
Help me with Vundo.Agent!M Trojan


  • This topic is locked

#1
DJ_Inferno
Member, 108 posts
Here are the logs I have for my laptop.

OK, here is the main text:

Deckard's System Scanner v20071014.68
Run by Ben on 2008-07-12 19:16:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
9: 2008-07-12 09:06:42 UTC - RP77 - Windows Defender Checkpoint
8: 2008-07-12 08:59:36 UTC - RP75 - Windows Defender Checkpoint
7: 2008-07-12 08:35:56 UTC - RP73 - Windows Defender Checkpoint
6: 2008-07-12 07:52:12 UTC - RP71 - Installed Nero 8 Trial. Available with Windows Installer version 1.2 and later.
5: 2008-07-12 07:51:46 UTC - RP70 - Installed DirectX


-- First Restore Point --
1: 2008-07-12 05:20:02 UTC - RP64 - Windows Vista Service Pack 1


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Ben.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:19:01 PM, on 12/07/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\LGDMEBTN.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\LG Software\BatteryMiser\BatteryMiser5.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\Nero\Lib\NeroGadgetCMServer.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Users\Ben\Downloads\dss.exe
C:\Windows\system32\SearchFilterHost.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Ben.exe
C:\Windows\System32\wsqmcons.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: sqvgnrpx - {D1FAB52D-CD54-47B0-9BD3-F325CF4C7BA8} - C:\Windows\sqvgnrpx.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ATSwpNav] "C:\Program Files\Fingerprint Sensor\ATSwpNav" -run
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LG Direct Media Button Service] LGDMEBTN.exe
O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [BatteryMiser 5] C:\Program Files\LG Software\BatteryMiser\BatteryMiser5.exe
O4 - HKLM\..\Run: [KeybdUtility] C:\Program Files\LG Software\On Screen Display\HotKey.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Ben\AppData\Local\Temp\vtUnLcby.dll,c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: CCC.lnk = ?
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O13 - Gopher Prefix:
O21 - SSODL: fsrpknov - {1ADBC46B-793E-414F-BA6D-BD3B411BD301} - C:\Windows\fsrpknov.dll (file missing)
O21 - SSODL: fdxbameg - {5500F56C-B7A6-4922-A8D5-3E4D7ADC4084} - C:\Windows\fdxbameg.dll (file missing)
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Program Files\Softex\OmniPass\OmniServ.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe

--
End of file - 7659 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 lgsnd_filter - c:\windows\system32\drivers\lgsnd_filter.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe
R2 PLFlash DeviceIoControl Service - c:\windows\system32\ioctlsvc.exe <Not Verified; Prolific Technology Inc.; IoctlSvc Application>

S2 CLTNetCnService (Symantec Lic NetConnect service) - "c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-06-12 and 2008-07-12 -----------------------------

2008-07-13 04:39:44 80 --a------ C:\Windows\winresetup.cmd
2008-07-13 04:36:59 0 d-------- C:\Windows\SoftwareDistribution
2008-07-13 04:36:28 12 --a------ C:\Windows\bthservsdp.dat
2008-07-13 04:34:52 0 d-------- C:\Windows\CSC
2008-07-13 04:32:12 0 d--hs---- C:\System Volume Information
2008-07-12 19:18:44 0 d-------- C:\Program Files\Trend Micro
2008-07-12 18:00:30 0 d-------- C:\Program Files\NeroInstall.bak
2008-07-12 17:54:15 0 d-------- C:\Program Files\Nero
2008-07-12 17:54:15 0 d-------- C:\Program Files\Common Files\Nero
2008-07-12 17:46:19 26112 --a------ C:\Windows\system32\iiFyyVmj.dll
2008-07-12 17:46:18 26112 --a------ C:\Windows\system32\xxywwtsT.dll
2008-07-12 17:36:10 109782 --a------ C:\Windows\Copernic2001UninstallPlus.exe
2008-07-12 17:36:10 0 d-------- C:\Program Files\Copernic 2001 Pro
2008-07-12 17:29:16 0 d-------- C:\Program Files\Siber Systems
2008-07-12 17:09:37 0 d-------- C:\Program Files\Winamp
2008-07-12 17:00:39 0 d-------- C:\Program Files\DVD Shrink
2008-07-12 15:57:15 0 d-------- C:\Program Files\Messenger Plus! Live
2008-07-12 15:55:34 0 d-------- C:\Windows\PCHEALTH
2008-07-12 15:53:02 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-12 15:52:54 0 d-------- C:\Program Files\Windows Live
2008-07-12 15:34:57 0 d-------- C:\PerfLogs
2008-07-12 14:30:56 192512 --a------ C:\Windows\sqvgnrpx.dll
2008-07-12 14:29:59 102400 --a------ C:\Windows\gpefaowr.exe
2008-07-12 14:29:59 163840 --a------ C:\Windows\eswa.exe
2008-07-12 14:09:07 0 d-------- C:\Windows\system32\appmgmt
2008-07-12 13:55:10 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-12 13:49:33 0 d-------- C:\Program Files\Alwil Software
2008-07-12 13:40:12 0 d-------- C:\Program Files\your.mi.angel
2008-07-12 13:38:28 0 d-------- C:\Windows\system32\Macromed
2008-07-12 13:36:05 0 d-------- C:\Program Files\uTorrent
2008-07-12 12:31:45 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-12 12:31:12 0 d-------- C:\Program Files\EzManual
2008-07-12 12:30:02 7552 --a------ C:\Windows\system32\drivers\lgsnd_filter.sys
2008-07-12 12:30:02 114688 --a------ C:\Windows\system32\bmpsap.dll <Not Verified; ; Psap module>
2008-07-12 12:30:02 0 d-------- C:\Program Files\LG Software
2008-07-12 12:29:17 126976 --a------ C:\Windows\system32\Imsmudlg.exe <Not Verified; Intel® Corporation; Uninstset Installation Utility>
2008-07-12 12:29:17 0 d-------- C:\Windows\system32\ENU
2008-07-12 12:27:15 0 d-------- C:\Program Files\Softex
2008-07-12 12:20:22 0 d-------- C:\Program Files\Synaptics
2008-07-12 12:19:26 0 d-------- C:\Program Files\IVT Corporation
2008-07-12 12:19:23 0 --a------ C:\Windows\system32\0
2008-07-12 12:19:23 32 --a------ C:\Windows\0
2008-07-12 12:16:22 0 d-------- C:\Program Files\ATI Technologies
2008-07-12 12:16:18 0 d-------- C:\Program Files\ATI
2008-07-12 12:12:26 0 d-------- C:\Windows\system32\RTCOM
2008-07-12 12:11:28 0 d-------- C:\Program Files\Realtek
2008-07-12 12:11:17 499712 -r------- C:\Windows\RtlExUpd.dll <Not Verified; Realtek Semiconductor Corp.; RtlExUpd Dynamic Link Library>
2008-07-12 12:10:22 0 d-------- C:\Program Files\Fingerprint Sensor
2008-07-12 12:08:25 0 d-------- C:\Windows\tiinst
2008-07-12 12:08:09 0 d--hs---- C:\Windows\Installer
2008-07-12 12:07:42 50752 -----n--- C:\Windows\system32\agrsmdel.exe <Not Verified; Agere Systems; Agrsmdel>
2008-07-12 12:07:17 0 d-------- C:\Windows\Options
2008-07-12 12:03:01 0 d-------- C:\Program Files\Intel
2008-07-12 11:09:51 102912 --a------ C:\Windows\system32\Vb6stkit.dll <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-07-12 11:09:51 102160 --a------ C:\Windows\system32\VB6KO.DLL <Not Verified; Microsoft Corporation; Visual Basic Environment>
2008-07-12 11:09:51 9728 --a------ C:\Windows\system32\SYSINKO.DLL <Not Verified; Microsoft Corporation; SysInfo>
2008-07-12 11:09:51 30720 --a------ C:\Windows\system32\Rchtxko.dll <Not Verified; Microsoft Corporation; RichText>
2008-07-12 11:09:51 13824 --a------ C:\Windows\system32\INETKO.DLL <Not Verified; Microsoft Corporation; Microsoft Internet Transfer ???>
2008-07-12 11:09:51 83552 --a------ C:\Windows\system32\GAPI32.DLL <Not Verified; Microsoft Corporation; Microsoft® Windows™ Operating System>
2008-07-12 11:09:33 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-12 10:54:27 0 d-------- C:\Program Files\lg_swupdate
2008-07-12 10:53:50 0 d-------- C:\Program Files\Common Files\InstallShield
2008-07-12 10:49:36 0 dr------- C:\Users\Ben\Searches
2008-07-12 10:49:25 0 dr------- C:\Users\Ben\Contacts
2008-07-12 10:49:17 0 d--hs---- C:\Users\Ben\Templates <TEMPLA~1>
2008-07-12 10:49:17 0 d--hs---- C:\Users\Ben\Start Menu <STARTM~1>
2008-07-12 10:49:17 0 d--hs---- C:\Users\Ben\SendTo
2008-07-12 10:49:17 0 d--hs---- C:\Users\Ben\Recent
2008-07-12 10:49:17 0 d--hs---- C:\Users\Ben\PrintHood <PRINTH~1>
2008-07-12 10:49:17 0 d--hs---- C:\Users\Ben\NetHood
2008-07-12 10:49:17 0 d--hs---- C:\Users\Ben\My Documents <MYDOCU~1>
2008-07-12 10:49:17 0 d--hs---- C:\Users\Ben\Local Settings <LOCALS~1>
2008-07-12 10:49:17 0 d--hs---- C:\Users\Ben\Cookies
2008-07-12 10:49:17 0 d--hs---- C:\Users\Ben\Application Data <APPLIC~1>
2008-07-12 10:49:16 0 dr------- C:\Users\Ben\Videos
2008-07-12 10:49:16 0 dr------- C:\Users\Ben\Saved Games <SAVEDG~1>
2008-07-12 10:49:16 0 dr------- C:\Users\Ben\Pictures
2008-07-12 10:49:16 1048576 --ahs---- C:\Users\Ben\NTUSER.DAT
2008-07-12 10:49:16 0 dr------- C:\Users\Ben\Music
2008-07-12 10:49:16 0 dr------- C:\Users\Ben\Links
2008-07-12 10:49:16 0 dr------- C:\Users\Ben\Favorites <FAVORI~1>
2008-07-12 10:49:16 0 dr------- C:\Users\Ben\Downloads <DOWNLO~1>
2008-07-12 10:49:16 0 dr------- C:\Users\Ben\Documents <DOCUME~1>
2008-07-12 10:49:16 0 dr------- C:\Users\Ben\Desktop
2008-07-12 10:49:16 0 d--h----- C:\Users\Ben\AppData


-- Find3M Report ---------------------------------------------------------------

2008-07-12 17:57:27 0 d-------- C:\Users\Ben\AppData\Roaming\Nero
2008-07-12 17:54:15 0 d-------- C:\Program Files\Common Files
2008-07-12 17:45:34 0 d-------- C:\Users\Ben\AppData\Roaming\uTorrent
2008-07-12 17:15:10 0 d-------- C:\Users\Ben\AppData\Roaming\Winamp
2008-07-12 15:43:59 174 --ahs---- C:\Program Files\desktop.ini
2008-07-12 15:36:05 0 d-------- C:\Program Files\Windows Sidebar
2008-07-12 15:36:05 0 d-------- C:\Program Files\Windows Calendar
2008-07-12 15:36:05 0 d-------- C:\Program Files\Movie Maker
2008-07-12 15:36:04 0 d-------- C:\Program Files\Windows Photo Gallery
2008-07-12 15:36:04 0 d-------- C:\Program Files\Windows Mail
2008-07-12 15:36:04 0 d-------- C:\Program Files\Windows Journal
2008-07-12 15:36:04 0 d-------- C:\Program Files\Windows Collaboration
2008-07-12 15:36:00 0 d-------- C:\Program Files\Windows Defender
2008-07-12 13:48:13 0 d-------- C:\Users\Ben\AppData\Roaming\WinRAR
2008-07-12 13:42:33 0 d-------- C:\Users\Ben\AppData\Roaming\Macromedia
2008-07-12 13:42:33 0 d-------- C:\Users\Ben\AppData\Roaming\Adobe
2008-07-12 13:18:46 0 d-------- C:\Users\Ben\AppData\Roaming\ATI
2008-07-12 12:27:12 0 d-------- C:\Users\Ben\AppData\Roaming\InstallShield
2008-07-12 10:49:28 0 d-------- C:\Users\Ben\AppData\Roaming\Identities


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [19/01/2008 05:38 PM]
"ATSwpNav"="C:\Program Files\Fingerprint Sensor\ATSwpNav -run" []
"RtHDVCpl"="RtHDVCpl.exe" [29/12/2006 12:11 PM C:\Windows\RtHDVCpl.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [12/01/2007 01:36 PM]
"LG Direct Media Button Service"="LGDMEBTN.exe" [14/12/2006 07:50 PM C:\Windows\System32\LGDMEBTN.exe]
"OmniPass"="C:\Program Files\Softex\OmniPass\scureapp.exe" [22/12/2006 04:18 PM]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [29/09/2006 12:39 PM]
"BatteryMiser 5"="C:\Program Files\LG Software\BatteryMiser\BatteryMiser5.exe" [04/02/2007 12:10 PM]
"KeybdUtility"="C:\Program Files\LG Software\On Screen Display\HotKey.exe" [02/02/2007 10:40 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [16/05/2008 09:19 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [19/01/2008 05:33 PM]
"@"="" []
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [10/11/2006 12:35 PM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [12/07/2008 04:44 PM]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [12/07/2008 05:29 PM]
"cmds"="C:\Users\Ben\AppData\Local\Temp\vtUnLcby.dll,c" []

C:\Users\Ben\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CCC.lnk - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [29/09/2006 9:57:36 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{26F5978F-6493-4ee3-B114-C0C3ACCF9D4D}"= C:\Windows\system32\bmpsap.dll [11/12/2006 03:58 PM 114688]
"{03E3D45B-681C-481C-B6A3-0D08B12C4AB9}"= C:\Windows\system32\xxywwtsT.dll [12/07/2008 05:46 PM 26112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"fsrpknov"= {1ADBC46B-793E-414F-BA6D-BD3B411BD301} - C:\Windows\fsrpknov.dll [ ]
"fdxbameg"= {5500F56C-B7A6-4922-A8D5-3E4D7ADC4084} - C:\Windows\fdxbameg.dll [ ]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\647691a9]
rundll32.exe "C:\Users\Ben\AppData\Local\Temp\qnbeeiwr.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmds]
rundll32.exe C:\Users\Ben\AppData\Local\Temp\vtUnLcby.dll,c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LG Intelligent Update]
"C:\Program Files\lg_swupdate\giljabistart.exe" Gilautouc

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
rundll32.exe C:\Windows\system32\xxywwtsT.dll,#1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sys Variable Enabler]
torrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\winampa.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc CscService TabletInputService UmRdpService wlansvc WPDBusEnum EMDMgmt
LocalServiceNoNetwork PLA DPS BFE mpssvc
LocalServiceNetworkRestricted DHCP eventlog AudioSrv LmHosts wscsvc p2pimsvc PNRPSvc p2psvc PnrpAutoReg
bthsvcs BthServ
GPSvcGroup GPSvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d45f5074-5040-11dd-9d8a-806e6f6e6963}]
AutoRun\command- D:\autoplay.exe lgcenter.ini


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {CD68B67C-0AAC-EB5B-285E-25DE12617939} /qb

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-07-12 19:21:26 ------------

Here is the extra log:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Business (build 6001) SP 1.0
Architecture: X86; Language: English

CPU 0: Intel® Core™2 CPU T5500 @ 1.66GHz
Percentage of Memory in Use: 37%
Physical Memory (total/avail): 2045.75 MiB / 1273.45 MiB
Pagefile Memory (total/avail): 4324.79 MiB / 3274.41 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1908.73 MiB

C: is Fixed (NTFS) - 92.16 GiB total, 64.64 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - FUJITSU MHV2100BH - 93.16 GiB - 2 partitions
\PARTITION0 - Unknown - 1024 MiB
\PARTITION1 (bootable) - Installable File System - 92.16 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AV: avast! antivirus 4.8.1201 [VPS 080712-0] v4.8.1201 (ALWIL Software)
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation)
AS: avast! antivirus 4.8.1201 [VPS 080712-0] v4.8.1201 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Ben\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BEN-PC
ComSpec=C:\Windows\system32\cmd.exe
configsetroot=C:\Windows\ConfigSetRoot
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Ben
LOCALAPPDATA=C:\Users\Ben\AppData\Local
LOGONSERVER=\\BEN-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\Softex\OmniPass
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f06
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Ben\AppData\Local\Temp
TMP=C:\Users\Ben\AppData\Local\Temp
USERDOMAIN=Ben-PC
USERNAME=Ben
USERPROFILE=C:\Users\Ben
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

Ben


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\Windows\UNNeroBackItUp.exe /UNINSTALL
--> C:\Windows\UNNeroMediaHome.exe /UNINSTALL
--> C:\Windows\UNNeroShowTime.exe /UNINSTALL
--> C:\Windows\UNNeroVision.exe /UNINSTALL
--> C:\Windows\UNRecode.exe /UNINSTALL
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
AI RoboForm (All Users) --> "C:\Program Files\Siber Systems\AI RoboForm\rfwipeout.exe"
ATI Uninstaller --> C:\Program Files\ATI\CIM\Bin\Atisetup.exe -uninstall all
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
AuthenTec Fingerprint Sensor Minimum Install --> MsiExec.exe /I{161875E2-25A6-44C0-9292-C8C096F3E850}
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
BatteryMiser 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E55C8F84-160B-41FA-9D41-6210801C0C24}\setup.exe"
BlueSoleil 3.0 Std Release --> MsiExec.exe /X{B174DCA1-D1AF-45B4-976D-87943E4C5957}
Copernic 2001 Pro --> "C:\Windows\Copernic2001UninstallPlus.exe" /ARGSFILE="C:\Program Files\Copernic 2001 Pro\unwise.dat"
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
EzManual --> MsiExec.exe /I{6AC8EA9E-3044-46CB-AC0D-69C45D207178}
Inst5657 --> MsiExec.exe /I{FEDE400D-3381-4087-ACCB-689DD8A56123}
Inst565a --> MsiExec.exe /I{3B701A5D-1F4B-4178-8F86-6EB0D6BB3286}
Intel® Matrix Storage Manager --> C:\Windows\System32\Imsmudlg.exe
LG Direct Media Button Service --> MsiExec.exe /I{B47709FF-F32A-405A-BF0D-F59A98710D69}
LG Intelligent Update --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{81717D01-32F6-449C-85E1-41AFD678E545}\SETUP.EXE"
Messenger Plus! Live --> "C:\Program Files\Messenger Plus! Live\Uninstall.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Nero 8 --> MsiExec.exe /X{BE282C23-5484-47FF-B2C1-EBEA5C891033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
OmniPass 5.00.13 --> C:\Program Files\InstallShield Installation Information\{F4E57F49-84B4-4CF2-B0A1-8CA1752BDF7E}\setup.exe -runfromtemp -l0x0009 -removeonly
On Screen Display --> MsiExec.exe /I{9A8907C0-0C87-4219-8520-ADBDA825C008}
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Texas Instruments PCIxx21/x515/xx12 drivers. --> C:\Program Files\InstallShield Installation Information\{0409969E-BEFB-44D3-90B9-63BE50FBAE5E}\setup.exe -runfromtemp -l0x0409
VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
WebVideo Support --> C:\Windows\gpefaowr.exe
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip 11.2 --> MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B6}


-- Application Event Log -------------------------------------------------------

Event Record #/Type1171 / Success
Event Submitted/Written: 07/12/2008 07:10:26 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type1167 / Success
Event Submitted/Written: 07/12/2008 07:09:26 PM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type1166 / Success
Event Submitted/Written: 07/12/2008 07:09:24 PM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type1163 / Success
Event Submitted/Written: 07/12/2008 07:08:37 PM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.

Event Record #/Type1146 / Error
Event Submitted/Written: 07/12/2008 07:06:34 PM
Event ID/Source: 8194 / VSS
Event Description:
Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {5a6b48c8-57c2-4dff-8c3d-3f26d92f5923}



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type17147 / Error
Event Submitted/Written: 07/12/2008 07:08:54 PM
Event ID/Source: 15016 / HTTP
Event Description:
\Device\Http\ReqQueueKerberos

Event Record #/Type17129 / Warning
Event Submitted/Written: 07/12/2008 07:07:13 PM
Event ID/Source: 4001 / Microsoft-Windows-WLAN-AutoConfig
Event Description:


Event Record #/Type17125 / Error
Event Submitted/Written: 07/12/2008 07:07:04 PM
Event ID/Source: 10010 / DCOM
Event Description:
{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}

Event Record #/Type17124 / Warning
Event Submitted/Written: 07/12/2008 07:06:54 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Ben-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Ben-PC27 can't undo changes that you allow.

For more information please see the following:
%Ben-PC275

Scan ID: {93E7B179-31F5-42F7-9B8F-8BA4D2B4259D}

User: Ben-PC\Ben

Name: %Ben-PC271

ID: %Ben-PC272

Severity ID: %Ben-PC273

Category ID: %Ben-PC274

Path Found: %Ben-PC276

Alert Type: %Ben-PC278

Detection Type: 1.1.1600.02

Event Record #/Type17121 / Warning
Event Submitted/Written: 07/12/2008 07:06:48 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%Ben-PC27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %Ben-PC27 can't undo changes that you allow.

For more information please see the following:
%Ben-PC275

Scan ID: {11205772-B62A-4576-9C71-61E16333289A}

User: Ben-PC\Ben

Name: %Ben-PC271

ID: %Ben-PC272

Severity ID: %Ben-PC273

Category ID: %Ben-PC274

Path Found: %Ben-PC276

Alert Type: %Ben-PC278

Detection Type: 1.1.1600.02



-- End of Deckard's System Scanner: finished at 2008-07-12 19:21:26 ------------
#2
Mike
Malware Monger, Retired Staff, 2,745 posts
Please continue in your old thread http://www.geekstogo...tM-t202609.html