Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Xpc Infosystems / Ie 7


  • This topic is locked This topic is locked
2 replies to this topic

#1 Safe Internet

Safe Internet

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:11:48 AM

Posted 29 June 2008 - 01:52 PM

For a couple of months the IE has appeared with a name in the title bar saying "XPC Infosystems". It didn't bother me at first but then I was once trying to change my home page, resulting in failures because every time I changed it, it turned again to the same page hxxp://nvr.xpc.co.in/ I have clue about neither how to remove this virus, if it is indeed a virus, nor how dangeros it can be.

I must say I am not an expert in systems, softwares or IT. I'm just basic understanding of how this works so I' really appreaciate your inputs and suggestions.

I have already done the steps 1-7 from the Preparation Guide For Use Before Posting a Hijackthis Log.

Find below the log from DSS and attached the one from Kaperski Online Scanner.

Deckard's System Scanner v20071014.68
Run by vanetona on 2008-06-29 23:46:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
31: 2008-06-30 04:47:14 UTC - RP265 - Deckard's System Scanner Restore Point
30: 2008-06-29 11:23:15 UTC - RP264 - Installed Java™ 6 Update 6
29: 2008-06-29 11:22:01 UTC - RP263 - Quitado Java™ 6 Update 6
28: 2008-06-29 07:13:21 UTC - RP262 - Installed Java™ SE Development Kit 6 Update 6
27: 2008-06-29 06:34:35 UTC - RP261 - Removed J2SE Runtime Environment 5.0 Update 9


-- First Restore Point --
1: 2008-05-25 13:03:36 UTC - RP235 - Punto de control del sistema


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-29 23:54:13
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.5730.13)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Archivos de programa\ltmoh\ltmoh.exe
C:\WINDOWS\agrsmmsg.exe
C:\Archivos de programa\Alwil Software\Avast4\ashDisp.exe
C:\Archivos de programa\TOSHIBA\TOSHIBA Applet\THotkey.exe
C:\Archivos de programa\TOSHIBA\Touch and Launch\PadExe.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\LClock\LClock.exe
C:\Archivos de programa\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Archivos de programa\Microsoft Encarta\Encarta 2007 Biblioteca Premium DVD\EDICT.EXE
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Windows Live\Messenger\msnmsgr.exe
C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Archivos de programa\Yahoo!\Messenger\Ymsgr_tray.exe
C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\CyberLink\Shared files\RichVideo.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Archivos de programa\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe
C:\Archivos de programa\Windows Live\Messenger\usnsvc.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Archivos de programa\DVD Region+CSS Free\DVDRegionFree.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\TOSHIBA\IVP\ISM\Ivpsvmgr.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Vanessa Montoya\Escritorio\Utilidades\No Host Script\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.eltiempo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nvr.xpc.co.in/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = XPC Infosystems
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.eltiempo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.eltiempo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\NewVirusRemoval.vbs
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Archivos de programa\MegauploadToolbar\megauploadtoolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Aplicación auxiliar de inicio de sesión - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Complemento del Asistente para Internet de Encarta - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Archivos de programa\Google\GoogleToolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Archivos de programa\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Asistente para Internet de Encarta - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Archivos de programa\MegauploadToolbar\megauploadtoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Archivos de programa\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LtMoh] C:\Archivos de programa\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [THotkey] C:\Archivos de programa\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [PadTouch] C:\Archivos de programa\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Archivos de programa\Creative\PC-CAM Center\CAMTRAY.EXE
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LClock] C:\Archivos de programa\LClock\lclock.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Archivos de programa\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [E07EXLRD_557992] "C:\Archivos de programa\Microsoft Encarta\Encarta 2007 Biblioteca Premium DVD\EDICT.EXE" -m
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\ARCHIV~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Archivos de programa\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: RAMASST.lnk = ?
O8 - Extra context menu item: Abrir en ventana &nueva - C:\Documents and Settings\Vanessa Montoya\Datos de programa\TuneUp Software\TuneUp Utilities\Web\tuofinw.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Buscar con &Google - C:\Documents and Settings\Vanessa Montoya\Datos de programa\TuneUp Software\TuneUp Utilities\Web\gsearch.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Barra de búsqueda de Encarta - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://vatoya.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Archivos de programa\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Archivos de programa\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Archivos de programa\Archivos comunes\Skype\Skype4COM.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Archivos de programa\CyberLink\Shared files\RichVideo.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - C:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Archivos de programa\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe


--
End of file - 13250 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - unable to read value
.js - JSFile - shell\open\command - unable to read value
.vbs - VBSFile - DefaultIcon - unable to read value
.vbs - VBSFile - shell\open\command - unable to read value
.vbs - VBSFile - shell\edit\command - unable to read value


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 meiudf - c:\windows\system32\drivers\meiudf.sys
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.10) - c:\windows\system32\drivers\mdc8021x.sys
R2 TBiosDrv - c:\windows\system32\drivers\tbiosdrv.sys
R3 TVALD (Toshiba Mobile PC Service) - c:\windows\system32\drivers\nbsmi.sys
R3 Tvs (Toshiba Virtual Sound with SRS technologies) - c:\windows\system32\drivers\tvs.sys

S3 P1060BLK (Creative PC-CAM 350 (Still Image)) - c:\windows\system32\drivers\p1060blk.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ACS (Atheros Configuration Service) - c:\windows\system32\acs.exe
R2 DVD-RAM_Service - c:\windows\system32\dvdramsv.exe
R2 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\archivos de programa\cyberlink\shared files\richvideo.exe"
R2 Swupdtmr - c:\toshiba\ivp\swupdate\swupdtmr.exe
R2 TAPPSRV (TOSHIBA Application Service) - "c:\archivos de programa\toshiba\toshiba applet\tappsrv.exe"


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel® PRO/Wireless 2200BG Network Connection
Device ID: PCI\VEN_8086&DEV_4220&SUBSYS_27418086&REV_05\4&1D3F0FBB&0&20F0
Manufacturer: Intel® Corporation
Name: Intel® PRO/Wireless 2200BG Network Connection
PNP Device ID: PCI\VEN_8086&DEV_4220&SUBSYS_27418086&REV_05\4&1D3F0FBB&0&20F0
Service: w29n51

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Adaptador de red 1394
Device ID: V1394\NIC1394\D129CBA780DA0
Manufacturer: Microsoft
Name: Adaptador de red 1394
PNP Device ID: V1394\NIC1394\D129CBA780DA0
Service: NIC1394


-- Scheduled Tasks -------------------------------------------------------------

2008-06-23 07:54:05 298 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-06-06 17:14:59 454 --a------ C:\WINDOWS\Tasks\Mantenimiento con 1 clic.job


-- Files created between 2008-05-29 and 2008-06-29 -----------------------------

2008-06-29 06:24:35 0 d-------- C:\Archivos de programa\Sun
2008-06-28 22:22:37 0 drahs---- C:\autorun.inf
2008-06-27 19:13:53 0 d-------- C:\Archivos de programa\Archivos comunes\Skype
2008-06-22 07:57:07 0 d-------- C:\My Music
2008-06-22 07:02:30 0 d-------- C:\Archivos de programa\uTorrent


-- Find3M Report ---------------------------------------------------------------

2008-06-29 06:24:23 0 d-------- C:\Archivos de programa\Java
2008-06-28 21:08:11 0 d--h----- C:\Archivos de programa\InstallShield Installation Information
2008-06-28 21:07:26 0 dr-h----- C:\Documents and Settings\Vanessa Montoya\Datos de programa\yahoo!
2008-06-28 20:26:03 0 d-------- C:\Archivos de programa\TuneUp Utilities 2006
2008-06-27 19:13:58 0 d-------- C:\Archivos de programa\Skype
2008-06-27 19:13:53 0 d-------- C:\Archivos de programa\Archivos comunes
2008-06-27 19:12:46 0 d-------- C:\Documents and Settings\Vanessa Montoya\Datos de programa\Skype
2008-06-25 23:39:48 0 d-------- C:\Archivos de programa\NJStar Chinese WP
2008-06-22 09:20:24 0 d-------- C:\Documents and Settings\Vanessa Montoya\Datos de programa\uTorrent
2008-06-15 19:37:41 0 d-------- C:\Documents and Settings\Vanessa Montoya\Datos de programa\Adobe
2008-06-15 19:37:38 0 d-------- C:\Archivos de programa\Archivos comunes\Adobe
2008-05-26 08:59:43 11400 -rahs---- C:\WINDOWS\system32\NewVirusRemoval.vbs
2008-05-18 11:51:43 0 d-------- C:\Archivos de programa\Google
2008-05-12 12:36:56 0 d-------- C:\Documents and Settings\Vanessa Montoya\Datos de programa\AdobeUM
2008-05-05 11:32:58 424038 --a------ C:\WINDOWS\system32\perfh00A.dat
2008-05-05 11:32:58 60510 --a------ C:\WINDOWS\system32\perfc00A.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe" [14/10/2004 03:28 p.m.]
"SynTPEnh"="C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe" [14/10/2004 03:26 p.m.]
"TPSMain"="TPSMain.exe" [31/05/2005 09:00 p.m. C:\WINDOWS\system32\TPSMain.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [08/06/2005 11:02 a.m.]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [08/06/2005 10:59 a.m.]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [08/06/2005 11:03 a.m.]
"LtMoh"="C:\Archivos de programa\ltmoh\Ltmoh.exe" [12/04/2005 04:18 p.m.]
"AGRSMMSG"="AGRSMMSG.exe" [12/04/2005 04:17 p.m. C:\WINDOWS\agrsmmsg.exe]
"avast!"="C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe" [15/05/2008 06:19 p.m.]
"THotkey"="C:\Archivos de programa\Toshiba\Toshiba Applet\thotkey.exe" [10/08/2005 11:23 a.m.]
"PadTouch"="C:\Archivos de programa\TOSHIBA\Touch and Launch\PadExe.exe" [07/09/2004 02:03 p.m.]
"QuickTime Task"="C:\Archivos de programa\QuickTime\QTTask.exe" [29/06/2007 06:24 a.m.]
"TkBellExe"="C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" [02/08/2007 08:45 p.m.]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" []
"Creative WebCam Tray"="C:\Archivos de programa\Creative\PC-CAM Center\CAMTRAY.EXE" []
"Pinger"="C:\TOSHIBA\IVP\ISM\pinger.exe" [17/03/2005 05:37 p.m.]
"SunJavaUpdateSched"="C:\Archivos de programa\Java\jre1.6.0_06\bin\jusched.exe" [25/03/2008 04:28 a.m.]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [20/08/2004 07:00 a.m.]
"LClock"="C:\Archivos de programa\LClock\lclock.exe" [19/09/2004 01:27 p.m.]
"TOSCDSPD"="C:\Archivos de programa\TOSHIBA\TOSCDSPD\toscdspd.exe" [30/12/2004 12:32 a.m.]
"E07EXLRD_557992"="C:\Archivos de programa\Microsoft Encarta\Encarta 2007 Biblioteca Premium DVD\EDICT.exe" [12/06/2006 09:01 p.m.]
"MSMSGS"="C:\Archivos de programa\Messenger\msmsgs.exe" [13/10/2004 11:24 a.m.]
"msnmsgr"="C:\Archivos de programa\Windows Live\Messenger\msnmsgr.exe" [18/10/2007 11:34 a.m.]
"Yahoo! Pager"="C:\ARCHIV~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [19/01/2007 12:49 p.m.]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\ARCHIV~1\DVDREG~1\DVDShell.dll [09/10/2004 03:18 p.m. 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\NewVirusRemoval.vbs"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Inicio rápido de Adobe Reader.lnk]
path=C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio\Inicio rápido de Adobe Reader.lnk
backup=C:\WINDOWS\pss\Inicio rápido de Adobe Reader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVD43]
"C:\Archivos de programa\DVD Region+CSS Free\DVDRegionFree.exe" /hidden

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"C:\Archivos de programa\CyberLink\PowerDVD\Language\Language.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PINGER]
C:\TOSHIBA\IVP\ISM\pinger.exe /run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Archivos de programa\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
C:\Archivos de programa\Analog Devices\SoundMAX\Smax4.exe /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Archivos de programa\Analog Devices\SoundMAX\SMax4PNP.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d485e10-413d-11dd-a10d-00a0d129cba7}]
AutoRun\command- wscript.exe NewVirusRemoval.vbs
open\Command- wscript.exe NewVirusRemoval.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ee2a8b0-0a40-11dd-a0a4-0013ce9d0173}]
AutoRun\command- wscript.exe NewVirusRemoval.vbs
open\Command- wscript.exe NewVirusRemoval.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41104f70-b032-11dc-a040-00a0d129cba7}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Setup.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59e29810-1374-11dc-9f54-00a0d129cba7}]
Auto\command- F:\bittorrent.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{998565cd-df5b-11db-9ed2-00a0d129cba7}]
Auto\command- bittorrent.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb2957ed-3119-11dd-a0dd-0013ce9d0173}]
Auto\command- F:\MicrosoftPowerPoint.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dc35ed93-30c8-11dd-a0da-0013ce9d0173}]
AutoRun\command- wscript.exe NewVirusRemoval.vbs
open\Command- wscript.exe NewVirusRemoval.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0188c20-a98f-11dc-a038-00a0d129cba7}]
Open(&O)\command- RECYCLED\appmgmt.exe




-- End of Deckard's System Scanner: finished at 2008-06-29 23:56:00 ------------



mellow.gif

Deactivate link. ~ OB

Attached Files


Edited by Orange Blossom, 11 February 2013 - 03:25 AM.


BC AdBot (Login to Remove)

 


m

#2 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:09:48 AM

Posted 21 July 2008 - 10:20 AM

Hello, Safe Internet.
:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the Posted Image button in the lower left hand corner of your screen.
Please run Deckard's System Scanner again, this time using these instructions:
(In the event you lost your copy, you can download a new one from here: Deckard's System Scanner)
  • Click on Start, click on Run
  • Copy and paste the following in the open window and then click OK:
    "%userprofile%\desktop\dss.exe" /config
  • This will open up DSS configuration
  • Click on Check All.
  • Click Scan.
    DSS will now run again.
  • Please post back both logs that open in notepad.
    Main.txt and Extra.txt
In your next reply, please include the following:
  • DSS's Main.txt
  • DSS's Extra.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#3 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:09:48 AM

Posted 25 July 2008 - 09:41 AM

Hello, Safe Internet.
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users