
Infected With Willpolo.vbs


  • This topic is locked
2 replies to this topic

#1 catalina_buga

catalina_buga

  • Members
  • 1 posts
  • OFFLINE
  • Gender:Female
  • Location:iasi
  • Local time:12:08 PM

Posted 15 April 2008 - 03:29 PM

Hello, I'm stuck with some kind of virus (willpolo.vbs - Generic Scriptworm.790130B9 - this is what BitDefender shows me when I perform a scan). It keeps popping up. I've tried to delete it with no success. Please tell me what to do. Thank you :thumbsup:

Deckard's System Scanner v20071014.68
Run by Florin Lupu on 2004-04-15 23:11:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
8: 2004-04-15 20:11:49 UTC - RP9 - Deckard's System Scanner Restore Point
7: 2004-04-15 19:48:09 UTC - RP8 - Uniblue RegistryBooster
6: 2004-04-15 08:18:46 UTC - RP7 - Installed Microsoft Office XP Professional with FrontPage
5: 2004-04-15 08:14:11 UTC - RP6 - Installed Microsoft Office XP Professional with FrontPage
4: 2004-04-14 19:12:28 UTC - RP5 - Installed Windows Media Format 9 Series Runtime Setup


-- First Restore Point --
1: 2004-04-14 18:41:26 UTC - RP2 - Update to an unsigned driver


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2004-04-15 23:13:18
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscript.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\TV Capture Card\RecSche.EXE
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdoesrv.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Softwin\BitDefender8\bdswitch.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender8\vsserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\Documents and Settings\Florin Lupu\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Piraté par WillPolo ---- Ingénieur en hacking -------- bleep u ----------
O4 - HKLM\..\Run: [WillPolo] C:\WINDOWS\WillPolo.vbs
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RecSche] C:\TV Capture Card\RecSche.exe /Startup
O4 - HKLM\..\Run: [WinDVRCtrl] C:\WINDOWS\WDVRCtrl.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDOESRV] C:\Program Files\Softwin\BitDefender8\\bdoesrv.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\Program Files\Softwin\BitDefender8\bdnagent.exe
O4 - HKLM\..\Run: [BDSwitchAgent] C:\Program Files\Softwin\BitDefender8\\bdswitch.exe
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/flash...ent/swflash.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{CA589C75-CB19-44DA-B2AC-3E8940E1A8DA}: NameServer = 86.124.48.98 86.124.48.50
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - AppInit_DLLs: sockspy.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender8\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe


--
End of file - 5359 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 Cap7134 (TV Capture Card WDM Video Capture) - c:\windows\system32\drivers\cap7134.sys <Not Verified; Animation Technologies Inc.; LifeView FlyVideo>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
R3 PhTVTune (TV Capture Card WDM TV Tuner) - c:\windows\system32\drivers\phtvtune.sys <Not Verified; Animation Technologies Inc.; LifeView FlyVideo>

S2 FILESpy - c:\program files\softwin\bitdefender8\filespy.sys (file missing)
S2 OMSCAN - \sysy? (file missing)
S2 REGSpy - c:\program files\softwin\bitdefender8\regspy.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2004-03-15 and 2004-04-15 -----------------------------

2004-09-02 18:02:00 61440 --a------ C:\WINDOWS\system32\sockspy.dll
2004-08-04 00:56:44 181760 --a------ C:\WINDOWS\system32\Ir50_qcx.dll <Not Verified; Ligos Corporation; Ligos Indeo® Video 5.11 Quick Compressor>
2004-08-04 00:56:44 198144 --a------ C:\WINDOWS\system32\Ir50_qc.dll <Not Verified; Ligos Corporation; Ligos Indeo® Video 5.11 Quick Compressor>
2004-08-04 00:56:44 746496 --a------ C:\WINDOWS\system32\Ir50_32.dll <Not Verified; Ligos Corporation; Ligos Indeo XP (Indeo® Video 5.2)>
2004-04-15 22:47:05 0 d-------- C:\Documents and Settings\Florin Lupu\Application Data\Uniblue
2004-04-15 22:47:01 0 d-------- C:\Program Files\Uniblue
2004-04-15 15:34:59 0 d-------- C:\Documents and Settings\Florin Lupu\Application Data\Adobe
2004-04-15 11:43:13 0 d-------- C:\Documents and Settings\Florin Lupu\Application Data\Macromedia
2004-04-15 11:42:32 0 d---s---- C:\Documents and Settings\Florin Lupu\UserData
2004-04-15 11:41:45 11776 --a------ C:\WINDOWS\system32\3.dat <Not Verified; ; Basic Example Plugin for Mozilla>
2004-04-15 11:41:44 139 --a------ C:\WINDOWS\system32\29.dat
2004-04-15 11:41:43 6656 --a------ C:\WINDOWS\system32\1801.dat
2004-04-15 00:04:35 0 dr-h----- C:\Documents and Settings\Default User.WINDOWS\Local Settings
2004-04-15 00:04:35 0 d--h----- C:\Documents and Settings\All Users.WINDOWS\Templates
2004-04-15 00:04:35 0 dr------- C:\Documents and Settings\All Users.WINDOWS\Start Menu
2004-04-15 00:04:35 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Favorites
2004-04-15 00:04:35 0 dr------- C:\Documents and Settings\All Users.WINDOWS\Documents
2004-04-15 00:04:35 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Desktop
2004-04-15 00:04:34 0 d--h----- C:\Documents and Settings\Default User.WINDOWS\Templates
2004-04-15 00:04:34 0 dr------- C:\Documents and Settings\Default User.WINDOWS\Start Menu
2004-04-15 00:04:34 0 dr-h----- C:\Documents and Settings\Default User.WINDOWS\SendTo
2004-04-15 00:04:34 0 d--h----- C:\Documents and Settings\Default User.WINDOWS\Recent
2004-04-15 00:04:34 0 d--h----- C:\Documents and Settings\Default User.WINDOWS\PrintHood
2004-04-15 00:04:34 0 d--h----- C:\Documents and Settings\Default User.WINDOWS\NetHood
2004-04-15 00:04:34 0 d-------- C:\Documents and Settings\Default User.WINDOWS\My Documents
2004-04-15 00:04:34 0 d-------- C:\Documents and Settings\Default User.WINDOWS\Favorites
2004-04-15 00:04:34 0 d-------- C:\Documents and Settings\Default User.WINDOWS\Desktop
2004-04-15 00:04:34 0 d---s---- C:\Documents and Settings\Default User.WINDOWS\Cookies
2004-04-15 00:02:59 0 dr-h----- C:\Documents and Settings\Default User.WINDOWS\Application Data
2004-04-15 00:02:59 0 d---s---- C:\Documents and Settings\Default User.WINDOWS\Application Data\Microsoft
2004-04-15 00:02:58 0 dr-h----- C:\Documents and Settings\All Users.WINDOWS\Application Data
2004-04-15 00:02:58 0 d---s---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft
2004-04-14 22:40:28 2916352 -----n--- C:\WINDOWS\UNNMP.exe <Not Verified; Nero AG; Nero Web Engine>
2004-04-14 22:13:34 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe <Not Verified; Ahead Software Gmbh; Ahead Software Gmbh NeroCheck>
2004-04-14 22:12:05 2969600 -----n--- C:\WINDOWS\UNNeroVision.exe <Not Verified; Nero AG; Nero Web Engine>
2004-04-14 22:11:36 364544 -----n--- C:\WINDOWS\system32\TwnLib4.dll <Not Verified; Pegasus Imaging Corp.; TwnLib4>
2004-04-14 22:11:36 471040 -----n--- C:\WINDOWS\system32\ImagXRA7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2004-04-14 22:11:36 262144 -----n--- C:\WINDOWS\system32\ImagXR7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2004-04-14 22:11:36 1568768 -----n--- C:\WINDOWS\system32\ImagX7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2004-04-14 22:11:36 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Ahead
2004-04-14 22:11:35 106496 --a------ C:\WINDOWS\system32\TwnLib20.dll <Not Verified; Pegasus Software; TWNLIB20>
2004-04-14 22:11:35 38912 -----n--- C:\WINDOWS\system32\picn20.dll <Not Verified; Pegasus Imaging Corp.; PEGASUS>
2004-04-14 22:00:21 0 d-------- C:\NVIDIA
2004-04-14 21:57:09 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\ACD Systems
2004-04-14 21:57:06 9856 --a------ C:\WINDOWS\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
2004-04-14 21:42:00 19616 -ra------ C:\WINDOWS\system32\drivers\PhTVTune.sys <Not Verified; Animation Technologies Inc.; LifeView FlyVideo>
2004-04-14 21:41:35 32768 -ra------ C:\WINDOWS\system32\Prop7134.dll <Not Verified; Philips Semiconductors; Philips CSH Prop7134>
2004-04-14 21:41:35 449888 -ra------ C:\WINDOWS\system32\drivers\Cap7134.sys <Not Verified; Animation Technologies Inc.; LifeView FlyVideo>
2004-04-14 21:31:22 30208 --a------ C:\WINDOWS\system32\wdmioctl.dll <Not Verified; Analog Devices Inc.; Analog Devices Inc. wdmioctl>
2004-04-14 21:31:22 1285632 --a------ C:\WINDOWS\system32\SMMedia.dll <Not Verified; Analog Devices; SoundMAX Integrated Digital Audio>
2004-04-14 21:31:21 978944 --a------ C:\WINDOWS\SynthCoreA.Dll <Not Verified; Analog Devices, Inc.; SoundMAX Wavetable>
2004-04-14 21:31:20 380928 --a------ C:\WINDOWS\SynCor.exe <Not Verified; Analog Devices, Inc.; SynthCore>
2004-04-14 21:31:19 45056 --a------ C:\WINDOWS\system32\SynthCore11Resources.dll <Not Verified; Analog Devices, Inc.; Analog Devices, Inc. SynthCore11Resources>
2004-04-14 21:31:19 40820 --a------ C:\WINDOWS\system32\Syncor11.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>
2004-04-14 21:31:19 49152 --a------ C:\WINDOWS\system32\S11thk32.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>
2004-04-14 21:31:17 765952 --a------ C:\WINDOWS\system\crlds3d.dll <Not Verified; Sensaura Ltd; Sensaura 3DPA>
2004-04-14 21:31:14 44 --a------ C:\WINDOWS\system32\msssc.dll
2004-04-14 21:31:14 49152 --a------ C:\WINDOWS\system32\DSndUp.exe <Not Verified; Analog Devices Inc.; adi DSndUp>
2004-04-14 21:31:14 45056 --a------ C:\WINDOWS\system32\CleanUp.exe <Not Verified; adi; adi CleanUp>
2004-04-14 21:28:16 306688 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
2004-04-14 21:28:08 0 d-------- C:\Documents and Settings\Florin Lupu\WINDOWS
2004-04-14 21:27:51 5824 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2004-04-14 21:25:53 6848 -rahs---- C:\WINDOWS\WillPolo.vbs
2004-04-14 21:23:33 0 d-------- C:\Documents and Settings\Florin Lupu\Application Data\Identities
2004-04-14 21:23:14 0 dr-h----- C:\Documents and Settings\Florin Lupu\Application Data
2004-04-14 21:23:13 0 d--h----- C:\Documents and Settings\Florin Lupu\Templates
2004-04-14 21:23:13 0 dr------- C:\Documents and Settings\Florin Lupu\Start Menu
2004-04-14 21:23:13 0 dr-h----- C:\Documents and Settings\Florin Lupu\SendTo
2004-04-14 21:23:13 0 dr-h----- C:\Documents and Settings\Florin Lupu\Recent
2004-04-14 21:23:13 0 d--h----- C:\Documents and Settings\Florin Lupu\PrintHood
2004-04-14 21:23:13 1310720 --ah----- C:\Documents and Settings\Florin Lupu\NTUSER.DAT
2004-04-14 21:23:13 0 d--h----- C:\Documents and Settings\Florin Lupu\NetHood
2004-04-14 21:23:13 0 dr------- C:\Documents and Settings\Florin Lupu\My Documents
2004-04-14 21:23:13 0 d--h----- C:\Documents and Settings\Florin Lupu\Local Settings
2004-04-14 21:23:13 0 dr------- C:\Documents and Settings\Florin Lupu\Favorites
2004-04-14 21:23:13 0 d-------- C:\Documents and Settings\Florin Lupu\Desktop
2004-04-14 21:23:13 0 d---s---- C:\Documents and Settings\Florin Lupu\Cookies
2004-04-14 21:21:14 262144 --ah----- C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT
2004-04-14 21:21:14 0 d--h----- C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings
2004-04-14 21:21:14 0 d---s---- C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies
2004-04-14 21:21:14 0 d-------- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data
2004-04-14 21:21:14 0 d---s---- C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\Microsoft
2004-04-14 21:21:03 262144 --ah----- C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT
2004-04-14 21:21:03 0 d--h----- C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings
2004-04-14 21:21:03 0 d---s---- C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies
2004-04-14 21:21:03 0 d-------- C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data
2004-04-14 21:21:03 0 d---s---- C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data\Microsoft
2004-04-14 21:18:24 225280 ---h----- C:\Documents and Settings\Default User.WINDOWS\NTUSER.DAT
2004-04-14 21:16:41 0 d--hs---- C:\Documents and Settings\All Users.WINDOWS\DRM
2004-04-14 21:14:10 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat


-- Find3M Report ---------------------------------------------------------------

2004-04-15 23:14:42 6848 -rahs---- C:\WillPolo.vbs
2004-04-15 00:04:34 62 --ahs---- C:\Documents and Settings\Florin Lupu\Application Data\desktop.ini
2004-04-14 22:39:57 0 d-------- C:\Program Files\Common Files\LightScribe
2004-04-14 22:31:03 0 d-------- C:\Program Files\Ahead
2004-04-14 22:06:19 0 d-------- C:\Program Files\WinISO
2004-04-14 22:03:47 0 d-------- C:\Program Files\Winamp
2004-04-14 22:00:05 0 d-------- C:\Program Files\K-Lite Codec Pack
2004-04-14 21:57:20 0 d-------- C:\Program Files\Common Files\ACD Systems
2004-04-14 21:13:33 0 d-------- C:\Program Files\Messenger
2004-04-13 05:02:31 0 d-------- C:\Program Files\BitComet
2004-03-26 06:35:18 0 d-------- C:\Program Files\oDC
2004-03-14 11:20:58 0 d-------- C:\Program Files\ImTOO
2004-03-14 11:02:50 0 d-------- C:\Program Files\Xilisoft
2004-03-13 22:19:25 0 d-------- C:\Program Files\Plato Video To 3GP Converter
2004-03-09 07:19:47 0 d-------- C:\Program Files\LG Electronics
2004-03-09 07:19:47 0 d--h----- C:\Program Files\InstallShield Installation Information
2004-03-09 07:18:51 0 d-------- C:\Program Files\LGE GSM PC Sync


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WillPolo"="C:\WINDOWS\WillPolo.vbs" [04/15/2004 11:14 PM]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [05/05/2003 08:57 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [03/24/2004 10:04 AM]
"nwiz"="nwiz.exe" [03/24/2004 10:04 AM C:\WINDOWS\system32\nwiz.exe]
"RecSche"="C:\TV Capture Card\RecSche.exe" [12/11/2002 07:00 PM]
"WinDVRCtrl"="C:\WINDOWS\WDVRCtrl.exe" []
"ScanRegistry"="C:\W" []
"BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe" [04/15/2004 11:50 AM]
"BDOESRV"="C:\Program Files\Softwin\BitDefender8\\bdoesrv.exe" [04/15/2004 11:50 AM]
"BDNewsAgent"="C:\Program Files\Softwin\BitDefender8\bdnagent.exe" [04/15/2004 11:50 AM]
"BDSwitchAgent"="C:\Program Files\Softwin\BitDefender8\\bdswitch.exe" [04/15/2004 11:50 AM]
"Device Detector"="C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" [09/17/2003 05:39 PM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [03/24/2004 10:04 AM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [11/14/2003 11:14 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [08/05/2005 08:35 PM]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [04/02/2008 09:49 AM]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 12:01:04 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= sockspy.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9950e22c-8f07-11d8-9347-0050fce1aa93}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe WillPolo.vbs




-- End of Deckard's System Scanner: finished at 2004-04-15 23:16:48 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ XP 2200+
Percentage of Memory in Use: 50%
Physical Memory (total/avail): 511.53 MiB / 254.25 MiB
Pagefile Memory (total/avail): 1250.26 MiB / 975.91 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1909.3 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 5.09 GiB total, 0.86 GiB free.
D: is Fixed (FAT32) - 33.19 GiB total, 0.93 GiB free.
E: is Removable (FAT32)
F: is CDROM (No Media)
G: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 6E040L0 - 38.29 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 5.09 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 33.2 GiB - D:

\\.\PHYSICALDRIVE1 - Corsair Flash Voyager USB Device - 3.75 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 3.75 GiB - E:



-- Security Center -------------------------------------------------------------

Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: BitDefender 8 Professional Plus v7.2 (Softwin)
AV: BitDefender 8 Professional Plus v7.2 (Softwin)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINDOWS
APPDATA=C:\Documents and Settings\Florin Lupu\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HOME-8C7274A700
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Florin Lupu
LOGONSERVER=\\HOME-8C7274A700
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\FLORIN~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\FLORIN~1\LOCALS~1\Temp
USERDOMAIN=HOME-8C7274A700
USERNAME=Florin Lupu
USERPROFILE=C:\Documents and Settings\Florin Lupu
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Florin Lupu (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNNMP.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ACDSee 6.0 PowerPack --> MsiExec.exe /I{38A0BB97-772D-422E-BCCA-4BA2A5D81F42}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
BitDefender 8 Professional Plus --> MsiExec.exe /I{5BBD5CAB-8775-4621-88D4-B5DEFF9FE878}
K-Lite Codec Pack 2.20 Full --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Nero Suite --> C:\Program Files\Common Files\Nero\Uninstall\Setupx.exe /uninstall ExtraUninstallID=""
NVIDIA Display Driver --> C:\WINDOWS\system32\nvudisp.exe Uninstall C:\WINDOWS\system32\nvdisp.nvu,NVIDIA Display Driver
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
Uniblue RegistryBooster 2 --> "C:\Program Files\Uniblue\RegistryBooster 2\unins000.exe"
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
WinISO 5.3 --> "C:\Program Files\WinISO\unins000.exe"
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type86 / Warning
Event Submitted/Written: 04/15/2004 11:22:34 AM
Event ID/Source: 5603 / WinMgmt
Event Description:
A provider, OffProv10, has been registered in the WMI namespace, Root\MSAPPS10, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Event Record #/Type85 / Warning
Event Submitted/Written: 04/15/2004 11:22:34 AM
Event ID/Source: 5603 / WinMgmt
Event Description:
A provider, OffProv10, has been registered in the WMI namespace, Root\MSAPPS10, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Event Record #/Type77 / Error
Event Submitted/Written: 04/15/2004 11:11:14 AM
Event ID/Source: 11305 / MsiInstaller
Event Description:
Product: Microsoft Office XP Professional with FrontPage -- Error 1305. Setup cannot read file C:\Program Files\Common Files\Microsoft Shared\Proof\MSWDS_EN.LEX. Check your connection to the network, or CD-ROM drive. For other potential solutions to this problem, see F:\FILES\PFILES\MSOFFICE\OFFICE10\1033\SETUP.HLP.

Event Record #/Type60 / Error
Event Submitted/Written: 04/14/2004 10:39:56 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application Setupx.exe, version 1.2.3.70, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type18 / Warning
Event Submitted/Written: 04/14/2004 09:17:28 PM
Event ID/Source: 5603 / WinMgmt
Event Description:
A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type640 / Error
Event Submitted/Written: 04/15/2004 10:44:39 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The REGSpy service failed to start due to the following error:
%%2

Event Record #/Type639 / Error
Event Submitted/Written: 04/15/2004 10:44:39 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The FILESpy service failed to start due to the following error:
%%2

Event Record #/Type630 / Error
Event Submitted/Written: 04/15/2004 10:44:34 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The REGSpy service failed to start due to the following error:
%%2

Event Record #/Type629 / Error
Event Submitted/Written: 04/15/2004 10:44:33 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The FILESpy service failed to start due to the following error:
%%2

Event Record #/Type628 / Error
Event Submitted/Written: 04/15/2004 10:44:33 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The OMSCAN service failed to start due to the following error:
%%2



-- End of Deckard's System Scanner: finished at 2004-04-15 23:16:48 ------------



#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:08 PM

Posted 15 April 2008 - 04:20 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:


Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9950e22c-8f07-11d8-9347-0050fce1aa93}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\WillPolo
    C:\WINDOWS\WillPolo.vbs
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


=================



Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report in your next reply.
Also post a new HijackThis log.

Edited by Buckeye_Sam, 15 April 2008 - 04:20 PM.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
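As an added, defender-side example (not code from this thread, nor from OTMoveIt2, HijackThis or Deckard's System Scanner), the Python triage script below reads HijackThis-style log lines like the ones posted in the first message and flags the persistence points the fix list above targets: a Run key launching a Windows Script Host file, the MountPoints2 AutoRun command, and a hidden+system script file; it also flags the AppInit_DLLs entry. SAMPLE_LOG is a constructed subset modelled on that log, and the category tags, regexes and Finding class are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Extensions handled by the Windows Script Host, and the host binaries themselves.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# Constructed sample: a handful of lines in the shape of the log posted above,
# mixing benign entries (SoundMAX, NVIDIA, Yahoo) with the suspicious ones.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WillPolo] C:\WINDOWS\WillPolo.vbs
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O20 - AppInit_DLLs: sockspy.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe WillPolo.vbs
2004-04-14 21:25:53 6848 -rahs---- C:\WINDOWS\WillPolo.vbs
2004-04-14 21:31:22 30208 --a------ C:\WINDOWS\system32\wdmioctl.dll
"""

# Line shapes taken from the HijackThis clone and the file listing in the log.
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (.+)$")
AUTORUN_RE = re.compile(r"^AutoRun\\command-\s*(.+)$")
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+([-a-z]{9})\s+(.+)$")


@dataclass
class Finding:
    category: str   # short tag (assumed names) that a triage script can key on
    line: str       # the log line that triggered the finding
    reason: str     # human-readable explanation for the analyst


def invokes_script(cmd: str) -> bool:
    """True if a command line runs a WSH script directly or via wscript/cscript."""
    tokens = re.findall(r'"[^"]*"|\S+', cmd.lower())
    for tok in tokens:
        tok = tok.strip('"')
        if tok.endswith(SCRIPT_EXTS) or tok.rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
            return True
    return False


def analyze(log_text: str) -> list:
    """Walk the log once and collect findings; unknown line shapes are ignored."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            if invokes_script(cmd):
                findings.append(Finding("run_key_script", line,
                    f"{hive} Run entry '{name}' launches a Windows Script Host script"))
            continue
        m = O20_RE.match(line)
        if m:
            # AppInit_DLLs are loaded into every process that links user32.dll.
            findings.append(Finding("appinit_dll", line,
                f"AppInit_DLLs loads '{m.group(1).strip()}' into every user32-linked process"))
            continue
        m = AUTORUN_RE.match(line)
        if m:
            how = "a script" if invokes_script(m.group(1)) else "a command"
            findings.append(Finding("mountpoints_autorun", line,
                f"MountPoints2 AutoRun runs {how} when the drive is opened in Explorer"))
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.groups()
            # Hidden + system attributes on a script file are a classic hiding trick.
            if "h" in attrs and "s" in attrs and path.lower().endswith(SCRIPT_EXTS):
                findings.append(Finding("hidden_system_script", line,
                    "script file carrying hidden+system attributes"))
    return findings


def categories(findings) -> list:
    """Sorted, de-duplicated category tags, handy for a one-line summary."""
    return sorted({f.category for f in findings})


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.category}] {f.reason}\n    {f.line}")
```

Run against the full log from the first post, the same four categories come up; everything else in the log (SoundMAX, NVIDIA, BitDefender, Yahoo entries) passes through unflagged.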

#3 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:12:08 PM

Posted 12 May 2008 - 09:09 AM

As there has been no response, this thread will now be closed.

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.


========================================================



