.ini
2008-06-18 23:49:06 0 d-------- C:\Program Files\Windows Sidebar
2008-06-18 23:49:06 0 d-------- C:\Program Files\Windows Calendar
2008-06-18 23:49:05 0 d-------- C:\Program Files\Movie Maker
2008-06-18 23:49:04 0 d-------- C:\Program Files\Windows Mail
2008-06-18 23:49:02 0 d-------- C:\Program Files\Windows Collaboration
2008-06-18 23:49:00 0 d-------- C:\Program Files\Windows Photo Gallery
2008-06-18 23:48:53 0 d-------- C:\Program Files\Windows Defender
2008-05-25 10:08:01 40 ---hs---- C:\Users\Relax\AppData\Roaming\.zreglib
2008-05-25 10:05:01 0 d-------- C:\Program Files\SlySoft
2008-05-25 08:56:58 0 d-------- C:\Users\Relax\AppData\Roaming\SlySoft
2008-05-21 00:21:21 0 d-------- C:\Program Files\Microsoft Silverlight


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/2006 03:35 PM]
"Camera Assistant Software"="C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" [04/10/2007 07:40 PM]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [09/11/2006 06:21 PM]
"RtHDVCpl"="RtHDVCpl.exe" [04/25/2007 02:14 PM C:\Windows\RtHDVCpl.exe]
"SVPWUTIL"="C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" [03/23/2006 12:42 AM]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [03/29/2007 01:39 PM]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [12/07/2006 07:49 PM]
"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [03/22/2007 02:46 PM]
"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [04/26/2007 09:56 PM]
"KeNotify"="C:\Program Files\TOSHIBA\Utilities\KeNotify.exe" [11/06/2006 08:14 PM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [05/21/2007 02:31 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [11/22/2006 05:12 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [11/28/2006 06:34 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [04/03/2008 10:51 AM]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01/12/2006 03:40 PM]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [07/27/2007 07:00 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 11:16 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [04/07/2006 03:02 PM]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [02/01/2008 05:22 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/19/2008 03:33 AM]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [01/19/2008 03:33 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"EnableUIADesktopToggle"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\ctrun\ctrun.exe
readme\command- notepad \Readme.1st

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{214e5ade-f2c0-11dc-8805-001b3810fcdf}]
AutoRun\command- wd_windows_tools\setup.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-07-02 19:58:52 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Premium (build 6001) SP 1.0
Architecture: X86; Language: English

CPU 0: AMD Turion™ 64 X2 Mobile Technology TL-56
Percentage of Memory in Use: 45%
Physical Memory (total/avail): 1917.31 MiB / 1036.14 MiB
Pagefile Memory (total/avail): 4077.16 MiB / 2825.34 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1890.29 MiB

C: is Fixed (NTFS) - 147.58 GiB total, 55.68 GiB free.
D: is CDROM (UDF)

\\.\PHYSICALDRIVE0 - TOSHIBA MK1637GSX ATA Device - 149.05 GiB - 2 partitions
\PARTITION0 - Unknown - 1500 MiB
\PARTITION1 (bootable) - Installable File System - 147.58 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: Symantec AntiVirus v10.2.0.276 (Symantec Corporation)
AS: Symantec AntiVirus v10.2.0.276 (Symantec Corporation)
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"="C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine"
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"="C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Relax\AppData\Roaming
CLASSPATH=.;C:\Program Files\Java\jre1.6.0\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=IMOTIVATION
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Relax
LOCALAPPDATA=C:\Users\Relax\AppData\Local
LOGONSERVER=\\IMOTIVATION
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\system32\wbem;C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\QuickTime\QTSystem;C:\PROGRA~1\DISKEE~1\DISKEE~1
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 72 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=4802
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\Java\jre1.6.0\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Relax\AppData\Local\Temp
TMP=C:\Users\Relax\AppData\Local\Temp
USERDOMAIN=iMotivation
USERNAME=Relax
USERPROFILE=C:\Users\Relax
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

Relax (admin)
Guest (new local, guest, net ready)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\InstallShield Installation Information\{A644254B-92F6-4970-8635-AB0775371E72}\setup.exe" --u:{A644254B-92F6-4970-8635-AB0775371E72}
--> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\Windows\UNNeroBackItUp.exe /UNINSTALL
--> C:\Windows\UNNeroMediaHome.exe /UNINSTALL
--> C:\Windows\UNNeroShowTime.exe /UNINSTALL
--> C:\Windows\UNNeroVision.exe /UNINSTALL
--> C:\Windows\UNRecode.exe /UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{622E6F16-0904-49B6-BBE1-4CC836314CCF}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{697AFC77-F318-4CD4-BF16-F50F4C1072DA}\setup.exe" -l0x9
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
Adobe Flash Player 9 ActiveX --> C:\Windows\system32\Macromed\Flash\UninstFl.exe -q
Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\Windows\System32\Adobe\SHOCKW~1\UNWISE.EXE C:\Windows\System32\Adobe\SHOCKW~1\Install.log
ALPS Touch Pad Driver --> C:\Program Files\Apoint2K\Uninstap.exe ADDREMOVE
AnyDVD --> "C:\Program Files\SlySoft\AnyDVD\AnyDVD-uninst.exe" /D="C:\Program Files\SlySoft\AnyDVD"
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
Atheros Driver Installation Program --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{28006915-2739-4EBE-B5E8-49B25D32EB33}\setup.exe" -l0x9 -removeonly
ATI Uninstaller --> C:\Program Files\ATI\CIM\Bin\Atisetup.exe -uninstall all
Bejeweled 2 Deluxe --> "C:\Program Files\TOSHIBA Games\Bejeweled 2 Deluxe\Uninstall.exe"
Blackhawk Striker 2 --> "C:\Program Files\TOSHIBA Games\Blackhawk Striker 2\Uninstall.exe"
Blasterball 3 --> "C:\Program Files\TOSHIBA Games\Blasterball 3\Uninstall.exe"
Bluetooth Stack for Windows by Toshiba --> MsiExec.exe /X{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}
Camera Assistant Software for Toshiba --> C:\Program Files\InstallShield Installation Information\{37C866E4-AA67-4725-9E95-A39968DD7960}\setup.exe -runfromtemp -l0x0009
CD/DVD Drive Acoustic Silencer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}\setup.exe" -l0x9
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Creative Jukebox Driver --> C:\Windows\UNWISE.EXE C:\Windows\JB3DRV.LOG
Creative NOMAD Jukebox Zen Xtra --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{66F324A1-BDC0-11D7-9E5C-00D0B76A8705}\SETUP.EXE" -l0x9
Desktop Dialer --> C:\Windows\unvise32.exe C:\Program Files\DesktopDialer\uninstal.log
Diner Dash - Flo on the Go --> "C:\Program Files\TOSHIBA Games\Diner Dash - Flo on the Go\Uninstall.exe"
Diskeeper 2008 Pro Premier --> MsiExec.exe /X{B695F0BF-D610-4C5E-B7AC-C9FF6C172CC0}
DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
DVD MovieFactory for TOSHIBA --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F214EAA4-A069-4BAF-9DA4-4DB8BEEDE485}\setup.exe" -l0x9
FATE --> "C:\Program Files\TOSHIBA Games\FATE\Uninstall.exe"
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Mah Jong Quest --> "C:\Program Files\TOSHIBA Games\Mah Jong Quest\Uninstall.exe"
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Works --> MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
Mozilla Firefox (3.0) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB927978) --> MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
Nero 7 Ultra Edition --> MsiExec.exe /I{235BBFC6-D863-4066-A01A-3BD504C31033}
oggcodecs 0.71.0946 --> C:\Program Files\illiminable\oggcodecs\uninst.exe
PCsync --> MsiExec.exe /X{3AF1FB80-21BD-4715-8EE2-AB77925519D9}
Penguins! --> "C:\Program Files\TOSHIBA Games\Penguins!\Uninstall.exe"
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
Polar Bowler --> "C:\Program Files\TOSHIBA Games\Polar Bowler\Uninstall.exe"
Polar Golfer --> "C:\Program Files\TOSHIBA Games\Polar Golfer\Uninstall.exe"
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista --> C:\Program Files\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\setup.exe -runfromtemp -l0x0009 -removeonly
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
Samsung USB Driver (MCCI 4.34) WHQL v3.0 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{FAD03728-DA19-4313-959F-872A9C432A86}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Excel 2007 (KB946974) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Microsoft Office Publisher 2007 (KB950114) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Office 2007 (KB947801) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Security Update for Outlook 2007 (KB946983) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {66B9496E-C0C3-4065-9868-85CCA92126C3}
Security Update for Visio 2007 (KB947590) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41}
Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Spelling Dictionaries Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Symantec AntiVirus --> MsiExec.exe /I{7C9E6E52-EB11-44DB-A761-82D5D873A8D9}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Texas Instruments PCIxx21/x515/xx12 drivers. --> C:\Program Files\InstallShield Installation Information\{DB780B85-B4B5-4864-A49C-9B706B169C93}\setup.exe -runfromtemp -l0x0409
TOSHIBA Assist --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{12B3A009-A080-4619-9A2A-C6DB151D8D67}\setup.exe" -l0x9
TOSHIBA ConfigFree --> C:\Program Files\InstallShield Installation Information\{78C6A78A-8B03-48C8-A47C-78BA1FCA2307}\setup.exe -runfromtemp -l0x0009 uninstall -removeonly
TOSHIBA Disc Creator --> MsiExec.exe /X{5DA0E02F-970B-424B-BF41-513A5018E4C0}
TOSHIBA DVD PLAYER --> C:\Program Files\InstallShield Installation Information\{6C5F3BDC-0A1B-4436-A696-5939629D5C31}\setup.exe -runfromtemp -l0x0009 -ADDREMOVE -removeonly
TOSHIBA Extended Tiles for Windows Mobility Center --> C:\Program Files\InstallShield Installation Information\{617C36FD-0CBE-4600-84B2-441CEB12FADF}\setup.exe -runfromtemp -l0x0409
TOSHIBA Flash Cards Support Utility --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{620BBA5E-F848-4D56-8BDA-584E44584C5E}
TOSHIBA Game Console --> "C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\Uninstall.exe"
TOSHIBA Hardware Setup --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{5279374D-87FE-4879-9385-F17278EBB9D3} /l1033
TOSHIBA Media Center Game Console --> "C:\Program Files\TOSHIBA Games\TOSHIBA Media Center Game Console\Uninstall.exe"
TOSHIBA Music --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0E9C4531-58C4-4349-AD2F-A4D999E451EC}\setup.exe" -l0x9 -removeonly
Toshiba Registration --> MsiExec.exe /I{C53D16CC-E56F-47B8-906E-70AAF8EABB4F}
TOSHIBA SD Memory Utilities --> MsiExec.exe /X{EBFF48F5-3CFA-436F-8FD5-94FB01D3A0A7}
TOSHIBA Software Modem --> Tosmreg -U
TOSHIBA Software Upgrades --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{425A2BC2-AA64-4107-9C29-484245BBEA05}\setup.exe" -l0x9 -removeonly
TOSHIBA Speech System Applications --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE033C1F-443E-41EC-A0E2-559B539A4E4D}\Setup.exe" -l0x9
TOSHIBA Speech System SR Engine(U.S.) Version1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{008D69EB-70FF-46AB-9C75-924620DF191A}\Setup.exe" -l0x9 UNINSTALL
TOSHIBA Speech System TTS Engine(U.S.) Version1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3FBF6F99-8EC6-41B4-8527-0A32241B5496}\Setup.exe" -l0x9
TOSHIBA Supervisor Password --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE} /l1033
TOSHIBA Value Added Package --> C:\Program Files\InstallShield Installation Information\{FEDD27A0-B306-45EF-BF58-B527406B42C8}\setup.exe -runfromtemp -l0x0409
Update for Office 2007 (KB946691) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb950378) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F6296086-AED5-4EC0-938B-08EA0254F20E}
VideoLAN VLC media player 0.8.6d --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
WeatherBug --> C:\PROGRA~1\AWS\WEATHE~1\REMOVE.EXE C:\PROGRA~1\AWS\WEATHE~1\INSTALL.LOG
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Player Firefox Plugin --> MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type8141 / Success
Event Submitted/Written: 07/02/2008 04:39:59 PM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type8140 / Success
Event Submitted/Written: 07/02/2008 04:39:56 PM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type8135 / Success
Event Submitted/Written: 07/02/2008 04:39:43 PM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.

Event Record #/Type8122 / Warning
Event Submitted/Written: 07/02/2008 04:37:09 PM
Event ID/Source: 1530 / profsvc
Event Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
4 user registry handles leaked from \Registry\User\S-1-5-21-2006963385-2361076624-1265950325-1000:
Process 1464 (\Device\HarddiskVolume2\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-2006963385-2361076624-1265950325-1000
Process 1464 (\Device\HarddiskVolume2\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-2006963385-2361076624-1265950325-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Process 1844 (\Device\HarddiskVolume2\Windows\System32\spoolsv.exe) has opened key \REGISTRY\USER\S-1-5-21-2006963385-2361076624-1265950325-1000\Software
Process 1844 (\Device\HarddiskVolume2\Windows\System32\spoolsv.exe) has opened key \REGISTRY\USER\S-1-5-21-2006963385-2361076624-1265950325-1000\Software\Policies

Event Record #/Type8110 / Error
Event Submitted/Written: 07/02/2008 03:56:26 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.9.0.3071, time stamp 0x483ebafb, faulting module MOZCRT19.dll, version 8.0.0.0, time stamp 0x483ebb90, exception code 0xc0000005, fault offset 0x000053b4,
process id 0xee4, application start time 0xfirefox.exe0.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type59230 / Error
Event Submitted/Written: 07/02/2008 04:40:09 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
vkquwexg

Event Record #/Type59186 / Error
Event Submitted/Written: 07/02/2008 04:40:09 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
Parallel port driver%%1058

Event Record #/Type59145 / Error
Event Submitted/Written: 07/02/2008 04:39:56 PM
Event ID/Source: 21 / W32Time
Event Description:
The time service is configured to use one or more input providers, however, none of the input providers are available. The time service has no source of accurate time.

Event Record #/Type59144 / Error
Event Submitted/Written: 07/02/2008 04:39:56 PM
Event ID/Source: 4 / W32Time
Event Description:
The time provider 'NtpClient' failed to start due to the following error: Catastrophic failure (0x8000FFFF)

Event Record #/Type59141 / Error
Event Submitted/Written: 07/02/2008 04:39:36 PM
Event ID/Source: 15016 / HTTP
Event Description:
\Device\Http\ReqQueueKerberos



-- End of Deckard's System Scanner: finished at 2008-07-02 19:58:52 ------------

Here is the Kaspersky Online Scan Report:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, July 2, 2008
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, July 02, 2008 21:39:10
Records in database: 908160
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 120265
Threat name: 3
Infected objects: 13
Suspicious objects: 0
Duration of the scan: 01:42:02


File name / Threat name / Threats count
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BAC0000\4BFED095.VBN Infected: Trojan-Downloader.Win32.VB.bvd 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\118C0000\59EF9EC0.VBN Infected: Trojan-Dropper.Win32.Agent.rub 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\118C0001\59EF9F50.VBN Infected: Trojan-Dropper.Win32.Agent.rub 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11C40000\57C57C3A.VBN Infected: Trojan-Downloader.Win32.VB.bvd 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\125C0000\57DD0EEE.VBN Infected: Trojan-Downloader.Win32.VB.bvd 1
C:\QooBox\Quarantine\C\Windows\System32\byXOeCuV.dll.vir Infected: Trojan.Win32.Monderc.gen 1
C:\QooBox\Quarantine\C\Windows\System32\qoMgdeDW.dll.vir Infected: Trojan.Win32.Monderc.gen 1
C:\QooBox\Quarantine\C\Windows\System32\svofevow.dll.vir Infected: Trojan.Win32.Monderc.gen 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BAC0000\4BFED095.VBN Infected: Trojan-Downloader.Win32.VB.bvd 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\118C0000\59EF9EC0.VBN Infected: Trojan-Dropper.Win32.Agent.rub 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\118C0001\59EF9F50.VBN Infected: Trojan-Dropper.Win32.Agent.rub 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11C40000\57C57C3A.VBN Infected: Trojan-Downloader.Win32.VB.bvd 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\125C0000\57DD0EEE.VBN Infected: Trojan-Downloader.Win32.VB.bvd 1

The selected area was scanned.


****Any additional information you may need please let me know. I thank you in advance for helping me.

BC AdBot (Login to Remove)

 


#2 iMotivation

iMotivation
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:04:40 PM

Posted 03 July 2008 - 12:02 PM

I have continued to troubleshoot my computer. I have inserted what I have done personally to rid the Trojan, thus far:

1) Disabled my wireless, Windows Defender, Symantec Anti-Virus, Windows Firewall
2) Downloaded/Ran "ATF Cleaner" by Atribune from the link provided in the forum post mentioned above.
3) Downloaded/Installed/Ran the program "ComboFix" (I have the log.)
Note: Upon restart, this notice from Windows popped up/I have never seen it before: "Error loading C:\Windows\System32\svofevow.dll The specified module could not be found." The title of the window is "RunDLL".
4) Then I scanned "My Computer" using the Kaspersky Online Scanner (as suggested by this site.) (I have the log as well.)
*Note: I did uninstall the version of Sun Runtime Java Environment that I had, and installed the latest version from the site v6.6.
5) Then I downloaded/Ran Deckard's System Scanner (DSS). (I have the log.)
6) I have now enabled all the items that I disabled in step one above.
7) Installed Malwarebytes' Anti-Malware. No threats were found. (I have the log)
8) Installed Spybot Search & Destroy. No threats were found.
9) Microsoft Windows update. No updates pertaining to the Trojan were mentioned. My computer is up-to-date.
10) I tried to search my computer for the Trojan: keywords "trojan:win32/vundo.gen!Q" and "vundo.gen!Q". Nothing was found.

*Notes:
I have noticed web browsing (Firefox) and my overall laptop's performance and speed as deteriorated significantly and consistently. The speed of Firefox, I know, is directly correlated with my internet connection speed - which is slower than I am used to because I am at another person's house since I have had the Trojan/Virus.

Since I have downloaded and installed several applications, I am willing to do another scan or anything else needed to solve the problem. I can post those results at your request. Thank you again for helping me.

#3 iMotivation

iMotivation
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:04:40 PM

Posted 04 July 2008 - 09:29 AM

I continued to troubleshoot my computer.

In normal mode, I ran Windows Defender to see if it would get rid of the file named "Trojan:WIN32/vundo.gen!Q". Amazingly, it was able to Quarantine the item. I then went to delete it via Windows Defender and it worked! I am not sure if I have managed to completely rid my computer of the virus. I am pretty sure I haven't, but I feel a lot more comfortable now. *Below I have included screen shots of Windows Defender ridding the virus.

Just to be on the safe side because I don't really want to reformat my hard drive, below is a HijackThis log up-to-date. If possible can you tell me if my computer looks clean???? I would greatly appreciate it. I can certainly scan my computer using DSS and Kaspersky Online Scanner as well for you to look at.

For those of you who are reading this: I troubleshooted my computer based on information from a variety of forums. Until someone e-mails me and/or replies on this forum, I am not considering my issue resolved because I am not an expert. I hope to get me answer soon...since I hope it requires very little troubleshooting for an expert.

Thank you in advance. I look forward to your prompt and expert advice! :thumbsup:

HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:10:21 AM, on 7/4/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Toshiba\Utilities\KeNotify.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Camera Assistant Software for

Toshiba\CEC_MAIN.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\helppane.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

https://www.google.com/accounts/ServiceLogin?

service=mail&passive=true&rm=false&continue=http%3A%2F%

2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%

3Dl&ltmpl=default&ltmplcache=2
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?

LinkId=69157
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Search_URL =

http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet

Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-

B87D-784B7D6BE0B3} - C:\Program Files\Common

Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9

-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet

Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-

206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-

D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -

(no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F}

- (no file)
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI

Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program

Files\Camera Assistant Software for Toshiba\traybar.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program

Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power

Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%

\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%

\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%

\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [KeNotify] C:\Program

Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program

Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common

Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program

Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common

Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program

Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program

Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program

Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program

Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [Weather] C:\Program

Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe"

/nosplash /minimized
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media

Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot -

Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows

Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe

oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows

Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-

00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-

11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06

\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-

5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c

-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12

\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07}

- C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-

3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-

58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration -

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1

\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-

1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1

\GOEC62~1.DLL
O23 - Service: Agere Modem Call Progress Audio

(AgereModemAudio) - Agere Systems - C:\Windows\system32

\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program

Files\Common Files\Apple\Mobile Device

Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. -

C:\Windows\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec

Corporation - C:\Program Files\Common Files\Symantec

Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec

Corporation - C:\Program Files\Common Files\Symantec

Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA

CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) -

Symantec Corporation - C:\Program Files\Symantec

AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program

Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program

Files\TOSHIBA Games\TOSHIBA Game

Console\GameConsoleService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program

Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program

Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision

Corporation - C:\Program Files\Common

Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1

\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7

\Nero BackItUp\NBService.exe
O23 - Service: pinger - Unknown owner -

C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program

Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) -

Safer Networking Ltd. - C:\Program Files\Spybot - Search &

Destroy\SDWinSec.exe
O23 - Service: Swupdtmr - Unknown owner -

c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation -

C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA

Corporation - C:\Program Files\Toshiba\TOSHIBA DVD

PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) -

TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA

Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA

CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba

Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead

Systems, Inc. - C:\Program Files\Common Files\Ulead

Systems\DVD\ULCDRSvr.exe

--
End of file - 9770 bytes

===========================================================================
Screen Shots of Windows Defender ridding the virus are attached.

Attached Files



#4 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,935 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hamburg
  • Local time:10:40 PM

Posted 21 July 2008 - 12:06 PM

Hello iMotivation and welcome to BleepingComputer!

Apollogies for the delay. The forum has been very busy lately. If you are still having problems, then please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic: Preparation Guide For Use Before Posting A Hijackthis Log. Please also post the problems you are having.

When posting your log, please make sure you post the HijackThis log as a reply and not as an attachment, as well as that no wordwrap or anything is turned on so that it mungles the log like above. If we do not hear back from you within a couple of days we will need to close your topic.

Thanks,

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image


#5 iMotivation

iMotivation
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:04:40 PM

Posted 22 July 2008 - 08:02 PM

I did all the steps from the link mentioned. The problem that I am having right now that I can't fix is with my Toshiba quick buttons (the ones physically above my keyboard). I can't really tell if I have any other problems. I don't have any random pop ups and my computer is running relatively at the same speed it used to. I really appreciate you getting back to me. Below is the HijackThis log. Please let me know what you think. Thank you in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:10 PM, on 7/22/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Toshiba\Utilities\KeNotify.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = "http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 7347 bytes

#6 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,935 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hamburg
  • Local time:10:40 PM

Posted 23 July 2008 - 12:02 PM

hi iMotivation,

before we can continue, I need you to please post the ComboFix.txt and the Kaspersky onlinescanner log. Thanks!

"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image


#7 iMotivation

iMotivation
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:04:40 PM

Posted 24 July 2008 - 07:37 AM

Here are the ComboFix and Kaspersky Onlinescanner Logs that I did when I was first infected. If you want me to do a current one, please let me know. I guess it would make more sense for a more current one...

ComboFix Log:
ComboFix 08-07-01.5 - Relax 2008-07-02 16:32:46.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.927 [GMT -4:00]
Running from: C:\Users\Relax\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\byXOeCuV.dll
C:\Windows\system32\qoMgdeDW.dll
C:\Windows\system32\svofevow.dll
C:\Windows\System32\WDedgMoq.ini
C:\Windows\System32\WDedgMoq.ini2
C:\Windows\system32\wovefovs.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-02 17:32 --------- d-----w C:\Program Files\Trend Micro
2008-07-02 17:23 --------- d-----w C:\Program Files\iPod Access for Windows
2008-07-02 15:59 --------- d-----w C:\Users\Relax\AppData\Roaming\Skype
2008-07-02 15:52 --------- d-----w C:\Users\Relax\AppData\Roaming\WildTangent
2008-07-02 15:35 --------- d-----w C:\Users\Relax\AppData\Roaming\uTorrent
2008-07-02 12:19 --------- d-----w C:\Users\Relax\AppData\Roaming\skypePM
2008-07-01 21:55 --------- d-----w C:\Program Files\TezLink Agent
2008-06-24 20:06 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-06-21 04:29 --------- d-----w C:\Users\Relax\AppData\Roaming\WeatherBug
2008-06-19 23:52 --------- d-----w C:\ProgramData\WindowsSearch
2008-06-19 23:00 --------- d-----w C:\ProgramData\Diskeeper Corporation
2008-06-19 23:00 --------- d-----w C:\Program Files\Diskeeper Corporation
2008-06-19 21:56 --------- d-----w C:\Program Files\Windows Journal
2008-06-19 04:00 174 --sha-w C:\Program Files\desktop.ini
2008-06-19 03:49 --------- d-----w C:\Program Files\Windows Sidebar
2008-06-19 03:49 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-06-19 03:49 --------- d-----w C:\Program Files\Windows Mail
2008-06-19 03:49 --------- d-----w C:\Program Files\Windows Collaboration
2008-06-19 03:49 --------- d-----w C:\Program Files\Windows Calendar
2008-06-19 03:48 --------- d-----w C:\Program Files\Windows Defender
2008-06-19 03:15 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-06-19 03:15 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-05-25 14:05 --------- d-----w C:\Program Files\SlySoft
2008-05-25 12:56 --------- d-----w C:\Users\Relax\AppData\Roaming\SlySoft
2008-05-21 04:21 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-15 21:51 --------- d-----w C:\ProgramData\Microsoft Help
2008-05-10 01:33 113,664 ----a-w C:\Windows\system32\drivers\rmcast.sys
2008-04-26 08:08 1,314,816 ----a-w C:\Windows\System32\quartz.dll
2008-04-25 04:35 826,880 ----a-w C:\Windows\System32\wininet.dll
2008-04-23 04:42 428,544 ----a-w C:\Windows\System32\EncDec.dll
2008-04-23 04:42 293,376 ----a-w C:\Windows\System32\psisdecd.dll
2008-04-03 14:50 110,592 ----a-w C:\Windows\System32\SynTPCo4.dll
2008-04-03 14:14 151,552 ----a-w C:\Windows\System32\SynTPAPI.dll
2008-04-03 14:02 196,608 ----a-w C:\Windows\System32\SynCtrl.dll
2008-04-03 14:01 163,840 ----a-w C:\Windows\System32\SynCOM.dll
2008-03-16 21:46 32 ----a-w C:\Users\All Users\ezsid.dat
2008-03-16 21:46 32 ----a-w C:\ProgramData\ezsid.dat
2007-05-17 01:46 262,144 ----a-w C:\ProgramData\ntuser.dat
2007-08-23 02:20 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007082220070823\index.dat
2007-08-24 15:15 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007082420070825\index.dat
2007-10-02 23:51 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007100220071003\index.dat
2008-02-23 04:04 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008022220080223\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2006-04-07 15:02 1343488]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 17:22 21898024]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 03:33 202240]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 03:33 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 15:35 90112]
"Camera Assistant Software"="C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" [2007-04-10 19:40 413696]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2006-09-11 18:21 180224]
"SVPWUTIL"="C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-03-23 00:42 438272]
"KeNotify"="C:\Program Files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-06 20:14 34352]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-05-21 14:31 1862144]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 17:12 107112]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-11-28 06:34 134808]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-03 10:51 1045800]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-07-27 07:00 204800]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"RtHDVCpl"="RtHDVCpl.exe" [2007-04-25 14:14 4444160 C:\Windows\RtHDVCpl.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\vio\dvacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{55EF6078-6410-421F-9A06-C168661A99C8}"= UDP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{B2DB337A-8E42-4F42-8678-DA062F1EFE2D}"= TCP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{837B41F6-CC06-4D0A-BD25-D98137FAF7ED}"= UDP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{D02AC3ED-2D61-4B74-A8D4-C086877EF032}"= TCP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"TCP Query User{56616D54-7AE0-45DA-81E3-4D6257BBAD26}C:\\program files\\bittorrent\\bittorrent.exe"= UDP:C:\program files\bittorrent\bittorrent.exe:bittorrent
"UDP Query User{C6A277A4-435E-4CEC-B183-B5BBC45AE493}C:\\program files\\bittorrent\\bittorrent.exe"= TCP:C:\program files\bittorrent\bittorrent.exe:bittorrent
"{8FDE31FF-77CB-4B7E-98E2-FEFC63707253}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{4167D6AE-45F6-4588-8C7C-EAA3E1CD8690}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{699B2272-6408-4F3D-9930-8010717D6095}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{A35F159F-45FA-4DEC-B7F8-5AE7F12EE378}C:\\program files\\itunes\\itunes.exe"= UDP:C:\program files\itunes\itunes.exe:iTunes
"UDP Query User{A9A5D58F-B763-4068-8EF4-AD48A750CA85}C:\\program files\\itunes\\itunes.exe"= TCP:C:\program files\itunes\itunes.exe:iTunes
"TCP Query User{AA6BDF4B-AEE3-4B82-B3D8-3A88716B77F8}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{857EF126-F784-4663-87A3-EF5872A7EF81}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{C6B41D49-B300-4F3F-B6DD-0D9708EACF08}C:\\program files\\laplink\\pcsync\\sfthost.exe"= UDP:C:\program files\laplink\pcsync\sfthost.exe:PCsync Host Module
"UDP Query User{C7FC70AA-C670-4F28-AE9E-58465F1288C8}C:\\program files\\laplink\\pcsync\\sfthost.exe"= TCP:C:\program files\laplink\pcsync\sfthost.exe:PCsync Host Module
"TCP Query User{DC94C54D-9850-4266-8BF8-909EFD3B5AE7}C:\\program files\\laplink\\pcsync\\pcsync.exe"= UDP:C:\program files\laplink\pcsync\pcsync.exe:Laplink PCsync
"UDP Query User{D27BE0DC-5526-4453-9BC4-038CC6FF38D6}C:\\program files\\laplink\\pcsync\\pcsync.exe"= TCP:C:\program files\laplink\pcsync\pcsync.exe:Laplink PCsync
"{09D4618E-9330-40CF-8638-216771B5BC59}"= UDP:10001:bittorrent1001
"{1B30240A-909A-4DB4-8615-3801BC104561}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{9E91714D-B135-4BFC-A4F1-90DA1B131C1F}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{43E171BD-9868-458A-85B2-5C1332B9BF4C}"= UDP:53620:utorrent53620
"{5BA9793D-A4A0-4CEC-8B33-2DAD0706951E}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{6539364D-F6BD-4214-A620-CD7F9A78188C}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{6DB5F5DB-A926-4F2F-931C-F7503F20BAF3}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{BAC06B04-C660-4C84-A84E-6974DDF34FEF}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{926D5C3F-56B6-49C9-9F5B-7CE3907E16F5}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{757DFD6A-7BEE-4D82-BFDD-A0DC2EB6AAB2}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"TCP Query User{E460A89D-C526-494E-A3A5-FD8EF52728E3}C:\\program files\\supersync demo\\supersync.exe"= UDP:C:\program files\supersync demo\supersync.exe:SuperSync
"UDP Query User{895B5695-1A15-4DA7-8842-6D3409B6D755}C:\\program files\\supersync demo\\supersync.exe"= TCP:C:\program files\supersync demo\supersync.exe:SuperSync
"TCP Query User{A90BDEE1-0223-4C3F-A8C3-EDC382A05E42}C:\\program files\\tezlink agent\\tezlink agent.exe"= UDP:C:\program files\tezlink agent\tezlink agent.exe:TezLink Agent
"UDP Query User{A6C711BE-F763-42A7-8EE9-A9A8460C1B7A}C:\\program files\\tezlink agent\\tezlink agent.exe"= TCP:C:\program files\tezlink agent\tezlink agent.exe:TezLink Agent
"{B93A0D04-4B8A-4597-BA40-2C8B7B9EFB11}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{4F4C6CB1-1AA5-4141-913F-53A1364CA4EF}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= C:\TOSHIBA\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger
"C:\\Program Files\\BitTorrent\\bittorrent.exe"= C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-04-25 01:07]
S3 GameConsoleService;GameConsoleService;"C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe" [2007-11-09 18:59]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\shell\AutoRun\command - D:\ctrun\ctrun.exe
\shell\readme\command - notepad \Readme.1st

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\shell\AutoRun\command - wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{214e5ade-f2c0-11dc-8805-001b3810fcdf}]
\shell\AutoRun\command - wd_windows_tools\setup.exe

.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-TOSCDSPD - TOSCDSPD.EXE
HKLM-Run-HWSetup - \HWSetup.exe
HKLM-Run-WinampAgent - C:\Program Files\Winamp\winampa.exe
HKLM-Run-1a3e3093 - C:\Windows\system32\svofevow.dll
HKLM-Run-NDSTray.exe - NDSTray.exe
ShellExecuteHooks-{FE27E908-4C06-4BAE-88A0-655D0CE752CB} - C:\Windows\system32\byXOeCuV.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-02 16:40:10
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Program Files\Common Files\Symantec Shared\SPBBC\2008-06-21-4c4a.kc

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\System32\Ati2evxx.exe
C:\Windows\System32\audiodg.exe
C:\Windows\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\microsoft shared\VS7DEBUG\mdm.exe
C:\Toshiba\IVP\ISM\pinger.exe
C:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\System32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Windows\System32\wbem\WMIADAP.exe
.
**************************************************************************
.
Completion time: 2008-07-02 16:45:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-02 20:45:29

The system cannot find message text for message number 0x2379 in the message file for Application.
Post-Run: 66,678,337,536 bytes free

217 --- E O F --- 2008-07-02 02:59:21


Kaspersky Onlinescanner Log:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, July 2, 2008
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, July 02, 2008 21:39:10
Records in database: 908160
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 120265
Threat name: 3
Infected objects: 13
Suspicious objects: 0
Duration of the scan: 01:42:02


File name / Threat name / Threats count
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BAC0000\4BFED095.VBN Infected: Trojan-Downloader.Win32.VB.bvd 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\118C0000\59EF9EC0.VBN Infected: Trojan-Dropper.Win32.Agent.rub 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\118C0001\59EF9F50.VBN Infected: Trojan-Dropper.Win32.Agent.rub 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11C40000\57C57C3A.VBN Infected: Trojan-Downloader.Win32.VB.bvd 1
C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\125C0000\57DD0EEE.VBN Infected: Trojan-Downloader.Win32.VB.bvd 1
C:\QooBox\Quarantine\C\Windows\System32\byXOeCuV.dll.vir Infected: Trojan.Win32.Monderc.gen 1
C:\QooBox\Quarantine\C\Windows\System32\qoMgdeDW.dll.vir Infected: Trojan.Win32.Monderc.gen 1
C:\QooBox\Quarantine\C\Windows\System32\svofevow.dll.vir Infected: Trojan.Win32.Monderc.gen 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BAC0000\4BFED095.VBN Infected: Trojan-Downloader.Win32.VB.bvd 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\118C0000\59EF9EC0.VBN Infected: Trojan-Dropper.Win32.Agent.rub 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\118C0001\59EF9F50.VBN Infected: Trojan-Dropper.Win32.Agent.rub 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11C40000\57C57C3A.VBN Infected: Trojan-Downloader.Win32.VB.bvd 1
C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\125C0000\57DD0EEE.VBN Infected: Trojan-Downloader.Win32.VB.bvd 1

The selected area was scanned.

#8 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,935 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hamburg
  • Local time:10:40 PM

Posted 25 July 2008 - 03:35 AM

Hi iMotivation,

apologies for the delay. I was out and about last night til midnight. Just some basics:

Please note that comments are made in green, links are in red, important things are outlined by using the blue color and the numbered steps I would like you to follow are outlined with orange.

Please also take note of the following:
  • I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.

The problem that I am having right now that I can't fix is with my Toshiba quick buttons (the ones physically above my keyboard).

We will try installing the software for it again later. Lets see if we can rid you of the left overs first.

Your log(s) show that you are using so called peer-to-peer or file-sharing programmes (in your case uTorrent, bittorrent). These programmes allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

Step #1

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
Step #2

Now please empty the quarantine of your Symantec Antivirus via its Control Panel (see if this helps).

Step #3

Delete the ComboFix.exe from your Desktop.

Step #4

Can you please have a look if the extra.txt file created by DSS is present in the C:\Deckard\System Scanner folder? I really want that log.
If you cannot find the log, then please do the following:
  • Close all programs and/or windows so that you have nothing open and are at your Desktop.
  • Click on Start, then click on Run.
  • In the Open: field copy and paste the entire contents inside the CODE box below and press the OK button.

    "%userprofile%\Desktop\dss.exe" /config

    This will open up DSS configuration.
  • Click on Check All.
  • Click Scan.
    DSS will now run again.
  • When finished, please post back both logs that open in Notepad: main.txt and extra.txt.
Step #5

Please post back with the main.txt and extra.txt from the DSS scan. Thanks!

"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image


#9 iMotivation

iMotivation
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:04:40 PM

Posted 26 July 2008 - 09:59 AM

Thank you for all the information! I really appreciate your support. Here is what I did:

1)I installed the latest version of Java from the provided link. This was the name of the file and its execute:

JDK 6 Update 7
The Java SE Development Kit (JDK) includes the Java Runtime Environment (JRE) and command-line development tools that are useful for developing applets and applications.
jdk-6u7-windows-i586-p.exe

2)I tried my best to delete the quarantined items from Symantec.
3) I believe I already deleted the combofix.exe file from my desktop using the steps provided in your Removal of Malware Guide
4) I did a current Deckard System Scan.
The following are the main.txt and extra.txt reports:

Main.txt:
Deckard's System Scanner v20071014.68
Run by Relax on 2008-07-26 10:42:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
6: 2008-07-26 14:08:16 UTC - RP408 - Installed Java™ 6 Update 7
5: 2008-07-26 14:02:51 UTC - RP407 - Installed Java™ SE Development Kit 6 Update 7
4: 2008-07-26 13:56:43 UTC - RP406 - Removed Java™ 6 Update 6
3: 2008-07-25 20:47:51 UTC - RP405 - Windows Update
2: 2008-07-24 19:23:01 UTC - RP404 - Scheduled Checkpoint


-- First Restore Point --
1: 2008-07-23 00:15:27 UTC - RP403 - Windows Update


Performed disk cleanup.



-- HijackThis (run as Relax.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:52 AM, on 7/26/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Toshiba\Utilities\KeNotify.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Users\Relax\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Relax.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = "http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 7546 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080708-173800-166 O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
backup-20080708-173800-323 O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
backup-20080708-173800-572 O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S4 KR10I - c:\windows\system32\drivers\kr10i.sys <Not Verified; TOSHIBA CORPORATION; TOSHIBA RAID>
S4 KR10N - c:\windows\system32\drivers\kr10n.sys <Not Verified; TOSHIBA CORPORATION; TOSHIBA RAID>
S4 KR3NPXP - c:\windows\system32\drivers\kr3npxp.sys <Not Verified; TOSHIBA CORPORATION; TOSHIBA RAID>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 CFSvcs (ConfigFree Service) - c:\program files\toshiba\configfree\cfsvcs.exe <Not Verified; TOSHIBA CORPORATION; ConfigFree™>
R2 TNaviSrv (TOSHIBA Navi Support Service) - c:\program files\toshiba\toshiba dvd player\tnavisrv.exe <Not Verified; TOSHIBA Corporation; TOSHIBA DVD Player>
R2 TODDSrv (TOSHIBA Optical Disc Drive Service) - c:\windows\system32\toddsrv.exe <Not Verified; TOSHIBA Corporation; TDCSrv Application>

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\Windows\explorer.exe (pid 476)
2006-11-10 19:18:26 73728 --a------ C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll <Not Verified; Nero AG; Nero BackItUp>
2007-09-20 19:34:58 129024 --a------ C:\Program Files\WinRAR\RarExt.dll


-- Files created between 2008-06-26 and 2008-07-26 -----------------------------

2008-07-26 10:10:50 0 d-------- C:\Program Files\Sun
2008-07-26 10:03:16 0 d-------- C:\Program Files\Common Files\Java
2008-07-08 19:22:18 0 d-------- C:\Program Files\Lavasoft
2008-07-08 19:22:17 0 d-------- C:\Users\All Users\Lavasoft
2008-07-08 19:02:44 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-08 17:16:16 0 d-------- C:\Users\All Users\SecTaskMan
2008-07-08 08:34:03 0 d-------- C:\Program Files\Return to Castle Wolfenstein <RETURN~1>
2008-07-07 16:09:21 0 d-------- C:\Program Files\EA GAMES
2008-07-07 14:47:22 0 d-------- C:\VundoFix Backups
2008-07-04 09:49:01 0 d-------- C:\Program Files\SpywareBlaster
2008-07-03 11:53:52 0 d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-07-03 10:20:50 0 d-------- C:\Program Files\TagRename
2008-07-03 10:01:19 0 d-------- C:\Users\All Users\Malwarebytes
2008-07-03 10:01:18 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-02 13:32:52 0 d-------- C:\Program Files\Trend Micro
2008-07-02 13:13:49 0 d-------- C:\Program Files\iPod Access for Windows
2008-07-01 17:41:41 0 d-------- C:\Program Files\TezLink Agent
2008-07-01 17:08:17 0 dr------- C:\Users\Guest\Searches
2008-07-01 17:08:08 0 dr------- C:\Users\Guest\Contacts
2008-07-01 17:07:56 0 d--hs---- C:\Users\Guest\Templates
2008-07-01 17:07:56 0 d--hs---- C:\Users\Guest\Start Menu
2008-07-01 17:07:56 0 d--hs---- C:\Users\Guest\SendTo
2008-07-01 17:07:56 0 d--hs---- C:\Users\Guest\Recent
2008-07-01 17:07:56 0 d--hs---- C:\Users\Guest\PrintHood
2008-07-01 17:07:56 0 d--hs---- C:\Users\Guest\NetHood
2008-07-01 17:07:56 0 d--hs---- C:\Users\Guest\My Documents
2008-07-01 17:07:56 0 d--hs---- C:\Users\Guest\Local Settings
2008-07-01 17:07:56 0 d--hs---- C:\Users\Guest\Cookies
2008-07-01 17:07:56 0 d--hs---- C:\Users\Guest\Application Data
2008-07-01 17:07:49 0 dr------- C:\Users\Guest\Videos
2008-07-01 17:07:49 0 dr------- C:\Users\Guest\Saved Games
2008-07-01 17:07:49 0 dr------- C:\Users\Guest\Pictures
2008-07-01 17:07:49 2097152 --ahs---- C:\Users\Guest\NTUSER.DAT
2008-07-01 17:07:49 0 dr------- C:\Users\Guest\Music
2008-07-01 17:07:49 0 dr------- C:\Users\Guest\Links
2008-07-01 17:07:49 0 dr------- C:\Users\Guest\Favorites
2008-07-01 17:07:49 0 dr------- C:\Users\Guest\Downloads
2008-07-01 17:07:49 0 dr------- C:\Users\Guest\Documents
2008-07-01 17:07:49 0 dr------- C:\Users\Guest\Desktop
2008-07-01 17:07:49 0 d--h----- C:\Users\Guest\AppData


-- Find3M Report ---------------------------------------------------------------

2008-07-26 10:10:28 0 d-------- C:\Program Files\Java
2008-07-26 10:03:16 0 d-------- C:\Program Files\Common Files
2008-07-22 20:15:36 0 d-------- C:\Users\Relax\AppData\Roaming\WeatherBug
2008-07-10 03:09:48 0 d-------- C:\Program Files\Windows Mail
2008-07-08 22:21:00 0 d-------- C:\Program Files\Google
2008-07-08 22:18:39 0 d-------- C:\Program Files\Symantec
2008-07-08 22:18:29 0 d-------- C:\Program Files\Symantec AntiVirus
2008-07-08 22:18:11 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-08 18:39:58 0 d-------- C:\Users\Relax\AppData\Roaming\uTorrent
2008-07-08 18:24:13 0 d-------- C:\Users\Relax\AppData\Roaming\Help
2008-07-08 17:59:33 0 d-------- C:\Program Files\MSECache
2008-07-08 15:45:26 0 d-------- C:\Users\Relax\AppData\Roaming\dvdcss
2008-07-07 16:24:24 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-07 15:33:57 0 d-------- C:\Program Files\DAEMON Tools Lite
2008-07-04 09:57:53 0 d-------- C:\Users\Relax\AppData\Roaming\Skype
2008-07-04 08:07:00 0 d-------- C:\Users\Relax\AppData\Roaming\skypePM
2008-07-03 10:01:21 0 d-------- C:\Users\Relax\AppData\Roaming\Malwarebytes
2008-07-02 13:20:42 255 --a------ C:\Users\Relax\AppData\Roaming\iPod Access v4 Prefs
2008-07-02 13:15:53 47 --ah----- C:\Users\Relax\AppData\Roaming\iPodAccessv4_OwnerName
2008-07-02 13:14:50 11 --ah----- C:\Users\Relax\AppData\Roaming\iPodAccess_Time
2008-07-02 11:52:58 0 d-------- C:\Users\Relax\AppData\Roaming\WildTangent
2008-06-19 19:00:18 0 d-------- C:\Program Files\Diskeeper Corporation
2008-06-19 18:54:13 0 d-------- C:\Users\Relax\AppData\Roaming\Mozilla
2008-06-19 00:00:21 174 --ahs---- C:\Program Files\desktop.ini
2008-06-18 23:49:06 0 d-------- C:\Program Files\Windows Sidebar
2008-06-18 23:49:06 0 d-------- C:\Program Files\Windows Calendar
2008-06-18 23:49:05 0 d-------- C:\Program Files\Movie Maker
2008-06-18 23:49:02 0 d-------- C:\Program Files\Windows Collaboration
2008-06-18 23:49:00 0 d-------- C:\Program Files\Windows Photo Gallery
2008-06-18 23:48:53 0 d-------- C:\Program Files\Windows Defender
2008-05-25 10:08:01 40 ---hs---- C:\Users\Relax\AppData\Roaming\.zreglib


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [04/25/2007 02:14 PM C:\Windows\RtHDVCpl.exe]
"SVPWUTIL"="C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe" [03/23/2006 12:42 AM]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [03/29/2007 01:39 PM]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [12/07/2006 07:49 PM]
"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [04/26/2007 09:56 PM]
"KeNotify"="C:\Program Files\TOSHIBA\Utilities\KeNotify.exe" [11/06/2006 08:14 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [12/07/2006 08:25 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [08/05/2007 05:29 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [04/07/2006 03:02 PM]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [12/19/2007 04:13 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"EnableUIADesktopToggle"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\ctrun\ctrun.exe
readme\command- notepad \Readme.1st

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{64af247d-4b95-11dd-a97f-001b3810fcdf}]
AutoRun\command- E:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{64af2756-4b95-11dd-a97f-001b3810fcdf}]
AutoRun\command- G:\Autorun.exe
dinstall\command- G:\Directx\dxsetup.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8772 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-26 10:47:03 ------------

Extra.txt:
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Premium (build 6001) SP 1.0
Architecture: X86; Language: English

CPU 0: AMD Turion™ 64 X2 Mobile Technology TL-56
Percentage of Memory in Use: 39%
Physical Memory (total/avail): 1917.31 MiB / 1164.64 MiB
Pagefile Memory (total/avail): 4083.16 MiB / 3064.63 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1909.02 MiB

C: is Fixed (NTFS) - 147.58 GiB total, 76.57 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - TOSHIBA MK1637GSX ATA Device - 149.05 GiB - 2 partitions
\PARTITION0 - Unknown - 1500 MiB
\PARTITION1 (bootable) - Installable File System - 147.58 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: Symantec AntiVirus v10.2.0.322 (Symantec Corporation)
AS: Spybot - Search and Destroy v1.0.0.5 (Safer Networking Ltd.) Outdated
AS: Symantec AntiVirus v10.2.0.322 (Symantec Corporation)
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"="C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine"
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"="C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Relax\AppData\Roaming
CLASSPATH=.;C:\Program Files\Java\jre1.6.0\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=IMOTIVATION
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Relax
LOCALAPPDATA=C:\Users\Relax\AppData\Local
LOGONSERVER=\\IMOTIVATION
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\system32\wbem;C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\QuickTime\QTSystem;C:\PROGRA~1\DISKEE~1\DISKEE~1
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 72 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=4802
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\Java\jre1.6.0\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Relax\AppData\Local\Temp
TMP=C:\Users\Relax\AppData\Local\Temp
USERDOMAIN=iMotivation
USERNAME=Relax
USERPROFILE=C:\Users\Relax
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

Relax (admin)
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\InstallShield Installation Information\{A644254B-92F6-4970-8635-AB0775371E72}\setup.exe" --u:{A644254B-92F6-4970-8635-AB0775371E72}
--> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\Windows\UNNeroBackItUp.exe /UNINSTALL
--> C:\Windows\UNNeroMediaHome.exe /UNINSTALL
--> C:\Windows\UNNeroShowTime.exe /UNINSTALL
--> C:\Windows\UNNeroVision.exe /UNINSTALL
--> C:\Windows\UNRecode.exe /UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{622E6F16-0904-49B6-BBE1-4CC836314CCF}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{697AFC77-F318-4CD4-BF16-F50F4C1072DA}\setup.exe" -l0x9
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) --> MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player 9 ActiveX --> C:\Windows\system32\Macromed\Flash\UninstFl.exe -q
Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Reader 8.1.2 Security Update 1 (KB403742) -->
Adobe Shockwave Player --> C:\Windows\System32\Adobe\SHOCKW~1\UNWISE.EXE C:\Windows\System32\Adobe\SHOCKW~1\Install.log
ALPS Touch Pad Driver --> C:\Program Files\Apoint2K\Uninstap.exe ADDREMOVE
AnyDVD --> "C:\Program Files\SlySoft\AnyDVD\AnyDVD-uninst.exe" /D="C:\Program Files\SlySoft\AnyDVD"
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
Atheros Driver Installation Program --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{28006915-2739-4EBE-B5E8-49B25D32EB33}\setup.exe" -l0x9 -removeonly
ATI Uninstaller --> C:\Program Files\ATI\CIM\Bin\Atisetup.exe -uninstall all
Bejeweled 2 Deluxe --> "C:\Program Files\TOSHIBA Games\Bejeweled 2 Deluxe\Uninstall.exe"
Blackhawk Striker 2 --> "C:\Program Files\TOSHIBA Games\Blackhawk Striker 2\Uninstall.exe"
Blasterball 3 --> "C:\Program Files\TOSHIBA Games\Blasterball 3\Uninstall.exe"
Bluetooth Stack for Windows by Toshiba --> MsiExec.exe /X{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}
Camera Assistant Software for Toshiba --> C:\Program Files\InstallShield Installation Information\{37C866E4-AA67-4725-9E95-A39968DD7960}\setup.exe -runfromtemp -l0x0009
CD/DVD Drive Acoustic Silencer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}\setup.exe" -l0x9
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Creative Jukebox Driver --> C:\Windows\UNWISE.EXE C:\Windows\JB3DRV.LOG
Creative NOMAD Jukebox Zen Xtra --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{66F324A1-BDC0-11D7-9E5C-00D0B76A8705}\SETUP.EXE" -l0x9
Diner Dash - Flo on the Go --> "C:\Program Files\TOSHIBA Games\Diner Dash - Flo on the Go\Uninstall.exe"
Diskeeper 2008 Pro Premier --> MsiExec.exe /X{B695F0BF-D610-4C5E-B7AC-C9FF6C172CC0}
DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
DVD MovieFactory for TOSHIBA --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F214EAA4-A069-4BAF-9DA4-4DB8BEEDE485}\setup.exe" -l0x9
FATE --> "C:\Program Files\TOSHIBA Games\FATE\Uninstall.exe"
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java DB 10.3.1.4 --> MsiExec.exe /X{CD49361E-3FE6-457E-90A1-9C59E29B5D02}
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Java™ SE Development Kit 6 Update 7 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160070}
LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Mah Jong Quest --> "C:\Program Files\TOSHIBA Games\Mah Jong Quest\Uninstall.exe"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Medal of Honor Allied Assault --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0DEA94ED-915A-4834-A87E-388D012C8E02}\Setup.exe" -l0x9
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs --> MsiExec.exe /X{90120000-00B2-0409-0000-0000000FF1CE}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Works --> MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
Mozilla Firefox (3.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB927978) --> MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
Nero 7 Ultra Edition --> MsiExec.exe /I{235BBFC6-D863-4066-A01A-3BD504C31033}
oggcodecs 0.71.0946 --> C:\Program Files\illiminable\oggcodecs\uninst.exe
PCsync --> MsiExec.exe /X{3AF1FB80-21BD-4715-8EE2-AB77925519D9}
Penguins! --> "C:\Program Files\TOSHIBA Games\Penguins!\Uninstall.exe"
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
Polar Bowler --> "C:\Program Files\TOSHIBA Games\Polar Bowler\Uninstall.exe"
Polar Golfer --> "C:\Program Files\TOSHIBA Games\Polar Golfer\Uninstall.exe"
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista --> C:\Program Files\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\setup.exe -runfromtemp -l0x0009 -removeonly
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
Return to Castle Wolfenstein --> C:\PROGRA~1\RETURN~1\Uninstall\Unwise.exe /u C:\PROGRA~1\RETURN~1\Uninstall\Install.log
Samsung USB Driver (MCCI 4.34) WHQL v3.0 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{FAD03728-DA19-4313-959F-872A9C432A86}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Excel 2007 (KB946974) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Microsoft Office Publisher 2007 (KB950114) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Office 2007 (KB947801) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Security Update for Visio 2007 (KB947590) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41}
Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Spelling Dictionaries Support For Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Symantec AntiVirus --> MsiExec.exe /I{7C9E6E52-EB11-44DB-A761-82D5D873A8D9}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Tag&Rename 3.4.6 --> "C:\Program Files\TagRename\unins000.exe"
Texas Instruments PCIxx21/x515/xx12 drivers. --> C:\Program Files\InstallShield Installation Information\{DB780B85-B4B5-4864-A49C-9B706B169C93}\setup.exe -runfromtemp -l0x0409
TOSHIBA Assist --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{12B3A009-A080-4619-9A2A-C6DB151D8D67}\setup.exe" -l0x9
TOSHIBA ConfigFree --> C:\Program Files\InstallShield Installation Information\{78C6A78A-8B03-48C8-A47C-78BA1FCA2307}\setup.exe -runfromtemp -l0x0009 uninstall -removeonly
TOSHIBA Disc Creator --> MsiExec.exe /X{5DA0E02F-970B-424B-BF41-513A5018E4C0}
TOSHIBA DVD PLAYER --> C:\Program Files\InstallShield Installation Information\{6C5F3BDC-0A1B-4436-A696-5939629D5C31}\setup.exe -runfromtemp -l0x0009 -ADDREMOVE -removeonly
TOSHIBA Extended Tiles for Windows Mobility Center --> C:\Program Files\InstallShield Installation Information\{617C36FD-0CBE-4600-84B2-441CEB12FADF}\setup.exe -runfromtemp -l0x0409
TOSHIBA Flash Cards Support Utility --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{620BBA5E-F848-4D56-8BDA-584E44584C5E}
TOSHIBA Game Console --> "C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\Uninstall.exe"
TOSHIBA Hardware Setup --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{5279374D-87FE-4879-9385-F17278EBB9D3} /l1033
TOSHIBA Media Center Game Console --> "C:\Program Files\TOSHIBA Games\TOSHIBA Media Center Game Console\Uninstall.exe"
TOSHIBA Music --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0E9C4531-58C4-4349-AD2F-A4D999E451EC}\setup.exe" -l0x9 -removeonly
Toshiba Registration --> MsiExec.exe /I{C53D16CC-E56F-47B8-906E-70AAF8EABB4F}
TOSHIBA SD Memory Utilities --> MsiExec.exe /X{EBFF48F5-3CFA-436F-8FD5-94FB01D3A0A7}
TOSHIBA Software Modem --> Tosmreg -U
TOSHIBA Software Upgrades --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{425A2BC2-AA64-4107-9C29-484245BBEA05}\setup.exe" -l0x9 -removeonly
TOSHIBA Speech System Applications --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EE033C1F-443E-41EC-A0E2-559B539A4E4D}\Setup.exe" -l0x9
TOSHIBA Speech System SR Engine(U.S.) Version1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{008D69EB-70FF-46AB-9C75-924620DF191A}\Setup.exe" -l0x9 UNINSTALL
TOSHIBA Speech System TTS Engine(U.S.) Version1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3FBF6F99-8EC6-41B4-8527-0A32241B5496}\Setup.exe" -l0x9
TOSHIBA Supervisor Password --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE} /l1033
TOSHIBA Value Added Package --> C:\Program Files\InstallShield Installation Information\{FEDD27A0-B306-45EF-BF58-B527406B42C8}\setup.exe -runfromtemp -l0x0409
Update for Microsoft Office Outlook 2007 (KB952142) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {4AD3A076-427C-491F-A5B7-7D1DE788A756}
Update for Office 2007 (KB946691) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb953463) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {1B78D541-9FF1-4330-ADD8-CED14F0C1E8E}
VideoLAN VLC media player 0.8.6d --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
WeatherBug --> C:\PROGRA~1\AWS\WEATHE~1\REMOVE.EXE C:\PROGRA~1\AWS\WEATHE~1\INSTALL.LOG
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Player Firefox Plugin --> MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type9007 / Success
Event Submitted/Written: 07/26/2008 10:39:38 AM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type9004 / Success
Event Submitted/Written: 07/26/2008 10:39:30 AM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type8999 / Success
Event Submitted/Written: 07/26/2008 10:39:13 AM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.

Event Record #/Type8988 / Warning
Event Submitted/Written: 07/26/2008 10:36:57 AM
Event ID/Source: 1530 / profsvc
Event Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
2 user registry handles leaked from \Registry\User\S-1-5-21-2006963385-2361076624-1265950325-1000_Classes:
Process 980 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2006963385-2361076624-1265950325-1000_CLASSES
Process 1868 (\Device\HarddiskVolume2\Windows\System32\spoolsv.exe) has opened key \REGISTRY\USER\S-1-5-21-2006963385-2361076624-1265950325-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

Event Record #/Type8987 / Warning
Event Submitted/Written: 07/26/2008 10:36:56 AM
Event ID/Source: 1530 / profsvc
Event Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-2006963385-2361076624-1265950325-1000:
Process 980 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2006963385-2361076624-1265950325-1000



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type69298 / Error
Event Submitted/Written: 07/26/2008 10:39:47 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
Parallel port driver%%1058

Event Record #/Type69257 / Error
Event Submitted/Written: 07/26/2008 10:39:16 AM
Event ID/Source: 72 / Print
Event Description:
Windows could not initialize printer Journal Note Writer because the print processor JournalPrint could not be found. Please obtain and install a new version of the driver from the manufacturer (if available), or choose an alternate driver that works with this print device.

Event Record #/Type69256 / Error
Event Submitted/Written: 07/26/2008 10:39:00 AM
Event ID/Source: 15016 / HTTP
Event Description:
\Device\Http\ReqQueueKerberos

Event Record #/Type69238 / Warning
Event Submitted/Written: 07/26/2008 10:37:16 AM
Event ID/Source: 4001 / Microsoft-Windows-WLAN-AutoConfig
Event Description:


Event Record #/Type69200 / Warning
Event Submitted/Written: 07/26/2008 09:14:10 AM
Event ID/Source: 19 / Microsoft-Windows-WHEA-Logger
Event Description:
10x120x940061000003e2080x500804e3060x0925625625625602561730435045520102FFFFFFFF03000200000002000000C2060000080E0D001A0708140000000000000000000000000000000000000000000000000000000000000000BDC407CF89B7184EB3C41F732CB57131FE6FF5E89C91C54CBA8865ABE14913BB0F958DF5DCECC80100000000000000000000000000000000000000000000000058010000C00000000102000001000000ADCC7698B447DB4BB65E16F193C4F3DB0000000000000000000000000000000002000000000000000000000000000000000000000000000018020000920200000102000000000000D5560F3986CA494695C473A408AE583400000000000000000000000000000000020000000000000000000000000000000000000000000000AA040000180200000102000000000000E95412E7B9C14049AB76909703A4320F00000000000000000000000000000000020000000000000000000000000000000000000000000000D7010000000000000000000008000000820F040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000030100000000000001000000000000000008020101200000FFFB8B17B025E1810000000000000000000000000000000000000000000000000000000000000000B3F8F31CB1C5A249AA595EEF92FFA63C02000000000000009F073DE20300000006E3040850000000000000000000000000000000000000000000000000000000010008008001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000045725074000000001802000000010000000000000000000000000000000000000000000002000000000000000100000000000000020000000100000000000000D7010000000000000000000008000000820F0400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000920300000100000001000000605DB37C21EFC8010000000000000000020000000000000008E203000061009406E304085000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000



-- End of Deckard's System Scanner: finished at 2008-07-26 10:47:03 ------------

#10 iMotivation

iMotivation
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:04:40 PM

Posted 13 August 2008 - 04:53 PM

Hi. I haven't received a reply in a long time. Are my issues resolved?

#11 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,935 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hamburg
  • Local time:10:40 PM

Posted 14 August 2008 - 12:19 AM

iMotivation,

I am very sorry. It seems I did not receive notification of your last reply. I have to go to work now and will be on a function after work, but shall reply late tonight or latest tomorrow morning my time.

Again, apologies for this. I have no idea how it slipped through :thumbsup: .

Yourhighness

- edit - can you please also give me an update on how your pc is doing?

Edited by Yourhighness, 14 August 2008 - 12:22 AM.

"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image


#12 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,935 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hamburg
  • Local time:10:40 PM

Posted 14 August 2008 - 03:12 PM

Hi,

along with the above requested, please do the following steps:

Step #1

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
Step #2

Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint Media Player

Step #3

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BAC0000\4BFED095.VBN
    C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\118C0000\59EF9EC0.VBN
    C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\118C0001\59EF9F50.VBN
    C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11C40000\57C57C3A.VBN
    C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\125C0000\57DD0EEE.VBN
    C:\QooBox\Quarantine\C\Windows\System32\byXOeCuV.dll.vir
    C:\QooBox\Quarantine\C\Windows\System32\qoMgdeDW.dll.vir
    C:\QooBox\Quarantine\C\Windows\System32\svofevow.dll.vir
    C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BAC0000\4BFED095.VBN
    C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\118C0000\59EF9EC0.VBN
    C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\118C0001\59EF9F50.VBN
    C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11C40000\57C57C3A.VBN
    C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\125C0000\57DD0EEE.VBN
  • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Edited by Yourhighness, 14 August 2008 - 03:14 PM.

"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image


#13 iMotivation

iMotivation
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:04:40 PM

Posted 16 August 2008 - 06:55 PM

Thank you for getting back to me. I wasn't sure if anyone was going to. I uninstalled all versions of Java and installed the one you indicated. OTMoveIt2 was able to successful remove the quarantined items. Below is the information you wanted from that program. Thank you very much for you help so far!

File/Folder C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BAC0000\4BFED095.VBN not found.
File/Folder C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\118C0000\59EF9EC0.VBN not found.
File/Folder C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\118C0001\59EF9F50.VBN not found.
File/Folder C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11C40000\57C57C3A.VBN not found.
File/Folder C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\125C0000\57DD0EEE.VBN not found.
File/Folder C:\QooBox\Quarantine\C\Windows\System32\byXOeCuV.dll.vir not found.
File/Folder C:\QooBox\Quarantine\C\Windows\System32\qoMgdeDW.dll.vir not found.
File/Folder C:\QooBox\Quarantine\C\Windows\System32\svofevow.dll.vir not found.
File/Folder C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BAC0000\4BFED095.VBN not found.
File/Folder C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\118C0000\59EF9EC0.VBN not found.
File/Folder C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\118C0001\59EF9F50.VBN not found.
File/Folder C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11C40000\57C57C3A.VBN not found.
File/Folder C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\125C0000\57DD0EEE.VBN not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08162008_195239

#14 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,935 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hamburg
  • Local time:10:40 PM

Posted 18 August 2008 - 04:24 PM

hi imotivation,

lets go on and do this:

Please go to Eset Onlinescan (NOD32)
(You need to use InternetExplorer or enable IEView in Firefox)
  • You will then see the Terms of Use, tick the check-box infront of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
    • Click into the text area, right-click and chose "select all" (or use ctrl+a)
    • Right-click again and chose "copy" (or ctrl+c)
    • Close Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)

"How did I get infected?" - "Safe-hex" - Member of UNITE -
Posted Image


#15 iMotivation

iMotivation
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:04:40 PM

Posted 18 August 2008 - 06:26 PM

Here's the log.

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3365 (20080818)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=58c45eae1af16a4a95425229a4f0bebd
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-08-18 11:15:05
# local_time=2008-08-18 07:15:05 (-0500, Eastern Daylight Time)
# country="United States"
# osver=6.0.6001 NT Service Pack 1
# scanned=309031
# found=0
# scan_time=4599




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users