
Infected with popup adware (and maybe other things)


This topic is locked
11 replies to this topic

#1 David Billo

David Billo

  • Members
  • 37 posts

Posted 21 December 2008 - 02:15 PM

I acquired some trojan yesterday, and thought that Trend Micro had quarantined it. I checked the Windows folder and system32 subfolder for the most recent additions and changes. There is a Tasks folder there with a new scheduled task, which I deleted. (Sorry, I didn't make a note of what it did.) There was also a DCEBoot application, which I deleted, and in system32 there are a couple of .dlls which I can't delete:

ssqQgddA.dll
fvcnoo.dll

Afterward, I kept getting IE hangs, and when rebooting, Explorer would hang on shutdown. This morning, I'm getting pop-up adware, and also attempts by AV2009 to trick me. I had that one a few weeks ago, and think I got rid of it, although I noticed a brastk entry in the registry startup list. That's where I'm at now.

Logfile of random's system information tool 1.05 (written by random/random)
Run by David Billo at 2008-12-21 14:00:11
Microsoft Windows XP Professional Service Pack 3
System drive F: has 89 GB (59%) free of 151 GB
Total RAM: 2046 MB (68% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:00:27 PM, on 21/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\nvsvc32.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
F:\WINDOWS\system32\fxssvc.exe
F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
F:\WINDOWS\RTHDCPL.EXE
F:\Program Files\Saitek\SD6\Software\ProfilerU.exe
F:\Program Files\Saitek\SD6\Software\SaiMfd.exe
F:\Program Files\Logitech\MouseWare\system\em_exec.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Messenger\msmsgs.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\WINDOWS\system32\NOTEPAD.EXE
F:\Documents and Settings\David Billo\Desktop\RSIT.exe
F:\Program Files\trend micro\David Billo.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)
O2 - BHO: (no name) - {88ABF02D-C5AF-4E99-AA9D-8FC045BA354D} - F:\WINDOWS\system32\ssqQgddA.dll
O2 - BHO: {63826a8f-37b4-0668-95e4-88d415f2f59e} - {e95f2f51-4d88-4e59-8660-4b73f8a62836} - F:\WINDOWS\system32\fvcnoo.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [pccguide.exe] "F:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [ProfilerU] F:\Program Files\Saitek\SD6\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] F:\Program Files\Saitek\SD6\Software\SaiMfd.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] F:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [MSConfig] F:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NVIDIA nTune] "F:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218855998531
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O20 - AppInit_DLLs: fvcnoo.dll
O20 - Winlogon Notify: byXonlll - F:\WINDOWS\
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - F:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - F:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - F:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - F:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - F:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - F:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 6037 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{88ABF02D-C5AF-4E99-AA9D-8FC045BA354D}]
F:\WINDOWS\system32\ssqQgddA.dll [2008-12-20 302592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e95f2f51-4d88-4e59-8660-4b73f8a62836}]
F:\WINDOWS\system32\fvcnoo.dll [2008-12-21 129024]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=F:\WINDOWS\RTHDCPL.EXE [2007-10-24 16855552]
"Alcmtr"=F:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"pccguide.exe"=F:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe [2007-01-23 3429904]
"ProfilerU"=F:\Program Files\Saitek\SD6\Software\ProfilerU.exe [2007-10-02 233472]
"SaiMfd"=F:\Program Files\Saitek\SD6\Software\SaiMfd.exe [2007-10-02 131072]
"Logitech Utility"=F:\WINDOWS\Logi_MwX.Exe [2003-12-17 19968]
"NvCplDaemon"=F:\WINDOWS\system32\NvCpl.dll [2007-11-06 8523776]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=F:\WINDOWS\system32\NvMcTray.dll [2007-11-06 81920]
"NeroFilterCheck"=F:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2006-01-12 155648]
"MSConfig"=F:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe [2008-04-14 169984]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=F:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"MSMSGS"=F:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]
"NVIDIA nTune"=F:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe [2007-09-04 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]
[]

F:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="fvcnoo.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\byXonlll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
F:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
F:\WINDOWS\system32\ssqQgddA

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"F:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="F:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2008-12-21 14:00:11 ----D---- F:\rsit
2008-12-21 12:34:08 ----A---- F:\WINDOWS\system32\fvcnoo.dll
2008-12-21 12:32:06 ----ASH---- F:\WINDOWS\system32\rmbmffnn.ini
2008-12-20 12:20:13 ----ASH---- F:\WINDOWS\system32\AddgQqss.ini2
2008-12-20 12:20:13 ----ASH---- F:\WINDOWS\system32\AddgQqss.ini
2008-12-20 12:20:11 ----A---- F:\WINDOWS\system32\ssqQgddA.dll
2008-12-15 14:43:24 ----A---- F:\Documents and Settings\David Billo\Application Data\hsbo.dll
2008-12-15 14:24:21 ----A---- F:\WINDOWS\system32\CAIlang.txt
2008-12-15 14:24:14 ----D---- F:\Program Files\Naviter
2008-12-12 20:03:55 ----HDC---- F:\WINDOWS\$NtUninstallKB955839$
2008-12-12 20:02:31 ----HDC---- F:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-12 20:02:28 ----HDC---- F:\WINDOWS\$NtUninstallKB954600$
2008-12-12 20:02:22 ----HDC---- F:\WINDOWS\$NtUninstallKB956802$

======List of files/folders modified in the last 1 months======

2008-12-21 14:00:27 ----D---- F:\Program Files\Trend Micro
2008-12-21 14:00:18 ----D---- F:\WINDOWS\Temp
2008-12-21 14:00:04 ----D---- F:\WINDOWS\Prefetch
2008-12-21 13:28:18 ----A---- F:\WINDOWS\win.ini
2008-12-21 13:28:18 ----A---- F:\WINDOWS\system.ini
2008-12-21 13:19:22 ----D---- F:\WINDOWS\system32
2008-12-21 13:16:51 ----D---- F:\WINDOWS
2008-12-21 13:12:41 ----A---- F:\WINDOWS\ModemLog_U.S. Robotics 56K Fax PCI.txt
2008-12-21 13:11:37 ----A---- F:\WINDOWS\SchedLgU.Txt
2008-12-20 16:02:52 ----D---- F:\WINDOWS\system32\CatRoot2
2008-12-20 12:36:12 ----SD---- F:\WINDOWS\Tasks
2008-12-18 20:03:10 ----D---- F:\Program Files\HyperLobbyPro3
2008-12-18 20:01:34 ----D---- F:\Documents and Settings\David Billo\Application Data\teamspeak2
2008-12-18 17:46:05 ----A---- F:\WINDOWS\DCADWin.Ini
2008-12-17 18:31:35 ----HD---- F:\WINDOWS\inf
2008-12-17 18:31:32 ----RSHDC---- F:\WINDOWS\system32\dllcache
2008-12-17 18:31:28 ----HD---- F:\WINDOWS\$hf_mig$
2008-12-15 14:24:14 ----RD---- F:\Program Files
2008-12-13 01:40:02 ----A---- F:\WINDOWS\system32\mshtml.dll
2008-12-12 20:04:17 ----SHD---- F:\WINDOWS\Installer
2008-12-12 20:04:15 ----D---- F:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-12-12 20:03:58 ----A---- F:\WINDOWS\imsins.BAK
2008-12-12 20:03:46 ----D---- F:\Program Files\Internet Explorer
2008-12-12 13:18:45 ----SHD---- F:\System Volume Information
2008-12-12 13:18:45 ----D---- F:\WINDOWS\system32\Restore
2008-12-11 13:46:22 ----D---- F:\WINDOWS\system32\FxsTmp
2008-12-09 18:24:37 ----A---- F:\WINDOWS\system32\MRT.exe
2008-12-09 15:35:48 ----D---- F:\Program Files\Condor
2008-12-08 22:26:35 ----A---- F:\WINDOWS\NeroDigital.ini
2008-12-01 11:31:58 ----D---- F:\WINDOWS\system32\drivers

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AsIO;AsIO; F:\WINDOWS\system32\drivers\AsIO.sys [2006-10-18 12664]
R1 intelppm;Intel Processor Driver; F:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; F:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 tmtdi;Trend Micro TDI Driver; F:\WINDOWS\system32\DRIVERS\tmtdi.sys [2006-12-29 75088]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; F:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]
R2 Hardlock;Hardlock; \??\F:\WINDOWS\system32\drivers\hardlock.sys []
R2 tmcomm;tmcomm; \??\F:\WINDOWS\system32\drivers\tmcomm.sys []
R2 tmmbd;Trend Micro MBD Driver; F:\WINDOWS\system32\DRIVERS\tm_mbd_c.sys [2006-12-29 111888]
R2 tmpreflt;tmpreflt; F:\WINDOWS\system32\DRIVERS\tmpreflt.sys [2008-08-16 36368]
R2 tmxpflt;tmxpflt; F:\WINDOWS\system32\DRIVERS\tmxpflt.sys [2008-08-16 205328]
R2 vsapint;vsapint; F:\WINDOWS\system32\DRIVERS\vsapint.sys [2008-08-16 1195448]
R3 Arp1394;1394 ARP Client Protocol; F:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; F:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; F:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); F:\WINDOWS\system32\drivers\RtkHDAud.sys [2007-11-01 4620288]
R3 L8042pr2;Logitech PS/2 Mouse Filter Driver; F:\WINDOWS\system32\DRIVERS\L8042pr2.Sys [2003-12-17 51729]
R3 LMouFlt2;Logitech Mouse Class Filter Driver; F:\WINDOWS\system32\DRIVERS\LMouFlt2.Sys [2003-12-17 70801]
R3 mouhid;Mouse HID Driver; F:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 MTsensor;ATK0110 ACPI UTILITY; F:\WINDOWS\system32\DRIVERS\ASACPI.sys [2004-08-12 5810]
R3 NIC1394;1394 Net Driver; F:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 npusbio;npusbio; F:\WINDOWS\System32\Drivers\npusbio.sys [2008-01-11 36384]
R3 nv;nv; F:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2007-11-06 7429088]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; F:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2007-10-12 54144]
R3 nvnetbus;NVIDIA Network Bus Enumerator; F:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2007-10-12 22016]
R3 NVR0Dev;NVR0Dev; \??\F:\WINDOWS\nvoclock.sys []
R3 SaiH0255;SaiH0255; F:\WINDOWS\system32\DRIVERS\SaiH0255.sys [2007-05-01 132232]
R3 SaiH0464;SaiH0464; F:\WINDOWS\system32\DRIVERS\SaiH0464.sys [2007-05-01 132232]
R3 SaiMini;SaiMini; F:\WINDOWS\system32\DRIVERS\SaiMini.sys [2007-10-05 14080]
R3 SaiNtBus;SaiNtBus; F:\WINDOWS\system32\drivers\SaiBus.sys [2007-10-05 35200]
R3 tmcfw;Trend Micro Common Firewall Service; F:\WINDOWS\system32\DRIVERS\TM_CFW.sys [2006-12-29 288848]
R3 usbccgp;Microsoft USB Generic Parent Driver; F:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; F:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; F:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; F:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
S3 NPUSB;NPUSB; F:\WINDOWS\system32\DRIVERS\npusb.sys [2007-03-23 22816]
S3 PciCon;PciCon; \??\E:\PciCon.sys []
S3 USBSTOR;USB Mass Storage Driver; F:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; F:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; F:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; F:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Fax;Fax; F:\WINDOWS\system32\fxssvc.exe [2008-04-14 267776]
R2 ForceWare Intelligent Application Manager (IAM);ForceWare Intelligent Application Manager (IAM); F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe [2007-10-12 598016]
R2 nSvcIp;ForceWare IP service; F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe [2007-10-12 151552]
R2 nTuneService;nTune Service; F:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe [2007-09-04 131072]
R2 NVSvc;NVIDIA Display Driver Service; F:\WINDOWS\system32\nvsvc32.exe [2007-11-06 155716]
R2 PcCtlCom;Trend Micro Central Control Component; F:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe [2007-01-23 1922576]
R2 Tmntsrv;Trend Micro Real-time Service; F:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2006-12-29 480784]
R2 TmPfw;Trend Micro Personal Firewall; F:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe [2006-12-29 943696]
R2 tmproxy;Trend Micro Proxy Service; F:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe [2006-12-29 566872]
R3 PcScnSrv;Trend Micro Protection Against Spyware ; F:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe [2006-12-29 214544]
S3 aspnet_state;ASP.NET State Service; F:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-04-13 33632]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; F:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-04-13 68952]
S3 odserv;Microsoft Office Diagnostics Service; F:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; F:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; F:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; F:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.05 2008-12-21 14:00:28

======Uninstall list======

-->F:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
-->F:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
-->F:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
-->F:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
-->F:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 F:\WINDOWS\INF\PCHealth.inf
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
5D PDF Creator-->RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{A2A227E0-8DEC-11D2-A564-B2890D000000}\setup.exe" -Uninstall
Adobe Flash Player ActiveX-->F:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Advertisement Service-->F:\WINDOWS\system32\prunnet.exe Uninstall
Antarctica Scenery 01.04-->F:\Program Files\Condor\Landscapes\Antarctica\Uninstal_Antarctica0104.exe
Condor: The Competition Soaring Simulator 1.1.2-->F:\Program Files\Condor\uninst.exe
DataCAD® for Windows®-->F:\WINDOWS\IsUninst.exe -f"f:\program files\Datacad\Uninst.isu"
DH Driver Cleaner Professional Edition-->F:\Program Files\Driver Cleaner Pro\Uninstall.exe
DivX Codec-->F:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Converter-->F:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player-->F:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player-->F:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
EasternAlps Scenery 2.0-->F:\Program Files\Condor\Landscapes\uninstall_EasternAlps2.0.exe
ffdshow [rev 2033] [2008-07-05]-->"F:\Program Files\ffdshow\unins000.exe"
FLV Player 1.3.3-->"F:\Program Files\FLVPlayer\uninstall.exe"
Fraps-->"F:\Program Files\Fraps\uninstall.exe"
Google Earth-->MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Hardlock Device Driver-->F:\WINDOWS\system32\UNWISE.EXE F:\WINDOWS\system32\HLDRV.LOG
HASP HL Device Driver-->F:\WINDOWS\system32\UNWISE.EXE F:\WINDOWS\system32\hdd32.log
High Definition Audio Driver Package - KB888111-->"F:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"F:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"F:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"F:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"F:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hyper Lobby Pro Client version 3.9.111-->"F:\WINDOWS\lsb_un20.exe" /C=UC /N=Hyper Lobby Pro Client version 3.9.111
IGC Flight Replay 0.6-->"C:\Programme\ywtw\unins000.exe"
IL-2 Sturmovik 1946-->F:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{79438F1E-DEC3-443D-9DCD-FECE2D68C605} /l1033
LiveTracker-->MsiExec.exe /I{EEF4D3C9-5E8F-49BC-9836-B5E3993424CD}
Logitech MouseWare 9.79.1 -->RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{5809E7CF-4DCF-11D4-9875-00105ACE7734}\Setup.exe" -l0x9 -l0009 UNINSTALL
Microsoft .NET Framework 2.0-->F:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Compression Client Pack 1.0 for Windows XP-->"F:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"F:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"F:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Home and Student 2007-->"F:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007-->MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"F:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Works 4.5-->F:\Program Files\MSWorks\Setup45\setup.exe
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Nero 7 Essentials-->MsiExec.exe /I{FC18317E-BB91-4502-8909-E5AB70BC1033}
NGO NVIDIA Optimized Driver v1.16369-->F:\WINDOWS\unvise32.exe F:\Program Files\NGONVOD116369\uninstal.log
NVIDIA Drivers-->F:\WINDOWS\system32\nvudisp.exe UninstallGUI
NVIDIA ForceWare Network Access Manager-->"F:\Program Files\InstallShield Installation Information\{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}\setup.exe" -runfromtemp -l0x0409 -removeonly
NVIDIA ForceWare Network Access Manager-->MsiExec.exe /I{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}
NVIDIA nTune-->F:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF} /l1033
Paint Shop Pro 4.12-->F:\PROGRA~1\PAINTS~1\UNWISE.EXE F:\PROGRA~1\PAINTS~1\INSTALL.LOG
PC Probe II-->RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{F7338FA3-DAB5-49B2-900D-0AFB5760C166}\setup.exe" -l0x9
Pdf995-->c:\pdf995\setup.exe uninstall
PdfEdit995-->c:\pdf995\res\utilities\thinsetup.exe - uninstall
Realtek High Definition Audio Driver-->RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" -l0x9 -removeonly
Saitek SD6 Programming Software 6.0.10.7-->MsiExec.exe /X{DC6CD4F8-6AF8-4B47-A25A-9D9560D3845E}
Scenery Hungary v1.0 for Condor Soaring Simulator-->F:\Program Files\Condor\Uninstal.exe
Security Update for 2007 Microsoft Office System (KB951550)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {B243E9A5-ED77-4F1B-B338-2486FD82DC85}
Security Update for 2007 Microsoft Office System (KB951944)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {797AE457-BA17-4BBC-B501-25FB3A0103C7}
Security Update for 2007 Microsoft Office System (KB958439)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {6491B8AA-D11C-4648-A461-6234B31EB7E2}
Security Update for Microsoft .NET Framework 2.0 (KB928365)-->F:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {8056AC9E-49C5-4375-9ADE-B2F862C9DF51} /package {7131646D-CD3C-40F4-97B9-CD9E4E6262EF}
Security Update for Microsoft Office Excel 2007 (KB958437)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {648FC016-2D6B-4A16-8D87-404533642F4B}
Security Update for Microsoft Office OneNote 2007 (KB950130)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {F1B2401C-B610-4BF2-AA1C-52C55827A8F4}
Security Update for Microsoft Office PowerPoint 2007 (KB951338)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {558B709B-821B-4FC5-90FC-9A8890641E77}
Security Update for Microsoft Office system 2007 (KB954326)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {5F7F6FFF-395D-480E-8450-64F385D82C5F}
Security Update for Microsoft Office system 2007 (KB956828)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {885E081B-72BD-4E76-8E98-30B4BE468FAC}
Security Update for Microsoft Office Word 2007 (KB956358)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {4551666D-0FD6-4C69-8A81-1C6F2E64517C}
Security Update for Windows Internet Explorer 7 (KB938127)-->"F:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"F:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"F:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"F:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"F:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"F:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"F:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"F:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"F:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->F:\WINDOWS\system32\MacroMed\Flash\genuinst.exe F:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"F:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"F:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"F:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"F:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"F:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"F:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"F:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"F:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"F:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"F:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"F:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"F:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"F:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"F:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"F:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"F:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"F:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"F:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"F:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"F:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"F:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"F:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"F:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"F:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
SeeYou Version 3.9-->"F:\Program Files\Naviter\SeeYou\unins000.exe"
ShowCondorIGC-->"F:\Program Files\Condor\ShowCondorIGCuninstall.exe"
TeamSpeak 2 RC2-->"F:\Program Files\Teamspeak2_RC2\unins000.exe"
TrackIR4-->RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{BE6E6BF7-6A81-4EC2-AD29-4580025149F1}\setup.exe"
Trend Micro PC-cillin Internet Security 2007-->F:\PROGRA~1\TRENDM~1\INTERN~1\remove.exe
Trend Micro PC-cillin Internet Security 2007-->MsiExec.exe /X{BB4B6355-D38A-492C-873B-A1B2CF6C3832}
Update for Office 2007 (KB946691)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Windows XP (KB942763)-->"F:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"F:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"F:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"F:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Ventrilo-->MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
VideoLAN VLC media player 0.8.6i-->F:\Program Files\VideoLAN\VLC\uninstall.exe
VNC Personal Edition P4.2.7-->"F:\Program Files\RealVNC\VNC4\unins000.exe"
Windows Media Format 11 runtime-->"F:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"F:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"F:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"F:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"F:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->F:\Program Files\WinRAR\uninstall.exe

======Security center information======

AV: Trend Micro PC-cillin Internet Security 2007
FW: Trend Micro PC-cillin Internet Security (Firewall)

System event log

Computer Name: CHENMING
Event Code: 10016
Message: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{BC866CF2-5486-41F7-B46B-9AA49CF3EBB1}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19). This security permission can be modified using the Component Services administrative tool.

Record Number: 33098
Source Name: DCOM
Time Written: 20081215155429.000000-300
Event Type: error
User: NT AUTHORITY\LOCAL SERVICE

Computer Name: CHENMING
Event Code: 10016
Message: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{BC866CF2-5486-41F7-B46B-9AA49CF3EBB1}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19). This security permission can be modified using the Component Services administrative tool.

Record Number: 33097
Source Name: DCOM
Time Written: 20081215155331.000000-300
Event Type: error
User: NT AUTHORITY\LOCAL SERVICE

Computer Name: CHENMING
Event Code: 10016
Message: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{BC866CF2-5486-41F7-B46B-9AA49CF3EBB1}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19). This security permission can be modified using the Component Services administrative tool.

Record Number: 33096
Source Name: DCOM
Time Written: 20081215155329.000000-300
Event Type: error
User: NT AUTHORITY\LOCAL SERVICE

Computer Name: CHENMING
Event Code: 10016
Message: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{BC866CF2-5486-41F7-B46B-9AA49CF3EBB1}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19). This security permission can be modified using the Component Services administrative tool.

Record Number: 33095
Source Name: DCOM
Time Written: 20081215155232.000000-300
Event Type: error
User: NT AUTHORITY\LOCAL SERVICE

Computer Name: CHENMING
Event Code: 10016
Message: The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{BC866CF2-5486-41F7-B46B-9AA49CF3EBB1}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19). This security permission can be modified using the Component Services administrative tool.

Record Number: 33094
Source Name: DCOM
Time Written: 20081215155230.000000-300
Event Type: error
User: NT AUTHORITY\LOCAL SERVICE

Application event log

Computer Name: CHENMING
Event Code: 1800
Message: The Windows Security Center Service has started.

Record Number: 5
Source Name: SecurityCenter
Time Written: 20081011160852.000000-240
Event Type: information
User:

Computer Name: CHENMING
Event Code: 1800
Message: The Windows Security Center Service has started.

Record Number: 4
Source Name: SecurityCenter
Time Written: 20081011160708.000000-240
Event Type: information
User:

Computer Name: CHENMING
Event Code: 1800
Message: The Windows Security Center Service has started.

Record Number: 3
Source Name: SecurityCenter
Time Written: 20081011151135.000000-240
Event Type: information
User:

Computer Name: CHENMING
Event Code: 1800
Message: The Windows Security Center Service has started.

Record Number: 2
Source Name: SecurityCenter
Time Written: 20081011150352.000000-240
Event Type: information
User:

Computer Name: CHENMING
Event Code: 1800
Message: The Windows Security Center Service has started.

Record Number: 1
Source Name: SecurityCenter
Time Written: 20081011150159.000000-240
Event Type: information
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 23 Stepping 6, GenuineIntel
"PROCESSOR_REVISION"=1706
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

#2 Orange Blossom (OBleepin Investigator, Moderator, 37,009 posts, Bloomington, IN)

Posted 28 December 2008 - 04:22 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below, a staff member will review them and take the steps necessary with you to get your machine back in working order, clean and free of malware.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results; click No to the Optional_Scan.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 David Billo (Topic Starter, Members, 37 posts)

Posted 29 December 2008 - 11:44 AM

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Since posting, I was able to stop the popups, and corral or disable the original infection. I was able to delete the two offending .dll files mentioned by dragging them to desktop, renaming, and deleting after reboot.

I also ran a Trend Micro scan, which identified some registry entries, and was able to delete those. I then ran a Kaspersky Online Critical Area scan, which did not identify any infections, other than some items which were in Trend Micro Quarantine, and it also did not like my RealVNC remote admin software, and flagged it:

F:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
F:\Program Files\Trend Micro\Internet Security 2007\Quarantine\3.tmp Infected: Trojan.Win32.Agent.arpl 1
F:\Program Files\Trend Micro\Internet Security 2007\Quarantine\40.tmp Infected: Trojan.Win32.Agent.arpl 1
F:\Program Files\Trend Micro\Internet Security 2007\Quarantine\54.tmp Infected: Trojan-Downloader.Win32.Small.acxh 1
F:\Program Files\Trend Micro\Internet Security 2007\Quarantine\55.tmp Infected: Trojan-Downloader.Win32.Agent.amoz 1


So at this point, the computer has been functioning normally for several days, however, I can see that there are still some registry entries left over from the infection, and I have not done anything about them. Would you still like me to d/l and run the above mentioned tool?

Oh, yeah, I also found that my Windows Automatic Update had been disabled, but I was able to get that fixed and enabled.

Edited by David Billo, 29 December 2008 - 12:38 PM.


#4 Orange Blossom (OBleepin Investigator, Moderator, 37,009 posts, Bloomington, IN)

Posted 29 December 2008 - 02:26 PM

Yes, please run that scan, as it will provide necessary information, especially since you have made changes to the computer since your initial log.


#5 David Billo (Topic Starter, Members, 37 posts)

Posted 29 December 2008 - 11:06 PM

DDS (Version 1.1.0) - NTFSx86
Run by David Billo at 22:39:21.45 on 29/12/2008
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1524 [GMT -5:00]

AV: Trend Micro PC-cillin Internet Security 2007 *On-access scanning disabled* (Updated)
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled*

============== Running Processes ===============

F:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
F:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
F:\WINDOWS\system32\fxssvc.exe
F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\RTHDCPL.EXE
F:\Program Files\Saitek\SD6\Software\ProfilerU.exe
F:\Program Files\Saitek\SD6\Software\SaiMfd.exe
F:\Program Files\Logitech\MouseWare\system\em_exec.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\Java\jre6\bin\jusched.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Messenger\msmsgs.exe
F:\WINDOWS\System32\svchost.exe -k HTTPFilter
F:\Documents and Settings\David Billo\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - f:\program files\java\jre6\bin\ssv.dll
BHO: {88abf02d-c5af-4e99-aa9d-8fc045ba354d} - f:\windows\system32\ssqQgddA.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - f:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - f:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {63826a8f-37b4-0668-95e4-88d415f2f59e}: {e95f2f51-4d88-4e59-8660-4b73f8a62836} - f:\windows\system32\fvcnoo.dll
uRun: [CTFMON.EXE] f:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "f:\program files\messenger\msmsgs.exe" /background
uRun: [NVIDIA nTune] "f:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [pccguide.exe] "f:\program files\trend micro\internet security 2007\pccguide.exe"
mRun: [ProfilerU] f:\program files\saitek\sd6\software\ProfilerU.exe
mRun: [SaiMfd] f:\program files\saitek\sd6\software\SaiMfd.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [NvCplDaemon] RUNDLL32.EXE f:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE f:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NeroFilterCheck] f:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SunJavaUpdateSched] "f:\program files\java\jre6\bin\jusched.exe"
mRun: [NWEReboot]
dRun: [CTFMON.EXE] f:\windows\system32\CTFMON.EXE
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - f:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - f:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - f:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - f:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
Trusted Zone: microsoft.com\*.update
Trusted Zone: windowsupdate.com\download
Notify: byXonlll -
AppInit_DLLs: fvcnoo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - f:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 f:\windows\system32\ssqQgddA

============= SERVICES / DRIVERS ===============

R2 tmpreflt;tmpreflt;f:\windows\system32\drivers\tmpreflt.sys [2008-7-22 36368]
R3 npusbio;npusbio;f:\windows\system32\drivers\npusbio.sys [2008-9-7 36384]
R3 SaiH0255;SaiH0255;f:\windows\system32\drivers\SaiH0255.sys [2007-5-1 132232]
R3 SaiH0464;SaiH0464;f:\windows\system32\drivers\SaiH0464.sys [2007-5-1 132232]
R3 tmcfw;Trend Micro Common Firewall Service;f:\windows\system32\drivers\TM_CFW.sys [2008-7-22 288848]
S2 Tmntsrv;Trend Micro Real-time Service;f:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2006-12-29 480784]
S2 TmPfw;Trend Micro Personal Firewall;f:\progra~1\trendm~1\intern~1\TmPfw.exe [2006-12-29 943696]
S2 tmproxy;Trend Micro Proxy Service;f:\progra~1\trendm~1\intern~1\tmproxy.exe [2006-12-29 566872]
S3 NPUSB;NPUSB;f:\windows\system32\drivers\npusb.sys [2008-7-22 22816]
S3 PciCon;PciCon;\??\E:\PciCon.sys []

=============== Created Last 30 ================

2008-12-23 18:00 <DIR> --d----- f:\windows\system32\NtmsData
2008-12-22 13:47 <DIR> --d----- f:\program files\Windows Live SkyDrive
2008-12-21 16:10 410,984 a------- f:\windows\system32\deploytk.dll
2008-12-21 16:10 73,728 a------- f:\windows\system32\javacpl.cpl
2008-12-21 12:32 1,668,120 a--sh--- f:\windows\system32\rmbmffnn.ini
2008-12-20 12:20 639,477 a--sh--- f:\windows\system32\AddgQqss.ini2
2008-12-20 12:20 639,477 a--sh--- f:\windows\system32\AddgQqss.ini
2008-12-15 14:43 128,064 a------- f:\docume~1\davidb~1\applic~1\hsbo.dll
2008-12-15 14:24 <DIR> --d----- f:\program files\Naviter

==================== Find3M ====================

2008-10-23 07:36 286,720 a------- f:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- f:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- f:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- f:\windows\system32\muweb.dll
2008-10-03 05:02 247,326 a------- f:\windows\system32\strmdll.dll
2008-08-15 22:45 32,768 a--sh--- f:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081520080816\index.dat

============= FINISH: 22:39:33.42 ===============


#6 Rosty (Skydive junkie, Malware Response Team, 1,220 posts)

Posted 31 December 2008 - 06:44 AM

Hi,

Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan (Full scan is optional. According to the program's creator Quick Scan will do just fine.).
Click Scan.
When the scan is complete, click OK, then Show Results to view the results.

If Malware is found...
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad.
Please save it to your desktop.

NOTE: Logs can be retrieved at a later date from the Malwarebytes' Anti-Malware main screen:

Launch Malwarebytes' Anti-Malware.
Click the Logs tab.
Double-click log-mm.dd.yyyy [xxxxxx].txt.

Click here to download HijackThis.
Save HJTInstall.exe to your Desktop.
Double click on the HJTInstall.exe icon to start the program.
By default it will install to C:\Program Files\Trend Micro\HijackThis
After the final dialogue box it will launch HijackThis.

Click on the scan button. It will scan and then ask you to save the log.
Save the log, and post it in your next reply.

In your next reply, please include:
-The log from Malwarebytes' Anti-Malware.
- A new HijackThis log
- How things are running
Proud member of ASAP since 2007

#7 David Billo (Topic Starter, Members, 37 posts)

Posted 31 December 2008 - 11:03 AM

Malwarebytes' Anti-Malware 1.31
Database version: 1582
Windows 5.1.2600 Service Pack 3

31/12/2008 10:47:19 AM
mbam-log-2008-12-31 (10-47-19).txt

Scan type: Full Scan (F:\|)
Objects scanned: 230534
Time elapsed: 1 hour(s), 24 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e95f2f51-4d88-4e59-8660-4b73f8a62836} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e95f2f51-4d88-4e59-8660-4b73f8a62836} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
F:\WINDOWS\system32\fvcnoo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
F:\Documents and Settings\David Billo\Local Settings\Temp\xpre.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
F:\Documents and Settings\David Billo\Local Settings\Temp\winvsnet.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
F:\Documents and Settings\David Billo\Local Settings\Temp\prun.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:28 AM, on 31/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Trend Micro\BM\TMBMSRV.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
F:\Program Files\Trend Micro\Internet Security\TmPfw.exe
F:\Program Files\Trend Micro\Internet Security\TmProxy.exe
F:\WINDOWS\system32\fxssvc.exe
F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
F:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
F:\WINDOWS\RTHDCPL.EXE
F:\Program Files\Saitek\SD6\Software\ProfilerU.exe
F:\Program Files\Saitek\SD6\Software\SaiMfd.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\Java\jre6\bin\jusched.exe
F:\Program Files\Logitech\MouseWare\system\em_exec.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Outlook Express\msimn.exe
F:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
F:\Program Files\Trend Micro\Internet Security\UfUpdUi.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {88ABF02D-C5AF-4E99-AA9D-8FC045BA354D} - F:\WINDOWS\system32\ssqQgddA.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - F:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ProfilerU] F:\Program Files\Saitek\SD6\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] F:\Program Files\Saitek\SD6\Software\SaiMfd.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] F:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "F:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NVIDIA nTune] "F:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [OE] F:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [OE] F:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218855998531
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O20 - AppInit_DLLs: fvcnoo.dll
O20 - Winlogon Notify: byXonlll - F:\WINDOWS\
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - F:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - F:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - F:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - F:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - F:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - F:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 6822 bytes

#8 Rosty (Skydive junkie, Malware Response Team, 1,220 posts)

Posted 01 January 2009 - 03:09 AM

Hi,

Open HijackThis, click Do a scan only, and place a check next to the following entries:

O2 - BHO: (no name) - {88ABF02D-C5AF-4E99-AA9D-8FC045BA354D} - F:\WINDOWS\system32\ssqQgddA.dll (file missing)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O20 - AppInit_DLLs: fvcnoo.dll
O20 - Winlogon Notify: byXonlll - F:\WINDOWS\

Close all other windows and browsers, except HijackThis, and click Fix Checked. Close HijackThis.

Reboot and post a new Hijackthis log. Let me know how things are running.
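
As an added example (not from any post in this thread, and not HijackThis's own logic), the Python script below applies, mechanically, the checks behind the four entries Rosty picked out of the HijackThis log in #7: a BHO registered under a CLSID with no name whose DLL is missing or sits in system32, an AppInit_DLLs value (any DLL listed there is loaded into every process that links user32.dll), and a Winlogon Notify package (loaded into winlogon.exe, which runs as SYSTEM) whose registration no longer names a DLL file. The sample lines are copied from that log, with the Java BHO's name reduced to plain ASCII. The "vendor BHOs do not live in system32" heuristic and the reason wording are this example's own assumptions, not HijackThis output, and an O4 Run entry such as ALCMTR.EXE is deliberately not judged by name alone.

```python
"""Flag persistence entries in HijackThis-style log lines.

Added example for this thread; not code from HijackThis or from any poster.
Only O2 (BHO) and O20 (AppInit_DLLs / Winlogon Notify) lines are judged.
"""
import re

# Constructed sample: lines copied from the HijackThis log posted in #7.
SAMPLE_LOG = r"""O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {88ABF02D-C5AF-4E99-AA9D-8FC045BA354D} - F:\WINDOWS\system32\ssqQgddA.dll (file missing)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O20 - AppInit_DLLs: fvcnoo.dll
O20 - Winlogon Notify: byXonlll - F:\WINDOWS\
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
MISSING = " (file missing)"


def _in_system32(path):
    # Assumption of this example: legitimate BHOs ship under Program Files,
    # so a BHO DLL under system32 is treated as suspicious.
    return "\\system32\\" in path.lower()


def check_bho(m):
    """Return a finding for a suspicious O2 line, or None for a normal one."""
    name, clsid, path = m.group("name"), m.group("clsid"), m.group("path")
    reasons = []
    if path.endswith(MISSING):
        path = path[: -len(MISSING)]
        reasons.append("registered DLL is missing (orphaned registration, still worth removing)")
    if name == "(no name)":
        reasons.append("BHO has no registered name")
    if _in_system32(path):
        reasons.append("BHO DLL lives in system32, where vendor BHOs do not")
    if not reasons:
        return None
    return {"kind": "bho", "clsid": clsid, "path": path, "reasons": reasons}


def check_appinit(m):
    """AppInit_DLLs is normally empty, so any DLL listed is a finding."""
    dlls = [d for d in re.split(r"[ ,]+", m.group("dlls")) if d]
    return {"kind": "appinit", "path": ", ".join(dlls),
            "reasons": ["AppInit_DLLs is normally empty; each listed DLL is injected "
                        "into every process that links user32.dll"]}


def check_notify(m):
    """Winlogon Notify packages run inside winlogon.exe as SYSTEM."""
    name, path = m.group("name"), m.group("path")
    reasons = ["Winlogon Notify package is loaded into winlogon.exe (SYSTEM) at logon"]
    if not path.lower().endswith(".dll"):
        reasons.append("registration names no DLL file (orphaned after the DLL was deleted)")
    return {"kind": "winlogon_notify", "name": name, "path": path, "reasons": reasons}


CHECKS = ((BHO_RE, check_bho), (APPINIT_RE, check_appinit), (NOTIFY_RE, check_notify))


def scan(log_text):
    """Walk a HijackThis log and return the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        for regex, check in CHECKS:
            m = regex.match(line)
            if m:
                finding = check(m)
                if finding:
                    findings.append(finding)
                break
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["kind"], f.get("path"), "|", "; ".join(f["reasons"]))
```

Run against the sample it reports exactly the three registry-backed entries Rosty asked to have fixed (the orphaned ssqQgddA BHO, fvcnoo.dll in AppInit_DLLs, and the byXonlll Winlogon Notify stub) and stays silent on the Java BHO and the NVIDIA service; whether a given O4 Run entry is wanted is left to the person holding the log, since a bare filename like ALCMTR.EXE cannot be judged without its path.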

#9 David Billo (Topic Starter, Members, 37 posts)

Posted 02 January 2009 - 02:33 PM

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE


OK, I've done as instructed, log below. Just curious, though, why the above was included, since this file, ALCMTR.exe, is something to do with my RealTekHD sound system?

The computer has been running fine, without popups of any sort, since 21st December, when I deleted those .dll files and Trend Micro removed some registry entries.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:25:13 PM, on 02/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Trend Micro\BM\TMBMSRV.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
F:\Program Files\Trend Micro\Internet Security\TmPfw.exe
F:\Program Files\Trend Micro\Internet Security\TmProxy.exe
F:\WINDOWS\system32\fxssvc.exe
F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
F:\WINDOWS\system32\wuauclt.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\RTHDCPL.EXE
F:\Program Files\Saitek\SD6\Software\ProfilerU.exe
F:\Program Files\Saitek\SD6\Software\SaiMfd.exe
F:\Program Files\Logitech\MouseWare\system\em_exec.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\Java\jre6\bin\jusched.exe
F:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - F:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ProfilerU] F:\Program Files\Saitek\SD6\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] F:\Program Files\Saitek\SD6\Software\SaiMfd.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] F:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "F:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NVIDIA nTune] "F:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [OE] F:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [OE] F:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218855998531
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - F:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - F:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - F:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - F:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - F:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - F:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - F:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 6438 bytes

#10 Rosty

Rosty

    Skydive junkie


  • Malware Response Team
  • 1,220 posts
  • OFFLINE
  •  
  • Local time:07:49 PM

Posted 02 January 2009 - 05:46 PM

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE


OK, I've done as instructed, log below. Just curious, though, why the above was included, since this file, ALCMTR.exe, is something to do with my RealTekHD sound system?


Yes, that's true, but take a look here: http://www.systemlookup.com/lists.php?list...arch=ALCMTR.EXE
  • Clean out Temporary Files etc.
    This program is for Vista, XP and Windows 2000 only
    Please download ATF Cleaner by Atribune.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All. Then remove the check mark for cookies
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    • Remove the check mark for Cookies
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt if asked.
    If you use Opera browser
    • Click Opera at the top and choose: Select All.
    • Remove the check mark for Cookies
    • Click the Empty Selected button.
    It is a good idea to do this every few weeks as a lot of junk collects there over time.

  • Create a new, clean System Restore point which you can use in case of future system problems:
    Press Start->All Programs->Accessories->System Tools->System Restore
    Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close

    Now remove old, infected System Restore points:
    Next click Start->Run and type cleanmgr in the box and press OK
    Ensure the boxes for Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.
    Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt
    Press OK and Yes to confirm

  • Set correct settings for files that should be hidden in Windows XP
    • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
    • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
    • If unchecked, please check Hide protected operating system files (Recommended)
    • If necessary check "Display content of system folders"
    • If necessary Uncheck Hide file extensions for known file types.
    • Click OK
  • Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program. If you want to help the developer of the program and get more information about the programs that you see in WinPatrol, please check out WinPatrol Plus. It does not need a new download.
  • If you are using Internet Explorer v. 7 please read and follow the recommendations at this site. http://surfthenetsafely.com/ieseczone8.htm
  • Update your Anti Virus Software - It is imperative that you update your Anti virus software at least a few times a week (Once a day is a good idea). If you do not update your anti virus software it will not be able to catch new variants that come out.
  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. Windows Firewall is not recommended.
    Be restrictive with granting access to the Internet. If you are unsure if the program really needs the access, test it by denying the access and see if this has any negative effects. If not, make the block permanent.
  • Never run two Antivirus programs or two Firewalls at the same time. They can interfere with each other and cause problems.
  • Visit Microsoft's Windows Update Site Frequently or better yet set computer for automatic updates.
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
  • Read and follow the suggestions given at this web site by Miekiemoes http://users.telenet.be/bluepatchy/miekiem...prevention.html that will give you more information on some of the points above.

  • Please check out Tony Klein's article "How did I get infected in the first place?"
Follow this list and your potential for being infected again will reduce dramatically. (prevention speech by Elrond)
Proud member of ASAP since 2007

#11 David Billo

David Billo
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:01:49 PM

Posted 03 January 2009 - 08:43 AM

:thumbsup: Thanks Rosty, Orange Blossom, and all the Bleepingcomputer crew! :)

Please check out Tony Klein's article "How did I get infected in the first place?"


The above link is dead...it seems CastleCops is history as of 23rd December, 2008.
I found it here:

http://forums.spybot.info/showthread.php?t=279

Edited by David Billo, 03 January 2009 - 08:48 AM.


#12 Rosty

Rosty

    Skydive junkie


  • Malware Response Team
  • 1,220 posts
  • OFFLINE
  •  
  • Local time:07:49 PM

Posted 03 January 2009 - 09:18 AM

:thumbsup: Thanks Rosty, Orange Blossom, and all the Bleepingcomputer crew! :)

Please check out Tony Klein's article "How did I get infected in the first place?"


The above link is dead...it seems CastleCops is history as of 23rd December, 2008.
I found it here:

http://forums.spybot.info/showthread.php?t=279



Thanks for telling me about the link.

We're glad we could help you. :)
Proud member of ASAP since 2007
