Infected With Locked Viruses, Please Help.


  • This topic is locked
6 replies to this topic

#1 Dizzylizard

  • Members
  • 10 posts

Posted 16 April 2008 - 09:33 PM

I ran several virus scans (including AVG and Kaspersky) and spyware scans. Ad-Aware and Spybot S&D didn't find any spyware, AVG reported me clean, but Kaspersky's Online Scanner reported 2 viruses it couldn't clean. Here are the log files:

-------------------------------------BEGIN KASPERSKY SCAN LOG--------------------------------------------------------
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 16, 2008 9:09:54 PM
Operating System: Microsoft Windows Vista Home Edition, (Build 6000)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/04/2008
Kaspersky Anti-Virus database records: 711370
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 76606
Number of viruses found: 2
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 01:30:41

Infected Object Name / Virus Name / Last Action
C:\Program Files\InstallShield Installation Information\{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}\Setup.ilg Object is locked skipped
C:\Program Files\TightVNC-unstable\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 skipped
C:\Program Files\TightVNC-unstable\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.j skipped
C:\Program Files\WinLibre\Install\Tightvnc_En_1.3dev6.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 skipped
C:\Program Files\WinLibre\Install\Tightvnc_En_1.3dev6.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.j skipped
C:\Program Files\WinLibre\Install\Tightvnc_En_1.3dev6.exe Inno: infected - 2 skipped
C:\ProgramData\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\ProgramData\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\$Acer$.cmd Object is locked skipped
C:\ProgramData\Microsoft\User Account Pictures\Shevonte.dat Object is locked skipped
C:\ProgramData\Microsoft\Windows\DRM\Cache\Indiv01.tmp Object is locked skipped
C:\ProgramData\Microsoft\Windows\DRM\drmstore.hds Object is locked skipped
C:\Users\Dragon\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
C:\Users\Dragon\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat Object is locked skipped
C:\Users\Dragon\AppData\Local\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Users\Dragon\AppData\Local\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Users\Dragon\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
C:\Users\Dragon\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat Object is locked skipped
C:\Users\Dragon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Users\Dragon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Users\Dragon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat Object is locked skipped
C:\Users\Dragon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT Object is locked skipped
C:\Users\Dragon\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Users\Dragon\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
C:\Users\Dragon\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
C:\Users\Dragon\AppData\Local\Microsoft\Windows\UsrClass.dat{42fec25b-8690-11dc-a11e-001636f5153b}.TM.blf Object is locked skipped
C:\Users\Dragon\AppData\Local\Microsoft\Windows\UsrClass.dat{42fec25b-8690-11dc-a11e-001636f5153b}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Dragon\AppData\Local\Microsoft\Windows\UsrClass.dat{42fec25b-8690-11dc-a11e-001636f5153b}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Users\Dragon\AppData\Local\Microsoft\Windows Defender\FileTracker\{39ABD7A8-FE0B-46E1-8379-1C8F1657D4D4} Object is locked skipped
C:\Users\Dragon\AppData\Local\Microsoft\Windows Defender\FileTracker\{D3017C67-CABE-43D9-B426-FFDBB8E457F7} Object is locked skipped
C:\Users\Dragon\ntuser.dat Object is locked skipped
C:\Users\Dragon\ntuser.dat.LOG1 Object is locked skipped
C:\Users\Dragon\ntuser.dat.LOG2 Object is locked skipped
C:\Users\Dragon\NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TM.blf Object is locked skipped
C:\Users\Dragon\NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Users\Dragon\NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Users\Shevonte.Shevonte-PC\AppData\Local\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Users\Shevonte.Shevonte-PC\AppData\Local\Temp\wmplog00.sqm Object is locked skipped
C:\Users\Shevonte.Shevonte-PC\AppData\Local\Temp\wmplog01.sqm Object is locked skipped
C:\Users\Shevonte.Shevonte-PC\AppData\Local\Temp\wmplog02.sqm Object is locked skipped
C:\Windows\Debug\PASSWD.LOG Object is locked skipped
C:\Windows\Debug\sam.log Object is locked skipped
C:\Windows\Debug\WIA\wiatrace.log Object is locked skipped
C:\Windows\Internet Logs\ZALog2008.04.15.txt Object is locked skipped
C:\Windows\Logs\CBS\CBS.log Object is locked skipped
C:\Windows\Logs\CBS\CBS.persist.log Object is locked skipped
C:\Windows\Logs\DPX\setupact.log Object is locked skipped
C:\Windows\Logs\DPX\setuperr.log Object is locked skipped
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe.config Object is locked skipped
C:\Windows\Panther\UnattendGC\diagerr.xml Object is locked skipped
C:\Windows\Panther\UnattendGC\diagwrn.xml Object is locked skipped
C:\Windows\Panther\UnattendGC\setupact.log Object is locked skipped
C:\Windows\Panther\UnattendGC\setuperr.log Object is locked skipped
C:\Windows\security\database\secedit.sdb Object is locked skipped
C:\Windows\SoftwareDistribution\EventCache\{0751D7B5-C0D0-481B-AF0B-C08A3108DE11}.bin Object is locked skipped
C:\Windows\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
C:\Windows\System32\catroot2\edb.log Object is locked skipped
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\Windows\System32\config\COMPONENTS Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped
C:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped
C:\Windows\System32\config\DEFAULT Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped
C:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped
C:\Windows\System32\config\SAM Object is locked skipped
C:\Windows\System32\config\SAM.LOG1 Object is locked skipped
C:\Windows\System32\config\SAM.LOG2 Object is locked skipped
C:\Windows\System32\config\SECURITY Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped
C:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped
C:\Windows\System32\config\SOFTWARE Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped
C:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped
C:\Windows\System32\config\SYSTEM Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped
C:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{e301144a-c536-11dc-94a0-001636f5153b}.TxR.0.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{e301144a-c536-11dc-94a0-001636f5153b}.TxR.1.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{e301144a-c536-11dc-94a0-001636f5153b}.TxR.2.regtrans-ms Object is locked skipped
C:\Windows\System32\config\TxR\{e301144a-c536-11dc-94a0-001636f5153b}.TxR.blf Object is locked skipped
C:\Windows\System32\Ikeext.etl Object is locked skipped
C:\Windows\System32\restore\MachineGuid.txt Object is locked skipped
C:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped
C:\Windows\System32\sysprep\Panther\diagerr.xml Object is locked skipped
C:\Windows\System32\sysprep\Panther\diagwrn.xml Object is locked skipped
C:\Windows\System32\sysprep\Panther\setupact.log Object is locked skipped
C:\Windows\System32\sysprep\Panther\setuperr.log Object is locked skipped
C:\Windows\System32\wbem\AutoRecover\3460B7617E0429A960E481B197F238A3.mof Object is locked skipped
C:\Windows\System32\wbem\repository\INDEX.BTR Object is locked skipped
C:\Windows\System32\wbem\repository\MAPPING1.MAP Object is locked skipped
C:\Windows\System32\wbem\repository\MAPPING2.MAP Object is locked skipped
C:\Windows\System32\wbem\repository\OBJECTS.DATA Object is locked skipped
C:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CorruptedFileRecovery-Client%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-CorruptedFileRecovery-Server%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DateTimeControlPanel%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-MSDT%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-PLA%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Networking%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnostic%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnosticDataCollector%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnosticResolver%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Forwarding%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Help%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WDI%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-MeetingSpace%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-MemoryDiagnostics-Results%4Debug.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ParentalControls%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-RemoteAssistance%4Admin.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-RemoteAssistance%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winsock-WS2HELP%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Wired-AutoConfig%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\MSFWSVC.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Setup.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped
C:\Windows\System32\winevt\Logs\Windows OneCare.evtx Object is locked skipped
C:\Windows\Tasks\SCHEDLGU.TXT Object is locked skipped
C:\Windows\tracing\BAP.LOG Object is locked skipped
C:\Windows\tracing\IpHlpSvc.LOG Object is locked skipped
C:\Windows\tracing\IPNATHLP.LOG Object is locked skipped
C:\Windows\tracing\KMDDSP.LOG Object is locked skipped
C:\Windows\tracing\NDPTSP.LOG Object is locked skipped
C:\Windows\tracing\PPP.LOG Object is locked skipped
C:\Windows\tracing\RASAPI32.LOG Object is locked skipped
C:\Windows\tracing\RASBACP.LOG Object is locked skipped
C:\Windows\tracing\RASCCP.LOG Object is locked skipped
C:\Windows\tracing\RASDLG.LOG Object is locked skipped
C:\Windows\tracing\RASEAP.LOG Object is locked skipped
C:\Windows\tracing\RASIPCP.LOG Object is locked skipped
C:\Windows\tracing\RASIPHLP.LOG Object is locked skipped
C:\Windows\tracing\RASMAN.LOG Object is locked skipped
C:\Windows\tracing\RASPAP.LOG Object is locked skipped
C:\Windows\tracing\RASQEC.LOG Object is locked skipped
C:\Windows\tracing\RASTAPI.LOG Object is locked skipped
C:\Windows\tracing\svchost_RASCHAP.LOG Object is locked skipped
C:\Windows\tracing\svchost_RASTLS.LOG Object is locked skipped
C:\Windows\tracing\tapi32.LOG Object is locked skipped
C:\Windows\tracing\tapisrv.LOG Object is locked skipped
C:\Windows\WindowsUpdate.log Object is locked skipped
C:\Windows\winsxs\x86_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.0.6000.16386_none_cef7ceb03914a67f\dnary.xsd Object is locked skipped

Scan process completed.
---------------------------------------------------------END KASPERSKY SCAN LOG----------------------------------------

-------------------------------------------BEGIN DSS LOG-------------------------------------------------------
------------------------MAIN-------------------------------
Deckard's System Scanner v20071014.68
Run by Dragon on 2008-04-16 21:18:08
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 3 Restore Point(s) --
3: 2008-04-16 20:18:13 UTC - RP272 - Ad-Aware Restore Point 2008-04-16 15:17:46
2: 2008-04-16 18:52:28 UTC - RP270 - Windows Update
1: 2008-04-15 04:34:13 UTC - RP269 - Installed AVG 7.5


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 502 MiB (1024 MiB recommended).


-- HijackThis (run as Dragon.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:19:46 PM, on 4/16/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system\w98eject.exe
C:\Users\Dragon\AppData\Local\Temp\RtkBtMnt.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\msascui.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Users\Dragon\Desktop\scanners\dss.exe
C:\Windows\system32\SearchFilterHost.exe
C:\PROGRA~1\Trend Micro\HijackThis\Dragon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kaspersky.com/kos/eng/partner/us/kavwebscan.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: w98Eject.lnk = C:\Windows\system\w98eject.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.kaspersky.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcz_device - - C:\Windows\system32\lxczcoms.exe
O23 - Service: NetTime (NetTimeSvc) - Subjective Software - C:\Program Files\NetTime\NeTmSvNT.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 7273 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 GearAspiSys - c:\windows\system32\drivers\gearaspisys.sys <Not Verified; GEAR Software; GEAR.wrks>
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ALaunchService (ALaunch Service) - c:\acer\alaunch\alaunchsvc.exe <Not Verified; ; ALaunchSvc Service Image>
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 eRecoveryService (eRecovery Service) - c:\acer\empowering technology\erecovery\erecoveryservice.exe <Not Verified; Acer Inc.; eRecoveryService>
R2 NetTimeSvc (NetTime) - c:\program files\nettime\netmsvnt.exe <Not Verified; Subjective Software; NetTime>

S2 CLTNetCnService (Symantec Lic NetConnect service) - "c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0000
Manufacturer: Microsoft
Name: 6TO4 Adapter
PNP Device ID: ROOT\*6TO4MP\0000
Service: tunnel


-- Files created between 2008-03-16 and 2008-04-16 -----------------------------

2008-04-16 16:13:04 0 d-------- C:\Windows\system32\Kaspersky Lab
2008-04-16 14:49:41 0 d-------- C:\Program Files\CCleaner
2008-04-16 14:43:54 0 d-------- C:\Program Files\Trend Micro
2008-04-15 01:17:05 0 d-------- C:\Program Files\Sommestad
2008-04-15 01:16:06 0 d-------- C:\Program Files\Black Obelisk Software
2008-04-15 01:03:40 240944 --a------ C:\Windows\system32\RICHED.DLL <Not Verified; Microsoft Corporation; Microsoft® Windows™ Operating System>
2008-04-15 01:01:41 0 d-------- C:\Program Files\SLang 2
2008-04-13 17:33:43 96 --a------ C:\Windows\system32\pdfl.dat
2008-04-13 17:33:43 144 --a------ C:\Windows\system32\lkfl.dat
2008-04-13 17:33:43 96 --a------ C:\Windows\system32\ibfl.dat
2008-04-13 17:33:28 0 d-------- C:\Program Files\CheckPoint
2008-04-13 17:19:53 0 d-------- C:\Windows\system32\ZoneLabs
2008-04-06 16:53:54 0 d-------- C:\Program Files\Lavasoft
2008-04-06 16:51:35 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-06 15:34:36 0 d-------- C:\Users\Shevonte.Shevonte-PC\2008-04-06
2008-04-06 15:33:52 0 d-------- C:\Users\Shevonte.Shevonte-PC\New Folder
2008-04-02 22:15:38 0 d-------- C:\Users\Dragon\.fontconfig


-- Find3M Report ---------------------------------------------------------------

2008-04-16 14:46:37 0 d-------- C:\Program Files\Yahoo!
2008-04-16 13:43:43 0 d-------- C:\Users\Dragon\AppData\Roaming\AVG7
2008-04-13 22:19:56 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-13 20:24:36 0 d-------- C:\Program Files\Zinf
2008-04-13 20:20:27 0 d-------- C:\Program Files\WAV to AC3 Encoder (Win32 Unicode)
2008-04-13 19:53:04 0 d-------- C:\Users\Dragon\AppData\Roaming\InstallShield
2008-04-13 19:51:14 0 d-------- C:\Program Files\WinLibre
2008-04-13 19:45:30 0 d-------- C:\Program Files\NewTech Infosystems
2008-04-13 19:45:28 0 d-------- C:\Program Files\Common Files\NewTech Infosystems
2008-04-13 18:46:56 0 d-------- C:\Users\Dragon\AppData\Roaming\CheckPoint
2008-04-13 17:39:06 0 d-------- C:\Users\Dragon\AppData\Roaming\Grisoft
2008-04-13 17:06:47 0 d-------- C:\Users\Dragon\AppData\Roaming\BitTorrent
2008-04-12 20:37:08 0 d-------- C:\Users\Dragon\AppData\Roaming\Gtek
2008-04-12 20:35:40 0 d-------- C:\Program Files\Common Files
2008-04-09 03:07:59 0 d-------- C:\Program Files\Windows Mail
2008-04-06 17:02:23 0 d-------- C:\Users\Dragon\AppData\Roaming\OpenOffice.org2
2008-04-03 20:16:45 0 d-------- C:\Users\Dragon\AppData\Roaming\gtk-2.0
2008-04-01 11:39:34 0 d-------- C:\Program Files\Windows Live Safety Center
2008-04-01 02:19:16 0 d-------- C:\Program Files\MySpace
2008-03-08 20:39:42 0 d-------- C:\Program Files\Java
2008-02-25 16:08:13 0 d-------- C:\Program Files\iTunes
2008-02-25 16:08:00 0 d-------- C:\Program Files\iPod
2008-02-25 16:06:03 0 d-------- C:\Program Files\QuickTime
2008-02-24 21:55:40 833 --a------ C:\Windows\EReg072.dat
2008-02-24 20:40:16 0 d-------- C:\Program Files\Firaxis Games
2008-01-28 00:06:18 118784 --a------ C:\Windows\dsdxirmv.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [11/16/2006 01:45 AM]
"RtHDVCpl"="RtHDVCpl.exe" [12/01/2006 12:37 AM C:\Windows\RtHDVCpl.exe]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [10/18/2007 10:18 AM]
"Persistence"="C:\Windows\system32\igfxpers.exe" [10/18/2007 10:18 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 05:25 AM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [01/09/2008 03:31 AM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 04:25 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [04/15/2008 06:43 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [11/02/2006 07:34 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
w98Eject.lnk - C:\Windows\system\w98eject.exe [1/18/2008 2:05:30 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=C:\Windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Assist Launcher]
C:\Program Files\Acer Assist\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALaunch]
C:\Acer\ALaunch\AlaunchClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
"C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
%ProgramFiles%\Windows Defender\MSASCui.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc wlansvc EMDMgmt TabletInputService WPDBusEnum
LocalServiceNoNetwork PLA DPS BFE mpssvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8387 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-16 21:22:39 ------------

-----------------------------END MAIN-----------------------------
-----------------------------BEGIN EXTRA.TXT-------------------
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Basic (build 6000)
Architecture: X86; Language: English

CPU 0: Intel® Celeron® M CPU 520 @ 1.60GHz
Percentage of Memory in Use: 78%
Physical Memory (total/avail): 501.56 MiB / 105.33 MiB
Pagefile Memory (total/avail): 1493.22 MiB / 599.63 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1920.77 MiB

C: is Fixed (NTFS) - 33.51 GiB total, 12.75 GiB free.
D: is Fixed (NTFS) - 33.21 GiB total, 31.69 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD800BEVS-22RST0 ATA Device - 74.53 GiB - 3 partitions
\PARTITION0 - Unknown - 7.81 GiB
\PARTITION1 (bootable) - MS-DOS V4 Huge - 33.51 GiB - C:
\PARTITION2 - Installable File System - 33.21 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FW: ZoneAlarm Firewall v7.1.248.000 (Check Point, LTD.) Disabled
AV: AVG 7.5.524 v7.5.524 (Grisoft)
AS: Spybot - Search and Destroy v1.0.0.5 (Safer Networking Ltd.) Disabled
AS: AVG Anti-Spyware v7, 5, 1, 43 (GRISOFT s.r.o.) Disabled Outdated
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Acer\\Empowering Technology\\eDataSecurity\\eDSfsu.exe"="C:\\Acer\\Empowering Technology\\eDataSecurity\\eDSfsu.exe:*:Enabled:eDSfsu"
"C:\\Acer\\Empowering Technology\\eDataSecurity\\encryption.exe"="C:\\Acer\\Empowering Technology\\eDataSecurity\\encryption.exe:*:Enabled:encryption"
"C:\\Acer\\Empowering Technology\\eDataSecurity\\decryption.exe"="C:\\Acer\\Empowering Technology\\eDataSecurity\\decryption.exe:*:Enabled:decryption"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Dragon\AppData\Roaming
CLASSPATH=.;.;C:\PROGRA~1\JMF21~1.1E\lib\sound.jar;C:\PROGRA~1\JMF21~1.1E\lib\jmf.jar;C:\PROGRA~1\JMF21~1.1E\lib;
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DLCLAPTOP
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Dragon
LOCALAPPDATA=C:\Users\Dragon\AppData\Local
LOGONSERVER=\\DLCLAPTOP
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f06
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Dragon\AppData\Local\Temp
TMP=C:\Users\Dragon\AppData\Local\Temp
tvdumpflags=8
USERDOMAIN=DLCLAPTOP
USERNAME=Dragon
USERPROFILE=C:\Users\Dragon
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

Shevonte.Shevonte-PC
Dragon


-- Add/Remove Programs ---------------------------------------------------------

7-Zip 3.13 --> rundll32 advpack.dll,LaunchINFSection C:\Windows\INF\7-zip.inf,SevenZip.Uninstall
ABBYY FineReader 6.0 Sprint --> MsiExec.exe /X{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}
AC-3 ACM Codec --> C:\Windows\system32\rundll32.exe setupapi,InstallHinfSection DefaultUninstall 132 C:\Windows\INF\AC3ACM.inf
AC3 Decoder --> C:\Program Files\Mediatwins software\AC3 Decoder\uninstall.exe
AC3File (remove only) --> C:\Program Files\AC3File\uninstall.exe
AC3Filter (remove only) --> C:\Program Files\AC3Filter\uninstall.exe
Acer Registration --> C:\Program Files\Acer Registration\uninstall.exe
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player 9 ActiveX --> C:\Windows\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player Plugin --> C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Agere Systems HDA Modem --> agrsmdel
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
AVG Anti-Rootkit Free --> C:\Program Files\GRISOFT\AVG Anti-Rootkit Free\Uninstall.exe
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
BitTorrent 6.0 --> C:\Program Files\BitTorrent\uninst.exe
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Cakewalk Audio Finder Tool --> C:\Windows\uninst.exe -f"C:\Program Files\Cakewalk\CWAF\DeIsL2.isu"
Cakewalk Plasma 2003 --> C:\PROGRA~1\Cakewalk\Cakewalk Plasma 1\UNWISE.EXE C:\PROGRA~1\Cakewalk\Cakewalk Plasma 1\INSTALL.LOG
Cakewalk Pyro 1.5 --> C:\PROGRA~1\Cakewalk\Cakewalk Pyro 1.5\UNWISE.EXE C:\PROGRA~1\Cakewalk\Cakewalk Pyro 1.5\INSTALL.LOG
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CDex extraction audio --> "C:\Program Files\CDex_150\uninstall.exe"
Coupon Printer for Windows --> "C:\Program Files\Coupons\uninstall.exe" "/U:C:\Program Files\Coupons\Uninstall\uninstall.xml"
DHTML Editing Component --> MsiExec.exe /I{2EA870FA-585F-4187-903D-CB9FFD21E2E0}
DNA --> "C:\Users\Dragon\Program Files\DNA\btdna.exe" /UNINSTALL
DreamStation DXi2 --> C:\WINDOWS\DSDXIRMV.EXE C:\PROGRAM FILES\CAKEWALK\SHARED DXI\AUDIO SIMULATION\DREAMSTATION DXI2
GIMP 2.4.2 --> "C:\Program Files\GIMP-2.0\setup\unins000.exe"
GTK+ Runtime 2.4.10 rev b (remove only) --> C:\Program Files\Common Files\GTK\2.0\uninst.exe
Intel® Graphics Media Accelerator Driver --> C:\Windows\system32\igxpun.exe -uninstall
ISO Recorder --> MsiExec.exe /I{39600969-41C3-4658-876E-16F108FC5C92}
iTunes --> MsiExec.exe /I{80FD852F-5AAC-4129-B931-06AAFFA43138}
Java 2 Runtime Environment, SE v1.4.2_05 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142050}
Java Media Framework 2.1.1e --> C:\Windows\IsUninst.exe -f"C:\Program Files\JMF2.1.1e\Uninst.isu"
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Kaspersky Online Scanner --> C:\Windows\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Lexmark 1200 Series --> C:\Program Files\Lexmark 1200 Series\Install\x86\Uninst.exe
Lexmark Fax Solutions --> C:\Program Files\Lexmark Fax Solutions\Install\x86\Uninst.exe /R:faxunst
Liquid Story Binder XE 2.31 --> "C:\Program Files\Black Obelisk Software\Liquid Story Binder XE\unins000.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Mozilla Firefox (2.0.0.13) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (1.0) --> C:\Windows\UninstallThunderbird.exe /ua "1.0 (en)"
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
NetTime 2.0 --> "C:\Program Files\NetTime\unins000.exe"
NTI CD & DVD-Maker --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2} /l1033 CDM7
OpenOffice.org 2.3 --> MsiExec.exe /I{2F29D6D2-824E-4FEF-8AED-7013F39F642A}
PDFCreator 0.8.0 --> C:\Program Files\PDFCreator\unins000.exe
Philips PC Camera --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F48C6EA5-3B43-11D6-86A6-0050BA0259A2}\driver.exe" -l0x9 -removeonly
QuickTime --> MsiExec.exe /I{BFD96B89-B769-4CD6-B11E-E79FFD46F067}
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Sid Meier's Alpha Centauri --> C:\Windows\IsUninst.exe -f"C:\Program Files\Firaxis Games\Sid Meier's Alpha Centauri\Uninst.isu"
SLang 2 --> C:\Windows\uninst.exe -f"C:\Program Files\SLang 2\DeIsL1.isu" -c"C:\Program Files\SLang 2\_ISREG32.DLL"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Texas Instruments PCIxx21/x515/xx12 drivers. --> C:\Program Files\InstallShield Installation Information\{0409969E-BEFB-44D3-90B9-63BE50FBAE5E}\setup.exe -runfromtemp -l0x0409
The Literary Machine 2000 v. 1.130B --> "C:\Program Files\Sommestad\The Literary Machine 2000\unins000.exe"
VideoLAN VLC media player 0.8.1 --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Vista Codec Package --> MsiExec.exe /I{F9FD80CE-0448-4D4F-8BCD-77FC514C3F99}
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Winamp Toolbar for Firefox --> "C:\Users\Dragon\AppData\Roaming\Mozilla\Firefox\Profiles\1evcz84x.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\uninstall.exe"
Windows Live OneCare safety scanner --> MsiExec.exe /X{FE0646A7-19D0-41B4-A2BB-2C35D644270D}
Windows Media Player Firefox Plugin --> MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\common\unyt.exe
yWriter2 --> "C:\Users\Dragon\Documents\yWriter2\unins000.exe"
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type21796 / Error
Event Submitted/Written: 04/16/2008 03:18:06 PM
Event ID/Source: 8194 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {589ac768-4624-4df7-bf96-9a8bcc0aa551}

Event Record #/Type21789 / Success
Event Submitted/Written: 04/16/2008 01:45:09 PM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.

Event Record #/Type21780 / Success
Event Submitted/Written: 04/16/2008 01:41:33 PM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type21779 / Success
Event Submitted/Written: 04/16/2008 01:41:19 PM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type21766 / Warning
Event Submitted/Written: 04/16/2008 01:21:36 AM
Event ID/Source: 1530 / profsvc
Event Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-1114731421-2921708331-2508938508-1000_Classes:
Process 856 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1114731421-2921708331-2508938508-1000_CLASSES



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type82709 / Warning
Event Submitted/Written: 04/16/2008 09:16:03 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%DLCLAPTOP27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %DLCLAPTOP27 can't undo changes that you allow.

For more information please see the following:
%DLCLAPTOP275

Scan ID: {81448085-97CC-4B77-83CE-FF0EAC5641A8}

User: DLCLAPTOP\Dragon

Name: %DLCLAPTOP271

ID: %DLCLAPTOP272

Severity ID: %DLCLAPTOP273

Category ID: %DLCLAPTOP274

Path Found: %DLCLAPTOP276

Alert Type: %DLCLAPTOP278

Detection Type: 1.1.1505.02

Event Record #/Type82708 / Warning
Event Submitted/Written: 04/16/2008 09:16:03 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%DLCLAPTOP27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %DLCLAPTOP27 can't undo changes that you allow.

For more information please see the following:
%DLCLAPTOP275

Scan ID: {7D277E1E-0607-4CA5-AC4E-8FB0A2717AD1}

User: DLCLAPTOP\Dragon

Name: %DLCLAPTOP271

ID: %DLCLAPTOP272

Severity ID: %DLCLAPTOP273

Category ID: %DLCLAPTOP274

Path Found: %DLCLAPTOP276

Alert Type: %DLCLAPTOP278

Detection Type: 1.1.1505.02

Event Record #/Type82707 / Warning
Event Submitted/Written: 04/16/2008 09:16:03 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%DLCLAPTOP27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %DLCLAPTOP27 can't undo changes that you allow.

For more information please see the following:
%DLCLAPTOP275

Scan ID: {08422ECD-E1C5-49CD-A863-580B66C3ABB2}

User: DLCLAPTOP\Dragon

Name: %DLCLAPTOP271

ID: %DLCLAPTOP272

Severity ID: %DLCLAPTOP273

Category ID: %DLCLAPTOP274

Path Found: %DLCLAPTOP276

Alert Type: %DLCLAPTOP278

Detection Type: 1.1.1505.02

Event Record #/Type82706 / Warning
Event Submitted/Written: 04/16/2008 09:16:00 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%DLCLAPTOP27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %DLCLAPTOP27 can't undo changes that you allow.

For more information please see the following:
%DLCLAPTOP275

Scan ID: {6AFBC47D-260B-4FA5-B84F-697E7C76D8B3}

User: DLCLAPTOP\Dragon

Name: %DLCLAPTOP271

ID: %DLCLAPTOP272

Severity ID: %DLCLAPTOP273

Category ID: %DLCLAPTOP274

Path Found: %DLCLAPTOP276

Alert Type: %DLCLAPTOP278

Detection Type: 1.1.1505.02

Event Record #/Type82705 / Warning
Event Submitted/Written: 04/16/2008 09:16:00 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%DLCLAPTOP27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %DLCLAPTOP27 can't undo changes that you allow.

For more information please see the following:
%DLCLAPTOP275

Scan ID: {EB970962-6B02-4976-9D89-20199869124C}

User: DLCLAPTOP\Dragon

Name: %DLCLAPTOP271

ID: %DLCLAPTOP272

Severity ID: %DLCLAPTOP273

Category ID: %DLCLAPTOP274

Path Found: %DLCLAPTOP276

Alert Type: %DLCLAPTOP278

Detection Type: 1.1.1505.02



-- End of Deckard's System Scanner: finished at 2008-04-16 21:22:39 ------------

-------------------------END EXTRA.TXT---------------------------------
--------------------------------END DSS SCAN LOG---------------------------------------
Patiently awaiting a response,
Damien


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:07 PM

Posted 17 April 2008 - 07:44 PM

Hi Dizzylizard! I can get you fixed up in no time. :thumbsup:

But before we proceed, be sure that these programs are not needed by you. They are not necessarily malicious, but can be used to remote control your computer. If you are not aware of these being installed, then you should remove them. Here is some more info.

vncviewer.exe is a process belonging to the TWD Industries remote administration tool. This process allows other users to control your PC via a local network or the Internet. If used maliciously this process can also permit users to access your PC, from remote locations, stealing passwords, Internet banking and personal data. If unaccounted for, this process should be removed immediately.




If you want to remove them, proceed with these next steps.


Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Program Files\TightVNC-unstable\VNCHooks.dll 
    C:\Program Files\TightVNC-unstable\vncviewer.exe 
    C:\Program Files\WinLibre\Install\Tightvnc_En_1.3dev6.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
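A check to run alongside Sam's post (an example added here, not his code or anything else from the thread). In the TightVNC 1.3 Windows packages, vncviewer.exe is the viewer, the client you run to connect to some other machine, and VNCHooks.dll is the screen-update hook DLL loaded by the WinVNC server; neither file on its own lets anyone in. What would make the laptop remotely controllable is a VNC server installed as a service or autorun and listening, normally on TCP 5900 (and 5800 for the Java-applet viewer). The DSS registry dump above shows no VNC entry in either Run key and the firewall exception list shows none either, but DSS does not list services or listening ports, so this PowerShell script checks those directly. The service names, server binary names and folders in it are assumptions drawn from common VNC builds, and the netstat parsing assumes English output.

```powershell
# Added example, not from the thread. Looks for a VNC *server* that could
# actually accept remote connections, rather than the viewer Buckeye_Sam lists.
# Service names, binary names and folders below are assumptions based on the
# common Windows VNC builds; adjust for your box. Run from an elevated prompt.
function Find-VncServer {
    $vncServices   = 'winvnc', 'tvnserver', 'uvnc_service', 'vncserver'   # assumed service names
    $vncServerExes = 'winvnc.exe', 'tvnserver.exe', 'winvnc4.exe'          # assumed server binaries
    $vncPorts      = 5900, 5800                                            # RFB and HTTP-applet defaults
    $runKeys       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $folders       = 'C:\Program Files\TightVNC-unstable', 'C:\Program Files\TightVNC'
    $findings      = @()

    # 1. Services: a VNC server that survives a reboot is normally registered as one.
    foreach ($svc in Get-Service -ErrorAction SilentlyContinue) {
        if ($vncServices -contains $svc.Name -or $svc.DisplayName -match 'vnc') {
            $findings += "service $($svc.Name) [$($svc.Status)]"
        }
    }

    # 2. Run keys: the other usual persistence point (the same keys DSS prints
    #    under "Registry Dump" above).
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not an autorun
            if ("$($p.Value)" -match 'vnc') { $findings += "autorun $key\$($p.Name) = $($p.Value)" }
        }
    }

    # 3. Server binaries sitting next to the viewer.
    foreach ($d in $folders) {
        foreach ($exe in $vncServerExes) {
            $path = Join-Path $d $exe
            if (Test-Path -LiteralPath $path) { $findings += "server binary $path" }
        }
    }

    # 4. Listening sockets. netstat -ano works on Vista; Get-NetTCPConnection
    #    needs Windows 8 or later. Assumes English netstat output ("LISTENING").
    foreach ($line in (netstat -ano)) {
        if ($line -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)') {
            $port  = [int]$Matches[1]
            $owner = [int]$Matches[2]
            if ($vncPorts -contains $port) {
                $proc = (Get-Process -Id $owner -ErrorAction SilentlyContinue).ProcessName
                $findings += "TCP $port listening, PID $owner ($proc)"
            }
        }
    }

    if ($findings.Count -eq 0) { return 'No VNC server service, autorun, binary or listener found.' }
    return @('Possible VNC server exposure:') + ($findings | ForEach-Object { "  $_" })
}

Find-VncServer
```

If this comes back clean, the three files are leftover viewer and installer pieces rather than a live back door; if it reports a service or a listener on 5900, that is the thing to disable and remove first, before worrying about the files.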


========================================================

#3 Dizzylizard

Dizzylizard
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:02:07 PM

Posted 19 April 2008 - 01:57 AM

But before we proceed, be sure that these programs are not needed by you. They are not necessarily malicious, but can be used to remote control your computer. If you are not aware of these being installed, then you should remove them. Here is some more info.

vncviewer.exe is a process belonging to the TWD Industries remote administration tool. This process allows other users to control your PC via a local network or the Internet. If used maliciously this process can also permit users to access your PC, from remote locations, stealing passwords, Internet banking and personal data. If unaccounted for, this process should be removed immediately.


I don't remember installing them, and I can't think of any reason I would need to allow someone to access my laptop remotely, so let's get rid of them...

Please download the OTMoveIt2 by OldTimer.

  • -----instructions followed and snipped-------
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


I followed your instructions, Sam, but nothing happened after the reboot...here's the logfile
---------------------------------------OTMoveIt2 Log File Follows--------------------------------
DllUnregisterServer procedure not found in C:\Program Files\TightVNC-unstable\VNCHooks.dll
C:\Program Files\TightVNC-unstable\VNCHooks.dll NOT unregistered.
File move failed. C:\Program Files\TightVNC-unstable\VNCHooks.dll scheduled to be moved on reboot.
File move failed. C:\Program Files\TightVNC-unstable\vncviewer.exe scheduled to be moved on reboot.
File move failed. C:\Program Files\WinLibre\Install\Tightvnc_En_1.3dev6.exe scheduled to be moved on reboot.
 
OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04192008_013114
------------------------------end log file-attached------------------------------------------

Like I said, I rebooted, but didn't get any confirmation they were moved...shouldn't the logfile have updated on the reboot? I also checked the file folder in \_OTMoveIT\moved files, to which I assumed they would be moved, but the folder (and all subfolders) were empty...did it work?
Patiently awaiting the next step...
Damien



Edited by Dizzylizard, 19 April 2008 - 02:03 AM.
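On the "did it work?" question, an added example (not OTMoveIt2's code or anything from the thread). A "scheduled to be moved on reboot" line means OTMoveIt2 could not move the file while Windows was running and instead queued a delay-until-reboot rename, which Windows stores as source/destination pairs in the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager and carries out early in the next boot. An empty MovedFiles folder after the reboot therefore means the queued moves did not happen. This PowerShell script prints whatever is still queued and checks whether the three files are actually gone; the paths are the ones from Sam's list, and the script assumes an elevated prompt. The installer's location under C:\Program Files\WinLibre\Install suggests it arrived with the WinLibre free-software bundle, but that is an inference from the path, not something the thread establishes.

```powershell
# Added example, not from the thread. OTMoveIt2's "scheduled to be moved on
# reboot" means a delay-until-reboot rename was queued in the Session Manager's
# PendingFileRenameOperations value, which Windows processes early in the next
# boot. This lists what is still queued and checks whether the three files from
# Buckeye_Sam's list are actually gone. Run from an elevated prompt.
function Test-PendingMoves {
    param([string[]] $Targets)

    $smKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $pending = (Get-ItemProperty -Path $smKey -Name PendingFileRenameOperations `
                -ErrorAction SilentlyContinue).PendingFileRenameOperations

    if (-not $pending) {
        'PendingFileRenameOperations is empty: nothing is queued for the next boot.'
    } else {
        # REG_MULTI_SZ of source/destination pairs. Sources carry an NT-style
        # \??\ prefix (a leading "!" means replace-existing); an empty
        # destination means "delete". If these lines are still here after a
        # reboot, the queued operation never ran.
        for ($i = 0; $i -lt $pending.Count; $i += 2) {
            $src = $pending[$i] -replace '^!?\\\?\?\\', ''
            $dst = ''
            if ($i + 1 -lt $pending.Count) { $dst = $pending[$i + 1] -replace '^!?\\\?\?\\', '' }
            if ($dst -eq '') { "queued: $src (delete)" } else { "queued: $src -> $dst" }
        }
    }

    # Whatever the queue says, the real test is whether the files are still on disk.
    foreach ($t in $Targets) {
        if (Test-Path -LiteralPath $t) { "STILL PRESENT: $t" } else { "gone: $t" }
    }
}

Test-PendingMoves -Targets @(
    'C:\Program Files\TightVNC-unstable\VNCHooks.dll',
    'C:\Program Files\TightVNC-unstable\vncviewer.exe',
    'C:\Program Files\WinLibre\Install\Tightvnc_En_1.3dev6.exe'
)
```

If the files are reported as still present after a reboot, the queued rename was overwritten or silently failed, and deleting them by hand from Safe Mode, as Sam suggests in the next post, is the straightforward fallback.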


#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:07 PM

Posted 19 April 2008 - 08:01 AM

Hmmm....yes they should have been moved on reboot.
We should be able to just delete them manually from safe mode.

Reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
  • If you have trouble getting into Safe mode go here for more info.

Once in safe mode you can locate these files and delete them manually.

C:\Program Files\TightVNC-unstable\VNCHooks.dll
C:\Program Files\TightVNC-unstable\vncviewer.exe
C:\Program Files\WinLibre\Install\Tightvnc_En_1.3dev6.exe



Let me know how it goes.


========================================================

#5 Dizzylizard

Dizzylizard
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:02:07 PM

Posted 19 April 2008 - 03:08 PM

I deleted the files in safe mode, and they appear to be gone...quick sidebar: While I was deleting the files, I noticed a lot of folders in the Program files for programs that I've removed...is it safe to delete these folders? If so, can you recommend a program to get them all, or do I have to do it manually?
Also, do we need to do another Kaspersky/DSS scan to make sure it's clean?
Let me know what to do next,
Damien

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:07 PM

Posted 19 April 2008 - 03:54 PM

For the programs that you are certain that you removed, yes you can delete them.
It's not a bad idea to go ahead and run another Kaspersky scan just to be sure you come up clean.


========================================================

#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:07 PM

Posted 13 May 2008 - 09:26 AM

Unfortunately there has been no response. :thumbsup:
This thread will now be closed.


========================================================



