Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malware Zlob, Fake Antispyware Software - Bad Infection


  • This topic is locked This topic is locked
29 replies to this topic

#1 The Diver

The Diver

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:05:04 AM

Posted 04 July 2008 - 03:11 AM

Greetings!

I'm a new member and found ya'll through a search on how to get rid of a fake spyware and anti-virus software removal program that hijacked my I.E. Browser by installing a fake tool bar and also hijacking my taskbar (lower right-hand corner with the clock and other programs running).

I did a search of the forum and found someone else that had almost the same issue I had and I followed the same instructions left by "Steamwiz". First off.... thank you, thank you, thank you.

It appears I got rid of it..or some of it...but not sure of all of it as my computer is just not running the same.

I'm going to quote from another member, "bauermw" since he seemed to have the same thing as I. His post was titled: "Infected With Virtumonde And Zlob.downloader, Do not know how to remove it."

I was browsing the internet last night, trying to watch a video, when I clicked on what I thought was a Codec update for a built in video player for a web site and ended up downloading an executable file. I immediately began getting pop-ups that I was infected with a malicious spyware and it recommended I proceed to scan and clean my computer. I knew immediately this was a fake program and had difficulty closing my I.E. browser windows.

I tried doing the ctrl-alt-delete ordeal to no avail. I finally unplugged the computer. After re-boot, I discovered many-a-thing:

1. When I opened up I.E. it tried to load the homepage, but was redirected to a page that said: Reported Insecure Browsing in the title

"Insecure internet activity. Threat of Virus Attack.

Due to insecure Internet browsing your PC can easily get infected with viruses, worms and trojans without your knowledge, and that can lead to system slowdown, freezes and crashes.
Also insecure Internet activity can result in revealing your personal information.
To get full advanced real-time protection for PC and Internet activity, register KvmSecure.

We recommend you to protect your PC now and continue safe Internet browsing.

Insert link 1

Insert link 2"

As the page was loading, I noticed an I.P address where it was downloading from in the lower left-hand corner of I.E. (79.135.167.54) Istanbul, Turkey.

2. A new toolbar was installed on I.E. Browser at the top side of I.E. It contained 4 buttons that read, "Remove Popups, Scan Spyware, Security Test, Spam Protection."
I did click on each of the buttons to see where it would go in hopes of discovering which fake malware program I had. I was sent to different web sites advertising fake virus / and spyware scan. They were: AntiSpyware Master, PCPrivacy Cleaner, and Spyware Isolator.

I right clicked by I.E. toolbar and the name of this fake toolbar was, "nqgpedlr".

3. A fake balloon and red security symbol with the "X" appeared in the lower right-hand side of the task bar near the time (I forgot what this is called, "system tray"?) Hopefully you know what I mean. When I clicked that I ended up at a fake Windows Security Center.

4. I was unable to turn on automatic updates through Windows Security Center. This message appears when I try: "We're sorry. The security center could not change your automatic update settings. To try changing these settings yourself, go to system in control panel. On the automatic updates tab, select automatic (recommended) and press ok."

5. While browsing with I.E. about every other page would load with a yellow strip right below the menubar / toolbar stating my computer was at risk or what not and had a link to "click here" again to lead to more fake virus and spyware removal software.


Ok, so here's where I am at.....

I ran ComboFix and got to the point where it saved the log file. I have NOT done the "CFScript" portion of the fix.
ComboFix seemed to help the problem with the fake Windows Security Center, but not the I.E. browser problem.

I ran Malwarebytes Anti-Malware and that appears to have taken care of the browser problem.

So all looks good on the surface, but all does not seem well.

Any suggestions? I have the logs for ComboFix and Malwarebytes Anti-Malware. Someone want a looksie? How can I make sure this is gone?

Thank you in advance and I truly appreciate what you do here.

Amy

"The Diver"

BC AdBot (Login to Remove)

 


#2 The Diver

The Diver
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:05:04 AM

Posted 04 July 2008 - 07:06 PM

As requested, here's the CombFix and Malwarebytes logs so it can be returned to the proper forum since I already know I DO have an infection.

Thanks!


ComboFix Log

ComboFix 08-07-03.1 - AMY 2008-07-03 21:03:05.1 - NTFSx86
Running from: C:\Documents and Settings\AMY\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\AMY\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\setup.exe
C:\WINDOWS\system32\GOXEOqru.ini
C:\WINDOWS\system32\GOXEOqru.ini2
C:\WINDOWS\system32\igfxhk.dll
C:\WINDOWS\system32\pwchyurv.dll
C:\WINDOWS\system32\urqOEXOG.dll
C:\WINDOWS\system32\vruyhcwp.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-04 to 2008-07-04 )))))))))))))))))))))))))))))))
.

2008-07-03 19:02 . 2008-07-03 20:01 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-03 19:00 . 2008-07-03 19:00 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-03 19:00 . 2008-07-03 19:00 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-03 18:59 . 2008-07-03 19:01 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-03 18:59 . 2008-07-03 18:59 <DIR> d-------- C:\Program Files\AVG
2008-07-03 18:59 . 2008-07-03 18:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-03 17:42 . 2008-07-03 17:42 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-03 17:42 . 2008-07-03 17:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-03 17:41 . 2008-07-03 17:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-03 16:54 . 2008-07-03 10:45 303,104 --a------ C:\WINDOWS\kgqfweltgbn.dll
2008-07-03 16:54 . 2008-07-03 10:45 229,376 --a------ C:\WINDOWS\okmdepgb.dll
2008-07-03 16:54 . 2008-07-03 10:45 200,704 --a------ C:\WINDOWS\axrfgvek.dll
2008-07-03 16:54 . 2008-07-03 10:45 155,648 --a------ C:\WINDOWS\nqgpedlr.dll
2008-07-02 21:08 . 2008-07-02 21:08 <DIR> d--hs---- C:\found.000
2008-06-30 17:01 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-06-30 17:01 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-06-30 17:01 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-06-30 17:01 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-06-18 08:58 . 1999-12-17 10:13 86,016 --a------ C:\WINDOWS\unvise32.exe
2008-06-10 19:34 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 19:34 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-11 08:00 --------- d-----w C:\Documents and Settings\AMY\Application Data\Roxio
2008-05-16 18:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-15 02:54 --------- d-----w C:\Documents and Settings\AMY\Application Data\AdobeUM
2008-05-12 17:02 --------- d-----w C:\Program Files\mIRC
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2003-08-27 21:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EC77EAFC-62D0-42B4-B2FB-64D6B18C5BDD}]
2008-07-03 10:45 303104 --a------ C:\WINDOWS\kgqfweltgbn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{DFD3C411-B6E4-49E6-A4D9-88F45FE2556D}"= "C:\WINDOWS\nqgpedlr.dll" [2008-07-03 10:45 155648]

[HKEY_CLASSES_ROOT\clsid\{dfd3c411-b6e4-49e6-a4d9-88f45fe2556d}]
[HKEY_CLASSES_ROOT\nqgpedlr.1]
[HKEY_CLASSES_ROOT\TypeLib\{28EAF37D-F93D-4D40-8F70-654CC2FCBA2E}]
[HKEY_CLASSES_ROOT\nqgpedlr]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2004-08-10 05:04 59392]
"VAIO Update 2"="C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-01-14 14:43 151552]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-08 11:36 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-08 11:32 126976]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-22 21:05 339968]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-19 22:08 28672]
"M-Audio Delta Taskbar Icon"="C:\WINDOWS\System32\DeltTray.exe" [2004-08-27 00:43 56320]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2004-04-13 15:36 1470464]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 14:20 94208]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-28 09:22 185632]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 16:02 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 16:06 2027792]
"TM Control"="C:\WINDOWS\system32\TMController.exe" [2007-02-05 18:50 188492]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-03 18:59 1177368]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 18:45 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-11-02 15:53 77824 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-11-29 15:00 2748928 C:\WINDOWS\ALCWZRD.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-08 10:50 88363 C:\WINDOWS\AGRSMMSG.exe]
"DeltTray"="DeltTray.exe" [2004-08-27 00:43 56320 C:\WINDOWS\system32\DeltTray.exe]

C:\Documents and Settings\AMY\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
LivePerson Expert Messenger.lnk - C:\Program Files\LivePerson\Expert\LPExpertMessenger.exe [2008-04-22 15:38:48 5160960]
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2007-01-11 18:34:41 45056]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-09 18:41:38 323646]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 19:11:12 28672]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56 65588]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 18:23:32 74308]
TMMonitor.lnk - C:\Program Files\ArcSoft\TotalMedia 3\TMMonitor.exe [2008-01-28 14:21:15 249856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"okmdepgb"= {9CED295A-667E-48D2-8736-A8AFC35F0188} - C:\WINDOWS\okmdepgb.dll [2008-07-03 10:45 229376]
"axrfgvek"= {957DD7B5-F807-44AF-AC52-BF230AD0214F} - C:\WINDOWS\axrfgvek.dll [2008-07-03 10:45 200704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= C:\PROGRA~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-03 19:00]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-03 18:59]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe [2002-12-17 18:26]
R2 ZipMagic Task Manager;ZipMagic Task Manager;C:\PROGRA~1\Allume\ZipMagic\MXTask.exe [2005-05-09 14:27]
R3 AV88BASE;Cx2388x Base Driver;C:\WINDOWS\system32\drivers\av88base.sys [2006-12-07 01:35]
S3 Image Converter video recording monitor for VAIO Entertainment;Image Converter video recording monitor for VAIO Entertainment;C:\Program Files\Sony\Image Converter 2\IcVzMon.exe [2005-02-14 22:30]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE [2002-12-17 18:23]
S3 USB28xxBGA;PCTV 330e/8x0e Device;C:\WINDOWS\system32\DRIVERS\emBDA.sys [2007-08-07 15:39]
S3 USB28xxOEM;USB 28xx OEM Filter;C:\WINDOWS\system32\DRIVERS\emOEM.sys [2007-08-07 15:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1b6e931c-cdde-11dc-84c0-00132070eb86}]
\Shell\AutoRun\command - E:\TVCenterPro.exe -autorun

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1b6e931d-cdde-11dc-84c0-00132070eb86}]
\Shell\AutoRun\command - K:\TVCenterPro.exe -autorun
\Shell\Shell01\Command - K:\TVCenterPro.exe
\Shell\Shell02\Command - K:\TVCenterProSettings.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-28 22:38:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-04-16 18:31:59 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1168197975.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
.
- - - - ORPHANS REMOVED - - - -

BHO-{5D72C2A4-9AC6-4727-A705-CEA1F0220B78} - C:\WINDOWS\system32\yaywtRHB.dll
HKLM-Run-7c0014f3 - C:\WINDOWS\system32\pwchyurv.dll
ShellExecuteHooks-{5D72C2A4-9AC6-4727-A705-CEA1F0220B78} - C:\WINDOWS\system32\yaywtRHB.dll
Notify-yaywtRHB - yaywtRHB.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-03 21:10:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ehome\ehRecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\Webshots\Webshots.scr
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-07-03 21:21:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-04 04:20:57

Pre-Run: 224,471,568,384 bytes free
Post-Run: 225,102,295,040 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons




Malwarebytes Anti-Malware log

Malwarebytes' Anti-Malware 1.19
Database version: 920
Windows 5.1.2600 Service Pack 2

12:16:22 AM 7/4/2008
mbam-log-7-4-2008 (00-16-22).txt

Scan type: Quick Scan
Objects scanned: 42054
Time elapsed: 6 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 20
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\kgqfweltgbn.dll (Trojan.FakeAlert) -> Unloaded module successfully.
C:\WINDOWS\nqgpedlr.dll (Trojan.FakeAlert) -> Unloaded module successfully.
C:\WINDOWS\okmdepgb.dll (Trojan.FakeAlert) -> Unloaded module successfully.
C:\WINDOWS\axrfgvek.dll (Trojan.FakeAlert) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\cpbrkpie.coupon6ctrl.1 (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a85a5e6a-de2c-4f4e-99dc-f469df5a0eec} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e780f0b-bcd6-40cb-b2db-7af47ab4d4a4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a138be8b-f051-4802-9a3f-a750a6d862d4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{50365571-a7c7-47b3-854d-f45fdfc6687e} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{aaaac6f5-a653-4b2a-9c02-8ebd19366183} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{da6ebdce-4207-455c-b9db-c3fa5e440c20} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec77eafc-62d0-42b4-b2fb-64d6b18c5bdd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ec77eafc-62d0-42b4-b2fb-64d6b18c5bdd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{830af45a-70fe-4f42-820c-478e6f07bd92} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{28eaf37d-f93d-4d40-8f70-654cc2fcba2e} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{dfd3c411-b6e4-49e6-a4d9-88f45fe2556d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9ced295a-667e-48d2-8736-a8afc35f0188} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{957dd7b5-f807-44af-ac52-bf230ad0214f} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\nqgpedlr.bmfr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\nqgpedlr.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\CouponPrinter.ocx (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{dfd3c411-b6e4-49e6-a4d9-88f45fe2556d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\okmdepgb (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\axrfgvek (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\CouponPrinter.ocx (Adware.Coupons) -> Quarantined and deleted successfully.
C:\WINDOWS\kgqfweltgbn.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\nqgpedlr.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\okmdepgb.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\axrfgvek.dll (Trojan.FakeAlert) -> Delete on reboot.




After mt first post and running ComboFix and Malwarebytes, I downloaded Spybot Search and Destroy. It found a few other things along with Zlob which I removed.

Still have a slow 'puter, slow web browser loading, and slow programs opening up, Microsoft Outlook slow and crashing.

Happy 4th of July!

-Amy

#3 TMacK

TMacK

  • Members
  • 4,672 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:B.C. Canada
  • Local time:05:04 AM

Posted 04 July 2008 - 08:23 PM

Hello The Diver,

It is never a good idea to follow instructions given to another member in the Hijack and Malware Removal forum.
Even if your problem is similar to the original poster's problem, the solution could be totally different due to different hardware, software, system requirements, etc....

Also, Combofix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.

aaaaaaaa a~Suzie Wagner

#4 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,911 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:08:04 AM

Posted 04 July 2008 - 09:34 PM

Assistant was HJT Team Member Steamwiz. Topic moved to HJT forum at his request. :)

Back to you Steamwiz.

Orange Blossom :thumbsup:

Edited by steamwiz, 05 July 2008 - 03:28 PM.
changed his/her request. to "his request."

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#5 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:12:04 PM

Posted 05 July 2008 - 03:53 PM

Hi

Thank You TMacK & Orange Blossom :thumbsup:

The Diver ... Combofix & Malwarebytes appear to have removed all the malware they found ...


Please now post a DSS log for me ... & a Kaspersky Online Scan report ...

Download Deckard's System Scanner (formerly Comboscan) to your Desktop.

Note: You must be logged onto an account with administrator privileges.

1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply.
5. Then do the same with extra.txt

Note: you'll find extra.txt here :- C:\Deckard\System Scanner\extra.txt

Please remember to post both txt files ...


Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

THEN ..

Please run a Kaspersky Online Scan

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

Click Accept

You will be promted to install an ActiveX component from Kaspersky,
Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Once finished, save the log to your Desktop as filename KAV.txt
steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware Posted Image

#6 The Diver

The Diver
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:05:04 AM

Posted 06 July 2008 - 03:00 AM

Hi Steam -

I have the following .txt logs from the DSS and Kaspersky. I see Kaspersky caught something else. Just another thing that my computer started doing is beeping from the CPU about every 10 seconds. It's the beep you hear when the computer restarts or begins booting when you first turn it on.

Here ya go......



Deckard's System Scanner v20071014.68
Run by AMY on 2008-07-05 18:09:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
77: 2008-07-06 01:09:38 UTC - RP468 - Deckard's System Scanner Restore Point
76: 2008-07-05 17:40:33 UTC - RP467 - Avg8 Update
75: 2008-07-04 04:01:28 UTC - RP466 - ComboFix created restore point
74: 2008-07-04 01:59:32 UTC - RP465 - Installed AVG Free 8.0
73: 2008-07-04 00:41:52 UTC - RP464 - Installed Ad-Aware


-- First Restore Point --
1: 2008-07-04 00:00:15 UTC - RP392 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 503 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-05 18:11:47
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\ehome\ehRecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Allume\ZipMagic\MXTask.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Allume\ZipMagic\MXTask.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\DeltTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1bg.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\TMController.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\ArcSoft\TotalMedia 3\TMMonitor.exe
C:\Program Files\LivePerson\Expert\LPExpertMessenger.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Webshots\Webshots.scr
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\AMY\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: Shell=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [M-Audio Delta Taskbar Icon] C:\WINDOWS\System32\DeltTray.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [TM Control] C:\WINDOWS\system32\TMController.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: LivePerson Expert Messenger.lnk = ?
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: TMMonitor.lnk = ?
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Transfer by Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html (file missing)
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html (file missing)
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html (file missing)
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html (file missing)
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html (file missing)
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} () - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/active...oad/XUpload.ocx
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
O23 - Service: Sony TVTA Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
O23 - Service: ZipMagic Task Manager - Allume Systems, Inc. - C:\Program Files\Allume\ZipMagic\MXTask.exe


--
End of file - 14278 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe",2
.js - JSFile - shell\open\command - %SystemRoot%\System32\CScript.exe "%1" %*
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*
.vbs - VBSFile - shell\open\command - %SystemRoot%\System32\CScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 zmxpzip - c:\windows\system32\drivers\zmxpzip.sys <Not Verified; Allume Systems; StuffIt® ZipFolders®>
R1 DVDVRRdr_xp - c:\windows\system32\drivers\dvdvrrdr_xp.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R3 Afc (PPdus ASPI Shell) - c:\windows\system32\drivers\afc.sys <Not Verified; Arcsoft, Inc.; Arcsoft® ASPI Shell>
R3 AV88BASE (Cx2388x Base Driver) - c:\windows\system32\drivers\av88base.sys <Not Verified; Conexant, Inc.; av88base.sys>
R3 DELTA (Service for Delta Driver (WDM)) - c:\windows\system32\drivers\delta.sys <Not Verified; Midiman/M-Audio; M-Audio Delta WDM Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 ZipMagic Task Manager - c:\progra~1\allume\zipmagic\mxtask.exe -service <Not Verified; Allume Systems, Inc.; ZipMagic>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Controller
Device ID: PCI\VEN_14F1&DEV_8801&SUBSYS_08C117DE&REV_05\4&23C0B1C&0&09F0
Manufacturer:
Name: Multimedia Controller
PNP Device ID: PCI\VEN_14F1&DEV_8801&SUBSYS_08C117DE&REV_05\4&23C0B1C&0&09F0
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-05-28 15:38:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-04-16 11:31:59 338 --a------ C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1168197975.job


-- Files created between 2008-06-05 and 2008-07-05 -----------------------------

2008-07-04 01:28:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-04 00:07:18 0 d-------- C:\Documents and Settings\AMY\Application Data\Malwarebytes
2008-07-04 00:07:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-04 00:07:14 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-03 21:02:27 0 d-------- C:\cmdcons
2008-07-03 21:00:50 68096 --a------ C:\WINDOWS\zip.exe
2008-07-03 21:00:50 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-03 21:00:50 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-03 21:00:50 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-03 21:00:50 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-03 21:00:50 98816 --a------ C:\WINDOWS\sed.exe
2008-07-03 21:00:50 80412 --a------ C:\WINDOWS\grep.exe
2008-07-03 21:00:50 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-03 19:02:33 0 d--h----- C:\$AVG8.VAULT$
2008-07-03 18:59:54 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-03 18:59:35 0 d-------- C:\Program Files\AVG
2008-07-03 18:59:34 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-03 17:42:01 0 d-------- C:\Program Files\Lavasoft
2008-07-03 17:42:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-03 17:41:08 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-02 21:08:56 0 d--hs---- C:\found.000
2008-06-18 08:58:04 86016 --a------ C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>


-- Find3M Report ---------------------------------------------------------------

2008-07-04 13:23:29 0 d-------- C:\Program Files\Coupons
2008-07-03 17:41:08 0 d-------- C:\Program Files\Common Files
2008-06-11 01:00:11 0 d-------- C:\Documents and Settings\AMY\Application Data\Roxio
2008-05-14 19:54:56 0 d-------- C:\Documents and Settings\AMY\Application Data\AdobeUM
2008-05-12 10:02:01 0 d-------- C:\Program Files\mIRC


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [08/10/2004 05:04 AM]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [08/12/2004 06:45 PM C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"VAIO Update 2"="C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" [01/14/2005 02:43 PM]
"SoundMan"="SOUNDMAN.EXE" [11/02/2004 03:53 PM C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [11/29/2004 03:00 PM C:\WINDOWS\ALCWZRD.EXE]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [02/08/2005 11:36 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [02/08/2005 11:32 AM]
"AGRSMMSG"="AGRSMMSG.exe" [10/08/2004 10:50 AM C:\WINDOWS\AGRSMMSG.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [03/22/2005 09:05 PM]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [04/19/2003 10:08 PM]
"M-Audio Delta Taskbar Icon"="C:\WINDOWS\System32\DeltTray.exe" [08/27/2004 12:43 AM]
"DeltTray"="DeltTray.exe" [08/27/2004 12:43 AM C:\WINDOWS\system32\DeltTray.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [04/13/2004 03:36 PM]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [08/27/2003 02:20 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [08/28/2007 09:22 AM]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [07/25/2007 04:02 PM]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [07/25/2007 04:06 PM]
"TM Control"="C:\WINDOWS\system32\TMController.exe" [02/05/2007 06:50 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/05/2008 10:40 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 05:45 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

C:\Documents and Settings\AMY\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 8:16:50 PM]
LivePerson Expert Messenger.lnk - C:\Program Files\LivePerson\Expert\LPExpertMessenger.exe [4/22/2008 3:38:48 PM]
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [1/11/2007 6:34:41 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 11:05:26 PM]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [4/9/2003 6:41:38 PM]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [4/9/2003 7:11:12 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 9:05:56 PM]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [12/17/2002 6:23:32 PM]
TMMonitor.lnk - C:\Program Files\ArcSoft\TotalMedia 3\TMMonitor.exe [1/28/2008 2:21:15 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1b6e931c-cdde-11dc-84c0-00132070eb86}]
AutoRun\command- E:\TVCenterPro.exe -autorun

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1b6e931d-cdde-11dc-84c0-00132070eb86}]
AutoRun\command- K:\TVCenterPro.exe -autorun
Shell01\Command- K:\TVCenterPro.exe
Shell02\Command- K:\TVCenterProSettings.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8772 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-05 18:12:55 ------------





Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.20GHz
CPU 1: Intel® Pentium® 4 CPU 3.20GHz
Percentage of Memory in Use: 70%
Physical Memory (total/avail): 502.73 MiB / 148.47 MiB
Pagefile Memory (total/avail): 1227.48 MiB / 770.48 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1928.12 MiB

C: is Fixed (NTFS) - 232.88 GiB total, 209.36 GiB free.
D: is CDROM (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)

\\.\PHYSICALDRIVE0 - WDC WD2500JS-98NCB1 - 232.88 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 232.88 GiB - C:

\\.\PHYSICALDRIVE2 - Sony USB HS-CF USB Device

\\.\PHYSICALDRIVE1 - Sony USB HS-MS USB Device

\\.\PHYSICALDRIVE4 - Sony USB HS-SD MMC USB Device

\\.\PHYSICALDRIVE3 - Sony USB HS-SM/xD USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.

AV: AVG Anti-Virus Free v8.0 (AVG Technologies)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\ArcSoft\\TotalMedia 3\\TotalMedia.exe"="C:\\Program Files\\ArcSoft\\TotalMedia 3\\TotalMedia.exe:LocalSubNet:Enabled:ArcSoft TotalMedia 3"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\AMY\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-47375C5FC1
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\AMY
LOGONSERVER=\\YOUR-47375C5FC1
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Microsoft SQL Server\80\Tools\Binn;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Allume\ZipMagic;C:\Program Files\Allume\ZipMagic\OfficeReady StuffIt;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0403
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\AMY\LOCALS~1\Temp
TMP=C:\DOCUME~1\AMY\LOCALS~1\Temp
USERDOMAIN=YOUR-47375C5FC1
USERNAME=AMY
USERPROFILE=C:\Documents and Settings\AMY
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

AMY (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> Dummy
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Agere Systems PCI Soft Modem --> agrsmdel
AI RoboForm --> "C:\Program Files\Siber Systems\AI RoboForm\rfwipeout.exe"
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ArcSoft TotalMedia 3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{268CF0B8-CA38-4E20-9E99-514A07F7C1F1}\Setup.exe" -l0x9
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Click to DVD 2.0.03 Menu Data --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E407618-D9CD-4F39-9490-9ED45294073D}\setup.exe" -l0x9 -removeonly
Click to DVD 2.4.02 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E809063C-51A3-4269-8984-D1EB742F2151}\setup.exe" -l0x9 -removeonly
CONNECT --> "C:\Program Files\Sony\CONNECT\unwise.exe" /A "C:\Program Files\Sony\CONNECT\install.log" Uninstall CONNECT
Coupon Printer for Windows --> "C:\Program Files\Coupons\uninstall.exe" "/U:C:\Program Files\Coupons\Uninstall\uninstall.xml"
CuteFTP 8 Professional --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{91F34319-08DE-457A-99C0-0BCDFAC145B9}\Setup.exe" -l0x9
Cypress USB Mass Storage Driver Installation --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E0695EE-ED29-4D96-BD77-2A9A17EDF0D6}\Setup.exe" -l0x9 NotFirstInstall
Delta --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A4810699-E859-43A6-8F40-1743873E72AB}\setup.exe" -l0x9 -removeonly
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVgate Plus --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{685BCC47-B8EC-45EC-BBCE-77DF2451502C}\Setup.exe" -l0x9
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HP Photo and Imaging 2.0 - All-in-One --> MsiExec.exe /X{9867A917-5D17-40DE-83BA-BEA5293194B1}
HP Photo and Imaging 2.0 - All-in-One Drivers --> MsiExec.exe /X{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}
HP Photo and Imaging 2.0 - hp psc 2200 series --> C:\Program Files\Hewlett-Packard\Digital Imaging\{7C8BB31C-E09E-4c7d-BBF1-45E33B467FE1}\Setup\hpzscr01.exe -datfile hposcr02.dat -forcereboot
hp psc 2200 series --> MsiExec.exe /X{913DA816-E8E4-4467-8D22-E2DF5DBF04E4}
Image Converter 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9155A84B-A94B-496E-9661-9978EB0CBC7C}\Setup.exe" /UNINSTALL
Intel A/V Codecs V2.0 --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\system32\CDUninst.isu
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2782 PCI\VEN_8086&DEV_2582
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
InterVideo WinDVD for VAIO --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
J2SE Runtime Environment 5.0 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150000}
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java™ SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
LivePerson Expert Messenger --> C:\WINDOWS\unvise32.exe C:\Program Files\LivePerson\Expert\uninstal.log
Logitech Audio Echo Cancellation Component --> MsiExec.exe /X{BEF726DD-4037-4214-8C6A-E625C02D2870}
Logitech QuickCam --> MsiExec.exe /X{364EC092-93CF-4DDC-9D7A-7278452028E0}
Logitech Video Enumerator --> MsiExec.exe /X{EA516024-D84D-41F1-814F-83175A6188F2}
Logitech® Camera Driver --> "C:\Program Files\Common Files\LogiShrd\QCDRV\BIN\SETUP.EXE" UNINSTALL REMOVEPROMPT
Macromedia Dreamweaver 8 --> MsiExec.exe /I{0837A661-FEC3-48B3-876C-91E7D32048A9}
Macromedia Extension Manager --> MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Memory Stick Formatter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{27337663-2619-11D4-99DC-0000F49094C7}\setup.exe" -l0x9 /UNINSTALL
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR) --> MsiExec.exe /X{689404D2-1C94-44B3-9203-BEC5594FDA7A}
Microsoft SQL Server Desktop Engine (VAIO_VEDB) --> MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
mIRC --> "C:\Program Files\mIRC\mirc.exe" -uninstall
MoodLogic --> C:\WINDOWS\ml-uninstall-v10.exe
Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\AMY\Application Data\Move Networks\ie_bin\Uninst.exe
Movielink eHome version 1.1 --> "C:\Program Files\Movielink\eHome\unins000.exe"
MVision --> MsiExec.exe /I{35725FBC-A136-4A46-9F29-091759D9BB93}
Napster --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BBBCAE4B-B416-4182-A6F2-438180894A81}\Setup.exe" -l0x9 AddRemoveCPRun
Netscape Internet Service Setup --> "C:\Program Files\Online Services\Netscape Online Setup\unwise.exe" /A "C:\Program Files\Online Services\Netscape Online Setup\install.log" Uninstall Netscape Internet Service Setup
OpenMG Limited Patch 4.1-05-13-31-01 --> C:\Program Files\Common Files\Sony Shared\OpenMG\HotFixes\HotFix4.1-05-13-31-01\HotFixSetup\setup.exe /u
OpenMG Secure Module 4.1.00 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{2F151B50-B434-4838-B51D-70442EBA093E} UNINSTALL
PassAlong Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC4732F4-665D-4E6B-8E50-74D6B6FBE5A9}\setup.exe" -l0x9
PictureGear Studio 2.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88DA0A52-3372-4803-971A-ADFB961707E8}\Setup.exe"
Quicken 2005 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{2DBE41DD-2129-4C65-A3D3-5647236A60F3} anything
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" REMOVE
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Roxio Burn Engine --> MsiExec.exe /X{9860A9CF-7E71-43AC-888F-0B4D3EA212D1}
Roxio Easy Media Creator 7 --> MsiExec.exe /I{CB4544EA-C189-41FE-9E3A-76591DDB852B}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sonic Encoders --> MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Sonic Foundry SIREN Jukebox 2.0 --> MsiExec.exe /I{4113F418-58A3-46A3-821C-50E934B45ED3}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
SonicStage 3.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A0EB195B-5876-48E6-879D-33D4B2102610}\setup.exe" -l0x9 UNINSTALL -removeonly
SonicStage Mastering Studio Audio Filter Custom Preset --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{013E1BA8-C815-4E27-BCB9-D6B1B2E24094}\setup.exe" -l0x9
Sony ACID Pro 6.0 --> MsiExec.exe /X{2956585F-DB2F-45C2-9363-F8CB0BB4F2A7}
Sony Certificate PCH --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0448678-1203-4158-A58F-B3D0B616BF9E}\setup.exe"
Sony Media Manager 2.2 --> MsiExec.exe /X{2B5A75F0-FD85-4094-AB00-94902398D192}
Sony MP4 Shared Library --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{01FDC9FC-4D4F-4DB0-ACD1-D3E8E1D52902}\setup.exe" -l0x9 -removeonly
Sony TV Tuner Library 1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40D1BC4F-56CB-458E-BE8C-35A025CC52FB}\Setup.exe" -l0x9 UNINSTALL
Sony Video Shared Library --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BE56FEF0-1A0F-4719-B3AD-34B5087AFA6D}\setup.exe" -l0x9 -removeonly
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
TaxACT 2007 --> C:\PROGRA~1\2NDSTO~1\TAXACT~1\Unta07.exe C:\PROGRA~1\2NDSTO~1\TAXACT~1\Install.log
TaxACT California 2007 --> C:\PROGRA~1\2NDSTO~1\TAXACT~1\Unst07.exe C:\PROGRA~1\2NDSTO~1\TAXACT~1\CA.log
TM Control --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC2716A6-9985-43D2-AD36-DA6F1FF1F386}\Setup.exe" -l0x9 -removeonly
Turbo Lister 2 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{69640730-B830-4C24-BB5C-222DA1260548}
Update Rollup 1 for Windows XP Media Center Edition 2005 with HDTV Support (KB873369) --> C:\WINDOWS\$NtUninstallMC05Upd1$\spuninst\spuninst.exe
USB Storage Adapter FX (SM1) --> SM1UN.EXE SM1FX_AT
VAIO Control Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4E993095-28F2-4060-9101-99C1FD1195C0}\Setup.exe" -l0x9
VAIO Entertainment Platform --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D917FD82-6CE5-489A-AAF8-C701AAC85C4D}\setup.exe" -l0x9
VAIO Media 4.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1EB317D8-8945-4FD6-B37F-DF470317C6AB}\Setup.exe" -l0x9 UNINSTALL
VAIO Media AC3 Decoder 1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2063C2E8-3812-4BBD-9998-6610F80C1DD4}\Setup.exe" -l0x9 UNINSTALL
VAIO Media Integrated Server 4.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A79D11B-FD82-4A5E-834F-20173515DD14}\setup.exe" -l0x9 UNINSTALL -removeonly
VAIO Media Redistribution 4.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7128C69B-8F7E-4336-8698-3FD3CDD955EC}\Setup.exe" -l0x9 UNINSTALL
VAIO Media Registration Tool 4.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AF9A04EB-7D8E-41DE-9EDE-4AB9BB2B71B6}\setup.exe" -l0x9 UNINSTALL
VAIO Original Screen Saver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1BEF9285-5530-426B-A5F1-5836B95C7EB1}\setup.exe" -l0x9
VAIO Original Screen Saver VAIO Motion SD Wide Contents --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{51735133-A296-4EB0-BF16-AD93B55BD000}\setup.exe" -l0x9
VAIO Registration --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{315BA29D-2644-4760-B5FD-5AC04A52B8C5}
VAIO Structure Wallpaper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E715FA41-46EB-4D3F-B4D9-A45973E76026}\setup.exe" -l0x9
VAIO Survey Standalone --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{FA11D5B5-7D0A-43E8-88C4-960F97B194DE}
VAIO Update 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48820099-ED7D-424B-890C-9A82EF00656D}\setup.exe" -l0x9
Webshots Desktop --> "C:\Program Files\Webshots\unins000.exe"
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Media Encoder 9 Series --> msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9 Series --> MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows XP Media Center Edition 2005 KB890629 -->
Windows XP Media Center Edition 2005 KB895198 --> C:\WINDOWS\$NtUninstallKB895198$\spuninst\spuninst.exe
WordPerfect Office 12 --> MsiExec.exe /I{AF19F291-F22F-4798-9662-525305AE9E48}
Yahoo! Mail Quick Select Tool (PhotoMail) --> C:\PROGRA~1\Yahoo!\Common\unymb.exe
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Photos Easy Upload Tool --> C:\Program Files\Yahoo!\Common\ydropper_uninst.exe /ylog=C:\PROGRA~1\Yahoo!\Photos\Uploader\install.log
Yahoo! Photos Print-at-Home Tool --> C:\WINDOWS\unins000.exe
ZipMagic Deluxe --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{6BBE49F6-DE11-474A-9F78-E24BD42081A6}


-- Application Event Log -------------------------------------------------------

Event Record #/Type55507 / Warning
Event Submitted/Written: 07/05/2008 10:41:55 AM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{364EC092-93CF-4DDC-9D7A-7278452028E0}', feature 'QuickCam', component '{B52C7B4D-F46F-438C-ADF2-05A138C57757}' failed. The resource 'HKEY_CURRENT_USER\Software\Logitech\QuickCam10\DesktopShortcutKey' does not exist.

Event Record #/Type55506 / Warning
Event Submitted/Written: 07/05/2008 10:41:54 AM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{364EC092-93CF-4DDC-9D7A-7278452028E0}', feature 'QuickCam' failed during request for component '{C207503F-9631-4AF6-8CD2-D11260DBA3C5}'

Event Record #/Type55505 / Warning
Event Submitted/Written: 07/05/2008 10:41:54 AM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{364EC092-93CF-4DDC-9D7A-7278452028E0}', feature 'QuickCam', component '{B52C7B4D-F46F-438C-ADF2-05A138C57757}' failed. The resource 'HKEY_CURRENT_USER\Software\Logitech\QuickCam10\DesktopShortcutKey' does not exist.

Event Record #/Type55500 / Warning
Event Submitted/Written: 07/05/2008 10:37:46 AM
Event ID/Source: 19011 / MSSQL$VAIO_VEDB
Event Description:
(SpnRegister) : Error 1355

Event Record #/Type55498 / Error
Event Submitted/Written: 07/05/2008 10:37:43 AM
Event ID/Source: 4 / Media Center Receiver
Event Description:
TV tuner malfunction. (0x80040265) Conexant 2388x Tuner



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type71096 / Error
Event Submitted/Written: 07/05/2008 10:37:25 AM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.0.2 for the Network Card with network address 00132070EB86 has been
denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type71092 / Warning
Event Submitted/Written: 07/05/2008 00:26:36 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type70905 / Error
Event Submitted/Written: 07/04/2008 00:43:42 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.0.2 for the Network Card with network address 00132070EB86 has been
denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type70798 / Error
Event Submitted/Written: 07/03/2008 10:40:18 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.0.3 for the Network Card with network address 00132070EB86 has been
denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type70755 / Warning
Event Submitted/Written: 07/03/2008 08:54:28 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



-- End of Deckard's System Scanner: finished at 2008-07-05 18:12:55 ------------


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, July 5, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, July 05, 2008 19:24:44
Records in database: 916362
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 115564
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 02:07:18


File name / Threat name / Threats count
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
C:\QooBox\Quarantine\C\WINDOWS\system32\pwchyurv.dll.vir Infected: Trojan.Win32.Monder.alh 1

The selected area was scanned.








THANKS!

-Amy

#7 The Diver

The Diver
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:05:04 AM

Posted 06 July 2008 - 01:30 PM

Disregard beeping from the CPU. No longer doing it. Don't know why.

'Puter still processing very slow. Loooong time for browser to load and programs to open up.

#8 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:12:04 PM

Posted 06 July 2008 - 03:29 PM

HI

Your java is only one update out-of-date, which would normally be OK ... but you have failed to remove earlier versions, by leaving these they can be exploited ...

Go to add/remove programs and uninstall any earlier versions ... in your case :-

uninstall them all

J2SE Runtime Environment 5.0
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ SE Runtime Environment 6 Update 1

Then You can go here and install the latest version of Java.

http://java.sun.com/javase/downloads/index.jsp

Scroll down the page to 'Java Runtime Environment (JRE) 6 Update 6' and press the 'Download' button.


Running an out-of-date version of java is an infection risk.

-
Did you install mIRC (Internet Relay Chat client for Windows) yourself ? or was it downloaded without your knowledge ?

The other item found by the KASPERSKY ONLINE SCAN is in Combofix quarantine, & it's safe there :thumbsup:

Your logs look pretty good :)

Please Download CCleaner from :-

http://www.filehippo.com/download_ccleaner/ (click the download tab)

During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.

doubleclick the ccsetup.exe file and install the program...

After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Make sure the "windows" tab is selected

Under "internet explorer" tick...

Temporary internet files
Cookies* > see Note below
History
Recently typed URL's
(leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history


under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently used lists"

Other explorer MRU's
(leave this unticked if you DON'T want to clear lists such as the start\run list)

under "System"

Tick ALL these ...


under "Advanced"

no need to tick any of these (but you can if you want, and realise what they do)


Applications tab...

These will mostly clean out old log files for these applications...

Clean:- (if you use them)

Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm

...
Personally I clean everything in the applications tab... but you tick what you want...

Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

click "analyse" if you want to see a list of what is going to be removed, before it is removed.

Or

click "run cleaner" to let it get on with it's work... clicking this will result in the following pop-up

"This process will permanently delete files from your system. Are you sure you wish to proceed?"

click OK.


RE: Just another thing that my computer started doing is beeping from the CPU about every 10 seconds.

First thing that comes to mind ... is this a desktop or a laptop ? ... some laptops will do this if the ac power is disconnected, or if the battery starts getting low.

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware Posted Image

#9 The Diver

The Diver
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:05:04 AM

Posted 07 July 2008 - 10:38 PM

Hi Steam -

I uninstalled all out of date versions of Java.

I did install mIRC, so that is okay.

A few things still going on..... when I boot up the computer it takes me to the black screen with white text and gives me the option to select booting up into Windows Recovery Console or Windows XP. It automatically defaults to Windows XP (which I want), but before running all the fixes, it didn't used to do that. Booting up take a lot longer than it used to.

Also when opening up the browser or MS Outlook, it takes forever. I also hear the hard drive constantly straining to work and process things. It used to be quite and only made noise when streaming video. It now seems to be grinding away quite often.

Since downloading ComboFix, Malwarebytes, Ad-Aware, Spybot, AVG Free, and DSS, make system tray on the task bar is full. Do you think this could be part of the problem with all those things running?

Since we have seemed to have gotten rid of the Zlob and other bad infections would it be wise to uninstall any of the above programs?

Thank you again for the help.

Any suggestions of what programs to use as protection against anti-virus, anti-spy, anti-malware, etc?

-Amy

#10 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:12:04 PM

Posted 08 July 2008 - 02:47 PM

Hi

The black screen you see before booting is a result of installing the recovery console with Combofix, it is only visible for 2 seconds, if you ever can't boot into windows then choosing the recovery console will most likely allow a helper to help you recover your windows installation without having to format & reinstall ... learn to blink at that point in startup & you wont even see it :thumbsup:

Booting up take a lot longer than it used to.

Also when opening up the browser or MS Outlook, it takes forever. I also hear the hard drive constantly straining to work and process things. It used to be quite and only made noise when streaming video. It now seems to be grinding away quite often


how much is a lot longer ?

It also sounds like you are trying to open your browser or MS Outlook whilst something is checking for & downloading updates... there are not enough resources available to do everything you are trying to do ...

Next time you boot & try to open up your browser or Outlook ... Ctrl-Alt-Del and tell me which process is using all the CPU ... at the bottom it will say CPU usage (probably 100%) look at the columns, one will be headed CPU ... most will say 00 ... which program has the highest figure ?

Since downloading ComboFix, Malwarebytes, Ad-Aware, Spybot, AVG Free, and DSS, make system tray on the task bar is full. Do you think this could be part of the problem with all those things running?

Since we have seemed to have gotten rid of the Zlob and other bad infections would it be wise to uninstall any of the above programs?


ComboFix, Malwarebytes, Ad-Aware, and DSS are all using NO resources, except when you are running a scan with them...

Spybot & AVG Free are both monitoring your system for the intrusion of malware ... AVG for virus & spybots teatimer for spyware/adware etc, so they are using some resources, though not enough to affect you opening other programs, unless AVG is in the process of downloading updates ...

When was the last time you did a defrag ? you probably have fragmented files all over your hard-drive & this will slow down you boot time ...

WE don't need Combofix anymore so ...

Go to Start > Run > copy and paste ComboFix /u into the Open: box & press OK

Posted Image

Did you run Ccleaner ?

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware Posted Image

#11 The Diver

The Diver
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:05:04 AM

Posted 09 July 2008 - 01:17 PM

Hi Steam -

Ok, I'll try to blink just at that moment (even though I know it's still there). :)


I did run cCleaner.

I did time how long it takes to open MS Outlook and from the time of clicking on the icon to the actual application opening up was 28 seconds. I.E. took 8 seconds. I've noticed this happens mostly when I open the application or program for the first time. If I close the application and decide to open it up later, it does not take nearly as long to load.

I made sure that the AVG was not in the middle of a scan, because I know that definitely makes my hard drive grind away with the noise. I checked to see what processes are using up the CPU and I was surprised to see the CPU said only approximately 30%. Here are the main culprits:

System Idle Process - 84
TMController.exe - 12
avgrsx.exe - 20 - 40
avgupd.exe
avgtray

Also, most of the time when the browser is open and I click on a link to a web page, the lower left-hand side of the browser window indicates, "Opening page [url="http://www.....""]http://www....."[/url] etc. The little green bars at the bottom of I.E. browser indicate how much loading of the page is left. Most of the time and on no particular web site, I.E. says it is still opening the page and the green bars are all lit up, but never go away as if the page is still loading. When I take the cursor to the upper right-hand corner of the browser near the "X", I see the little hour glass symbol along side the cursor. Any thoughts?

*Side Note* Oh, and the beeping every 10 seconds. I have no shame to admit it was something silly. There was a cordless phone sitting on the floor whose battery was dying and the beeping was coming from the dead battery w/o the phone being charged on the base. I kept crawling under the 'puter desk and could SWEAR I heard it coming from the CPU. Don't you love those boneheads who post stuff like that and expect you to solve the problem. Heh!

Back to my infection..... Most things seem well except for the above and a lot of crap running in my system tray.

I'm still a little afraid to do online bill paying and shopping with my credit card. Do you think there is any need to worry at this point? Any way to be doubley sure aside from reformating and reinstalling the OS?

Thanks again for you time and help.
:thumbsup:
-Amy

#12 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:12:04 PM

Posted 09 July 2008 - 04:19 PM

Hi

The System Idle Process shows the amount of CPU NOT being used (unlike all the other processes which show the amount of CPU being used...

SO ... System Idle Process - 84 > means 84% free ... it would normally be in the 80's or 90's when you are not running scans.

Now ...

avgrsx.exe - 20 - 40
avgupd.exe
avgtray

these are AVG processes ...

RE: avgrsx.exe

This google search shows hits with observations from users saying such things as ...

1. I notice that avgrsx.exe uses excessive ups on startup in my Windows XP SP2 system.
2. At system startup the resident scanner process (avgrsx.exe) runs fluctuating at near to full CPU usage for almost three minu..
3. Resident Shield component ( avgrsx.exe ) uses up process time & slows everything down
4. I know it's caused by AVG 8, cause "avgrsx.exe" goes to 100% CPU usage while ... As soon as "avgrsx.exe" goes back to zero the menu opens. ...
5. Heaviest being avgrsx.exe which shows a memory usuage of 44000k. ...
6. It's bloated, Disabling the link scanner improves browsing performance, but it's made a powerful system more sluggish. avgrsx.exe is using between 16 and 48 megs at the moment in RAM according to Task Manager and it's just sitting there passive, not running a scan or updating.

As a long term AVG user I'm not impressed.

http://www.google.com/search?sourceid=navc...;q=avgrsx%2eexe

Another search for avg8 resources

http://www.google.com/search?sourceid=navc...=avg8+resources

shows lots of people complaining of the same problems as you ...

Check out some of them for yourself, then decide if you want to uninstall AVG & try another free anti-virus instead ...

You could try one of these free anti-virus :-

Avira Antivirus Classic (free):
http://www.free-av.com/

Here is an excellent Guide to its installation and use:-
http://www.techsupportforum.com/content/Se...rticles/64.html

AVAST!
http://www.avast.com/eng/avast_4_home.html

Only Install one & make sure you get the latest updates once installed...

-
TMController.exe - 12

This is your HDTV tuner card, must be running for the remote to work.

probably this one :- http://www.geniatech.com/pa/x8000a.htm

12% appears to be normal, even when not in use ...

-
With the way malware hides nowadays, no-one can ever guarantee that any computer is clean, unless it has just undergone a format & reinstall ... however I would be 99.9% sure yours is safe to use for anything you want... your logs never showed any evidence of a worm or backdoor Trojan which could have allowed a hacker access to your computer, in which case anything could have been done and hidden from you, the only safe thing to do in this case would have been to reformat ... BUT what you had were adware downloaders etc, the sort of things which cause browser redirects and adware pop-ups ...

As for the "a lot of crap running in my system tray"

Sounds like these are icons you don't use, in which case you can always hide inactive icons ...

Right click the START button > Properties > taskbar tab ...

At the very bottom under "notification area" make sure "hide inactive icons" is checked ...

You can also click the customise button to decide which icons you want to show and which you want to hide ...

remember to click apply when you are done.

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware Posted Image

#13 The Diver

The Diver
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:05:04 AM

Posted 14 July 2008 - 11:12 PM

Hi Steam,

Thank you for all your help. Can I send a small Paypal donation directly to your e-mail addy rather than through the link on your signature line? That way I can convert U.S. dollars to pounds.

Cheers!

Amy

#14 The Diver

The Diver
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:05:04 AM

Posted 15 July 2008 - 02:41 PM

AVG Free just ran a scan and found some stuff. Do these seem questionable to you? Where the heck did they come from? They were listed under the "infections" tab.


multiple DivXInstaller.exe in temp folder

in \\WINDOWS\system32
enwa.exe
mrvtdpqe.exe
winlogon.exe (784)
yaywtRHB.dll


Any thoughts? I clicked "Remove all unhealed infections" but nothing happened or changed.

Edited by The Diver, 15 July 2008 - 02:41 PM.


#15 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  •  
  • Local time:12:04 PM

Posted 16 July 2008 - 03:45 PM

Hi

RE: "multiple DivXInstaller.exe in temp folder"

Where is the temp folder located ? have you downloaded a DivXInstaller.exe file using a p2p program ?

I would like you to post some more logs for me ...

The files you say AVG mentioned are most likely vundo related ...this one yaywtRHB.dll was no longer on your computer according to Combofix in post#2 ... the FIRST time you ran Combofix it removed orphan registry entries pointing to this file ...

- - - - ORPHANS REMOVED - - - -

BHO-{5D72C2A4-9AC6-4727-A705-CEA1F0220B78} - C:\WINDOWS\system32\yaywtRHB.dll
ShellExecuteHooks-{5D72C2A4-9AC6-4727-A705-CEA1F0220B78} - C:\WINDOWS\system32\yaywtRHB.dll
Notify-yaywtRHB - yaywtRHB.dll

The filename is randomly generated & could not have been regenerated with the same filename ...

I am wondering if these files are in a quarantine folder somewhere ...

If you still have Malwarebytes please update it and run a new scan with it & post the results ...

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users