Avast WEBforum

Other => Viruses and worms => Topic started by: ahullsb on August 22, 2008, 03:06:38 AM

Title: Questions regarding key logging software that was installed on a laptop
Post by: ahullsb on August 22, 2008, 03:06:38 AM
I have been cleaning advanced keylogging software off of my girlfriend's computer, presumably installed by her ex-boyfriend. From what I have gathered, it is a program called Key Trapper. My question is whether it is possible to prove whether this program was installed by someone who had DIRECT access to her computer, or whether it could be installed over the internet by anyone, even though we know who did it. Does anyone know the specifics of how this program works and must be installed? I cannot find details about it. When incidents such as these happen, can the court demand more information about it? I know nobody will know the intricacies of law, but I would imagine that when buying this software over the internet, you would probably be required to use a credit card which requires personal information, as well as a unique registration key? Something that might be able to be traced to him. Lastly, there is debate over whether to check the home computer first using a HijackThis log, etc., or whether to wipe the entire system and then freshly install XP, without checking it for viruses, worms, etc. first. Will either of these ways successfully remove things such as keylogging software? If the program is in fact on the computer, my understanding is that backing up, or transferring any of this data to another drive risks infecting any computer that it is transferred to, including the newly formatted home computer; correct? Here is the HJT log from the laptop where we found Key Trapper. Can anyone confirm that the program we believe we found was indeed on this computer? Thank you in advance to anyone who responds!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:43:19 AM, on 4/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\WinAntiVirus Pro 2006\winav.exe
C:\Program Files\Common Files\WinAntiVirus Pro 2006\wa6pcw.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
O2 - BHO: CIEIntegrator Object - {2178F3FB-2560-458F-BDEE-631E2FE0DFE4} - C:\Program Files\WinAntiVirus Pro 2006\winpgi.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: IEFW Object - {B5141620-C2B2-4D95-9F0F-134D99C87AB0} - C:\Program Files\WinAntiVirus Pro 2006\iefwbho.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [vcx] c:\program files\pcp\vcx.exe
O4 - HKLM\..\Run: [sysxmem] c:\program files\pcp\sysxmem.exe
O4 - HKLM\..\Run: [WinAntiVirusPro2006] C:\Program Files\WinAntiVirus Pro 2006\winav.exe /min
O4 - HKLM\..\Run: [WA6Pcw] "C:\Program Files\Common Files\WinAntiVirus Pro 2006\wa6pcw.exe" -c
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZZ
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...81/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1178407826677
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0123559-20DA-46A0-A957-62F3EF10708A}: NameServer = 204.127.199.8,0.0.0.0
O21 - SSODL: Manamweb - {46EA5072-170B-4E33-BB7B-C04AFE5151B8} - C:\WINDOWS\system32\libarv32.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Firewall service (FWSvc) - WinSoftware, Ltd. - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

--
End of file - 7162 bytes
Title: Re: Questions regarding key logging software that was installed on a laptop
Post by: Mocked on August 22, 2008, 05:55:59 AM
Hello ahullsb.

   First off, you don't seem to be running avast! on the machine that the HJT log is from.  You can download and install avast! from here www.avast.com/eng/download-avast-home.html (http://www.avast.com/eng/download-avast-home.html). After installing avast! I would recommend scheduling a boot time scan (Right click the avast! icon, select schedule a boot time scan, reboot when instructed.)
   Reboot in safe mode then scan with MBAM (www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html (http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html)) or Superantispyware www.superantispyware.com/download.html (http://www.superantispyware.com/download.html)

   After doing this, post another HJT log.

  Specifically I see some elements of WinAntiVirus Pro 2006 in your HJT log. This is scamware trying to scare you into purchasing software. You can read more about it here www.bleepingcomputer.com/startups/WinAV.exe-16637.html (http://www.bleepingcomputer.com/startups/WinAV.exe-16637.html)
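Mocked's reply works by reading the O-entries of the posted HijackThis log, spotting the WinAntiVirus Pro 2006 components, and asking for a fresh log after cleanup so the two can be compared. The script below is an added example (not a tool from this thread or from Trend Micro) that does that comparison mechanically: it parses HJT entry lines, diffs two logs to list what was removed and added between scans, and flags entries matching a watchlist plus orphaned O2/O3 entries marked "(no file)". The BEFORE and AFTER strings are constructed excerpts of the two logs posted in this thread; the single watchlist term is the rogue product Mocked identified. It makes no judgement about entries the thread does not identify (for example the pcp\vcx.exe Run entry), and since neither posted log contains an entry named Key Trapper, a parser like this cannot confirm that product either way; it only shows what is and is not present.

```python
import re
from typing import Dict, List, Tuple

# A HijackThis entry line is a section tag (R1, O2, O4, O23 ...) followed
# by " - " and the entry body. Header lines and the process list don't match.
HJT_LINE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")

# Constructed excerpts of the two logs posted in this thread (first scan at
# 1:43 AM, second at 11:44 PM on 4/13/2008). Only a few lines of each are
# reproduced here so the example runs offline.
BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CIEIntegrator Object - {2178F3FB-2560-458F-BDEE-631E2FE0DFE4} - C:\Program Files\WinAntiVirus Pro 2006\winpgi.dll
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [vcx] c:\program files\pcp\vcx.exe
O4 - HKLM\..\Run: [WinAntiVirusPro2006] C:\Program Files\WinAntiVirus Pro 2006\winav.exe /min
O21 - SSODL: Manamweb - {46EA5072-170B-4E33-BB7B-C04AFE5151B8} - C:\WINDOWS\system32\libarv32.dll
O23 - Service: Firewall service (FWSvc) - WinSoftware, Ltd. - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe
"""

AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O21 - SSODL: Manamweb - {46EA5072-170B-4E33-BB7B-C04AFE5151B8} - C:\WINDOWS\system32\libarv32.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
"""

# Substrings to flag. The only term here is the rogue product Mocked
# identified in the thread; a real watchlist would be much longer.
WATCHLIST = ("winantivirus pro 2006",)


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs for every entry line in a HijackThis log.
    Header lines, the running-process list and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def diff_logs(before: str, after: str):
    """Entries only in the first log (removed) and only in the second (added)."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(b - a), sorted(a - b)


def flag_entries(text: str, watchlist=WATCHLIST) -> List[Tuple[str, str, str]]:
    """Return (reason, section, body) for entries worth a second look:
    O2/O3 entries whose file no longer exists, and watchlist matches."""
    flags = []
    for section, body in parse_hjt(text):
        low = body.lower()
        if section in ("O2", "O3") and low.endswith("(no file)"):
            flags.append(("orphaned BHO/toolbar entry (no file)", section, body))
        for term in watchlist:
            if term in low:
                flags.append((f"matches watchlist term '{term}'", section, body))
    return flags


def by_section(entries: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count entries per HJT section, a quick shape check before reading details."""
    counts: Dict[str, int] = {}
    for section, _ in entries:
        counts[section] = counts.get(section, 0) + 1
    return counts


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    print("First log, entries by section:", by_section(parse_hjt(BEFORE)))
    print("\nRemoved between scans:")
    for section, body in removed:
        print(f"  {section} - {body}")
    print("\nAdded between scans:")
    for section, body in added:
        print(f"  {section} - {body}")
    print("\nFlagged in first log:")
    for reason, section, body in flag_entries(BEFORE):
        print(f"  [{reason}] {section} - {body}")
```

Run it against two full logs saved to files (read them into BEFORE and AFTER) and the "Removed" list is the record of what the cleanup actually changed, which is the second opinion ahullsb asked for; a diff like this says nothing about entries that were never in either log.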
Title: Re: Questions regarding key logging software that was installed on a laptop
Post by: wyrmrider on August 22, 2008, 06:12:29 AM
Someone else is looking at your HJT log.

Have you tried Spybot Search and Destroy and Malwarebytes Anti-Malware?
Spy-Cop specializes in key loggers.
There is a free program called anti-hook.
Also see:
http://dewasoft.com/privacy/kldetector.htm - watch for FPs.

Do you have Symantec AV installed?
Does a scan show anything?
If you remove Symantec, also run their removal tool.
Post back.
DO NOT INSTALL AVAST WITHOUT COMPLETELY REMOVING SYMANTEC with Add/Remove Programs AND the removal tool.
Your Windows is NOT up to date.
What firewall?

Let's get that scam anti-malware 2006 cleaned up first.
Follow Mocked's instructions.
Title: Re: Questions regarding key logging software that was installed on a laptop
Post by: ahullsb on August 22, 2008, 08:26:16 AM
I apologize in advance; I should have been clearer. I have gone through some steps to remove the keylogger and I think I am possibly clean now. Somebody helped me try and remove the stuff. I wanted to see if someone would look at the original log to confirm that there was indeed a program called Key Trapper installed there. I basically was looking for a second opinion to MAKE SURE that this stuff is gone. I have run a series of programs. I have logs for these and will post them in the order they were performed. Windows is updated now, and I removed Norton with the Norton utility. I was afraid to update anything until I was sure the keylogger was removed. This person has enough information as it is. The log will show that the computer has Avira installed, but I have been so impressed with avast on my own machine over the past few days that I am going to switch the other computer as well tomorrow. I will post a few more logs. Thank you very much by the way to whoever is checking this! We both appreciate it very much. I will post the logs in the order in which I performed them. I just wanted a second opinion since it appears there were some pretty invasive programs installed.

Title: Re: Questions regarding key logging software that was installed on a laptop
Post by: ahullsb on August 22, 2008, 08:28:41 AM
Here is Deckard's log... Thanks in advance!

Deckard's System Scanner v20071014.68
Run by erin marston on 2008-04-13 23:43:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-04-14 06:44:02 UTC - RP182 - Deckard's System Scanner Restore Point
1: 2008-04-13 18:51:25 UTC - RP181 - Avira AntiVir Personal - 4/13/2008 11:51


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 447 MiB (512 MiB recommended).
System Drive C: has 1.08 GiB (less than 15%) free.


-- HijackThis (run as erin marston.exe) ----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:52 PM, on 4/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\WINDOWS\system32\wuauclt.exe
G:\apps\antivir_workstation_winu_en_h.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
G:\apps\deckard's system scanner.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\erin marston.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...81/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1178407826677
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0123559-20DA-46A0-A957-62F3EF10708A}: NameServer = 204.127.199.8,0.0.0.0
O21 - SSODL: Manamweb - {46EA5072-170B-4E33-BB7B-C04AFE5151B8} - C:\WINDOWS\system32\libarv32.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

--
End of file - 6533 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 FOPN - c:\windows\system32\drivers\fopn.sys <Not Verified; WinSofrware, Ltd.; FOPN.SYS>


Title: Re: Questions regarding key logging software that was installed on a laptop
Post by: ahullsb on August 22, 2008, 08:29:48 AM
(continued)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AntiVirScheduler (Avira AntiVir Personal - Free Antivirus Scheduler) - "c:\program files\avira\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; AntiVir Workstation>
R2 RioMSC (Rio MSC Manager) - c:\windows\system32\riomsc.exe <Not Verified; Digital Networks North America, Inc.; Rio Mass Storage Class Device Manager>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\187E1398004603
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\187E1398004603
Service: NIC1394

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139/810x Family Fast Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_8158104D&REV_10\3&61AAA01&0&90
Manufacturer: Realtek
Name: Realtek RTL8139/810x Family Fast Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_8158104D&REV_10\3&61AAA01&0&90
Service: rtl8139


-- Scheduled Tasks -------------------------------------------------------------

2003-12-29 15:06:38 258 --a------ C:\WINDOWS\Tasks\Registration reminder 3.job
2003-12-29 15:06:38 258 --a------ C:\WINDOWS\Tasks\Registration reminder 2.job
2003-12-29 15:06:37 258 --a------ C:\WINDOWS\Tasks\Registration reminder 1.job


-- Files created between 2008-03-13 and 2008-04-13 -----------------------------

2008-04-13 23:23:41 0 drahs---- C:\autorun.inf
2008-04-13 12:41:28 0 d-------- C:\Program Files\Avira
2008-04-13 12:41:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-04-13 01:42:08 0 d-------- C:\Program Files\Trend Micro


-- Find3M Report ---------------------------------------------------------------

2008-04-13 11:03:23 0 d-------- C:\Program Files\Common Files
2008-04-10 10:05:57 0 d-------- C:\Program Files\Lot Wizard


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CARPService"="carpserv.exe" [03/18/2003 03:49 PM C:\WINDOWS\system32\carpserv.exe]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [02/27/2003 11:04 AM]
"ATIModeChange"="Ati2mdxx.exe" [09/04/2001 05:24 PM C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [03/25/2003 04:00 PM]
"Mouse Suite 98 Daemon"="ICO.EXE" [03/14/2002 04:46 PM C:\WINDOWS\system32\ico.exe]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [04/19/2003 10:08 PM]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [08/20/2002 10:29 AM]
"HKSERV.EXE"="C:\Program Files\Sony\HotKey Utility\HKserv.exe" [03/17/2003 09:00 AM]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [04/17/2002 11:42 AM]
"CamMonitor"="C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [07/11/2002 05:24 PM]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [06/12/2008 02:28 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24 AM]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [1/23/2005 12:07:13 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Manamweb"= {46EA5072-170B-4E33-BB7B-C04AFE5151B8} - C:\WINDOWS\system32\libarv32.dll [08/04/2004 12:56 AM 1040384]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FWSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d37df1a0-ebcf-11db-8cd7-000c412eae50}]
AutoRun\command- G:\LaunchU3.exe -a

*Newly Created Service* - ANTIVIRSCHEDULER
*Newly Created Service* - ANTIVIRSERVICE
*Newly Created Service* - AVGIO
*Newly Created Service* - AVGNTFLT
*Newly Created Service* - AVIPBB



-- End of Deckard's System Scanner: finished at 2008-04-13 23:45:29 ------------
Title: Re: Questions regarding key logging software that was installed on a laptop
Post by: ahullsb on August 22, 2008, 08:31:16 AM
Deckard's extra log

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.80GHz
Percentage of Memory in Use: 61%
Physical Memory (total/avail): 446.98 MiB / 169.94 MiB
Pagefile Memory (total/avail): 1055.85 MiB / 811.96 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1945.15 MiB

C: is Fixed (NTFS) - 13.97 GiB total, 1.08 GiB free.
D: is Fixed (NTFS) - 18.62 GiB total, 17.74 GiB free.
E: is Removable (No Media)
F: is CDROM (No Media)
G: is Removable (FAT32)

\\.\PHYSICALDRIVE0 - HITACHI_DK23EA-40 - 37.26 GiB - 3 partitions
\PARTITION0 - Unknown - 4.66 GiB
\PARTITION1 (bootable) - Installable File System - 13.97 GiB - C:
\PARTITION2 - Extended w/Extended Int 13 - 18.62 GiB - D:

\\.\PHYSICALDRIVE1 - Memory Stick Slot

\\.\PHYSICALDRIVE2 - SanDisk SDDR-113 USB Device - 5.69 GiB - 1 partition
\PARTITION0 - Unknown - 5.69 GiB - G:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is disabled.

AntivirusOverride is set.
FirewallOverride is set.

AV: Avira AntiVir PersonalEdition v8.0.1.26 (Avira GmbH) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\WinAntiVirus Pro 2006\\Updater.exe"="C:\\Program Files\\WinAntiVirus Pro 2006\\Updater.exe:*:Enabled:updater.exe"
"C:\\Program Files\\WinAntiVirus Pro 2006\\Support.exe"="C:\\Program Files\\WinAntiVirus Pro 2006\\Support.exe:*:Enabled:support.exe"
"C:\\Program Files\\WinAntiVirus Pro 2006\\WinAV.exe"="C:\\Program Files\\WinAntiVirus Pro 2006\\WinAV.exe:*:Enabled:winav.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\erin marston\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JORDAN
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\erin marston
LOGONSERVER=\\JORDAN
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI Control Panel
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ERINMA~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ERINMA~1\LOCALS~1\Temp
USERDOMAIN=JORDAN
USERNAME=erin marston
USERPROFILE=C:\Documents and Settings\erin marston
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

erin marston (admin)
jordan adenwala (admin)



Title: Re: Questions regarding key logging software that was installed on a laptop
Post by: ahullsb on August 22, 2008, 08:34:27 AM
(continued)

-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Photoshop Elements 2.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop Elements 2\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop Elements 2\Uninst.dll"
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Avira AntiVir Personal - Free Antivirus --> C:\Program Files\Avira\AntiVir PersonalEdition Classic\setup.exe /REMOVE
Canon Camera Window for ZoomBrowser EX --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{A29EA741-24F7-4C07-9B2C-06CB6491BE4A}
Canon EOS Kiss REBEL 300D WIA Driver --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{31A57C3E-30DD-421F-B5C7-974DACB0D05F}
Canon PhotoRecord --> MsiExec.exe /X{BEF56F2D-56ED-4176-BF72-7B68D4A3B98D}
Canon RAW Image Task for ZoomBrowser EX --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{FAF0DAD8-1EA7-4FEF-80E5-8D8D6EBD5A23}
Canon RemoteCapture Task for ZoomBrowser EX --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{2236B741-6631-49AE-B76E-3E14CA01CC87}
Canon Utilities File Viewer Utility 1.3 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{2D1C2321-8FDB-49B8-A66B-4008DC0B6B5D}
Canon Utilities PhotoStitch 3.1 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{F11A403B-0DE9-4953-B790-7A2F014FBB2B}
Canon Utilities RemoteCapture 2.7 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{14220DB1-DD96-4BCD-B3D5-03A4EA6631C4}
Canon Utilities ZoomBrowser EX --> MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
DVgate Plus --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{685BCC47-B8EC-45EC-BBCE-77DF2451502C}\setup.exe"
Experience VAIO --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{36FE914F-1B2B-4D83-B3E1-032A508E9EC4}\setup.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Home Office Page for Experience VAIO --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{374E48BA-CBC1-4134-86B9-7A97B0E76B2E}\setup.exe"
HotKey Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BB311F54-39D6-4A03-8E18-053D1B2833D7}\setup.exe" -l0x9
hp instant support --> C:\PROGRA~1\HEWLET~1\HPINST~1\Uninstall.exe CeS
HP Photo and Imaging 1.1 - Photosmart Cameras --> MsiExec.exe /X{88FC6895-EFC8-49d5-B190-F2D9F6B82E38}
ImageStation Tour --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{28336AFC-722C-4E17-B286-2A7C906183C0}\setup.exe"
IMS AutoManager --> c:\automan.dmo\Unstall.exe
Title: Re: Questions regarding key logging software that was installed on a laptop
Post by: ahullsb on August 22, 2008, 08:35:01 AM
(continued)

InterVideo WinDVD 4 --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
Java 2 Runtime Environment, SE v1.4.0_03 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC1E4C93-C1E7-11D6-9D10-00010240CE95}\Setup.exe" Anytext
Java Web Start --> "C:\Program Files\Java Web Start\uninst-javaws.exe"
KARPOWER --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{17AF6086-77CC-4598-9332-7E71591C41CA}\SetUp.Exe" -l0x9 anything
KARPOWER (Wise) --> C:\BLUEBOOK\UNWISE.EXE
Lot Wizard --> MsiExec.exe /X{5A6D10DB-47ED-41B9-97EA-B3B99E488AB8}
Memory Stick Formatter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{27337663-2619-11D4-99DC-0000F49094C7}\setup.exe" -l0x9 /UNINSTALL
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Money 2003 --> MsiExec.exe /I{01F9D88C-3C86-4E82-840A-101A3221F67A}
Microsoft Money 2003 System Pack --> MsiExec.exe /I{02B42D23-10F2-4862-ADA4-3DF1EA0021B2}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft PowerPoint Viewer 97 --> C:\Program Files\PowerPoint Viewer\setup\setup.exe
Microsoft Upgrade Offer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EDEAF307-51B7-41FF-8B08-AE646117172E}\setup.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
MoodLogic --> C:\WINDOWS\ml-uninstall-v10.exe
Music Visualizer Library 1.4.00 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3B24B725-D81F-442D-8CE5-2AF05A4A4CC9}\setup.exe" -l0x9
My Web Search (Popular Screensavers) --> rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsbar.dll,O
Netscape (7.02) --> C:\WINDOWS\NSUninst.exe /ua "7.02 (en)"
Network Smart Capture --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{30642CE1-217B-40C0-92E2-6BF849599D9E}\setup.exe" -l0x9
OpenMG Limited Patch 3.2-03-02-21-08 --> C:\Program Files\Common Files\Sony Shared\OpenMG\HotFixes\HotFix3.2-03-02-21-08\HotFixSetup\setup.exe /u
OpenMG Limited Patch 3.2-03-02-25-01 --> C:\Program Files\Common Files\Sony Shared\OpenMG\HotFixes\HotFix3.2-03-02-25-01\HotFixSetup\setup.exe /u
OpenMG Secure Module 3.2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{62F33B80-6244-4A70-A233-0DA13B640364}\Setup.exe" -l0x9 UNINSTALL
PictureGear Studio 1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{27C5164D-ED0E-4D64-B788-93305BD62100}\setup.exe"
QBFC 4.0 --> MsiExec.exe /X{565E29BB-5863-46FD-ABF3-8074FBB5BAFF}
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
RealOne Player --> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
Rio Internet Update --> MsiExec.exe /X{493F2531-C2E5-4B73-8B11-66E9CFDA9AFA}
Rio Music Manager --> MsiExec.exe /X{282EF7E3-AE54-48AE-A11D-27F512F23AB3}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
SoftK56 Data Fax CARP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_10B9&DEV_5457&SUBSYS_8158104D\HXFSETUP.EXE -U -IVEN_10B9&DEV_5457&SUBSYS_8158104D
SonicStage 1.5.50 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{71D6CE84-B7DC-4166-8E0D-56C1C37BFB5A}\setup.exe" -l0x9 UNINSTALL
Sony Certificate PCH --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0448678-1203-4158-A58F-B3D0B616BF9E}\setup.exe"
Sony Notebook Setup --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{936FADC9-C609-471A-B6F2-A33E2E660D1A}\setup.exe" -l0x9
Sony on Yahoo! Essentials --> C:\Program Files\Yahoo!\unwise.exe C:\progra~1\yahoo!\install.log
Sony USB Mouse --> Pmuninst.exe MouseSuite98
Sony Utilities DLL --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EF3D45BB-2260-4008-88EA-492E7744A9DF}\setup.exe" -l0x9
Sony Video Shared Library --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6990A2BF-D1D2-11D3-81BC-00609789C908}\setup.exe"
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
URGE --> MsiExec.exe /I{8BBF6DFD-0AD9-43A7-9FBD-BF065E3866AF}
VAIO DeepSea Wallpaper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3147661C-2807-49EC-B971-3B0F23D95018}\setup.exe"
VAIO Help and Support --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{E68B38DE-D7DD-4FB3-A453-3F03A947EA8E}
VAIO Media 2.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1EB317D8-8945-4FD6-B37F-DF470317C6AB}\setup.exe" -l0x9 UNINSTALL
VAIO Media Music Server 2.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DF733005-0F40-11D6-9254-0000F460E7A9}\setup.exe" -l0x9 UNINSTALL
VAIO Media Photo Server 2.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E30D77F-CE1B-4674-8AFB-0DE22E5AC3A8}\setup.exe" -l0x9
VAIO Media Platform 2.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DF0DD6E9-F673-4466-8353-70B50A506FD9}\setup.exe"
VAIO Media Redistribution 2.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7128C69B-8F7E-4336-8698-3FD3CDD955EC}\setup.exe" -l0x9 UNINSTALL
VAIO Media Setup 2.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CCAC48E4-4B4D-43CB-ABB5-E817E39873B3}\setup.exe" -l0x9
VAIO Registration --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{315BA29D-2644-4760-B5FD-5AC04A52B8C5}
VAIO Support --> "c:\program files\support.com\client\bin\tgfix.exe" /rm /nq
VAIO Survey Standalone --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{FA11D5B5-7D0A-43E8-88C4-960F97B194DE}
Viewpoint Media Player (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
WinAntiVirus Pro 2006 2.1.255.2 --> "C:\Program Files\WinAntiVirus Pro 2006\unins000.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WINForms Desktop --> C:\PROGRA~1\WINFOR~1\UNWISE.EXE C:\PROGRA~1\WINFOR~1\INSTALL.LOG
WINForms® Desktop --> C:\PROGRA~1\WINFOR~1\UNWISE.EXE C:\PROGRA~1\WINFOR~1\INSTALL.LOG
Title: Re: Questions regarding key logging software that was installed on a laptop
Post by: ahullsb on August 22, 2008, 08:35:35 AM
(continued)

-- Application Event Log -------------------------------------------------------

Event Record #/Type8041 / Warning
Event Submitted/Written: 04/13/2008 01:32:19 PM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
WORM/RJUMP.C.1G:\AUTORUN.INF



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type30026 / Error
Event Submitted/Written: 04/13/2008 01:45:30 AM
Event ID/Source: 40 / i8042prt
Event Description:
An error occurred while trying to acquire the device ID of the mouse

Event Record #/Type30024 / Error
Event Submitted/Written: 04/13/2008 01:40:38 AM
Event ID/Source: 16 / Windows Update Agent
Event Description:
Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Event Record #/Type29994 / Warning
Event Submitted/Written: 04/10/2008 09:58:43 AM
Event ID/Source: 2504 / Server
Event Description:
The server could not bind to the transport \Device\NetBT_Tcpip_{8796FC64-731D-4658-BFB0-5494DCDF30BD}.

Event Record #/Type29993 / Warning
Event Submitted/Written: 04/10/2008 09:58:34 AM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 000C412EAE50. The IP address being used is 169.254.102.30.

Event Record #/Type29991 / Error
Event Submitted/Written: 04/10/2008 09:57:14 AM
Event ID/Source: 16 / Windows Update Agent
Event Description:
Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.



-- End of Deckard's System Scanner: finished at 2008-04-13 23:45:29 ------------
Title: Re: Questions regarding key logging software that was installed on a laptop
Post by: ahullsb on August 22, 2008, 08:36:15 AM
Next came Jotti's log.

Here is the scan from Jotti's log:

Scan taken on 17 Aug 2008 19:27:17 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found Program.eBlaster.origin
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found not-a-virus:Monitor.Win32.EBlaster.b
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found Trojan-Downloader.Obfuscated.29 (paranoid heuristics) (probable variant)


Last file scanned at least one scanner reported something about: pccillin2007_2008_Keygen.rar (MD5: 654c537106445111ec37b1372c7b098d, size: 112355 bytes), detected by:

Scanner Malware name
A-Squared X
AntiVir TR/Dldr.Delf.jub
ArcaVir X
Avast X
AVG Antivirus Downloader.Generic7.XNO
BitDefender X
ClamAV X
CPsecure X
Dr.Web X
F-Prot Antivirus X
F-Secure Anti-Virus X
Fortinet Crackin.EBBA9CBC
Ikarus Trojan-Spy.Win32.Bancos.xe
Kaspersky Anti-Virus X
NOD32 X
Norman Virus Control X
Panda Antivirus X
Sophos Antivirus Sus/Keygen-A
VirusBuster X
VBA32 Trojan-Downloader.Win32.Delf.jub
Title: Re: Questions regarding key logging software that was installed on a laptop
Post by: ahullsb on August 22, 2008, 08:36:54 AM
Next was Malwarebytes. Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 2

6:55:42 AM 4/14/2008
mbam-log-04-14-2008 (06-55-42).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 89007
Time elapsed: 43 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 57
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\antiviruscom.avofficeprotect (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\antiviruscom.avofficeprotect.1 (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\avexplorer.shellextension (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\avexplorer.shellextension.2 (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\iefwbho.iefw (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\iefwbho.iefw.2 (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\wav6com.avofficeprotect (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\wav6com.avofficeprotect.1 (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\winpgintegrator.ieintegrator (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\winpgintegrator.ieintegrator.1 (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{07b18eaa-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{07b18eac-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0b9a27eb-125f-4f3e-a35c-2769c47a1442} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e3537fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e1656ed-f60e-4597-b6aa-b6a58e171495} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2b-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2d-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e74766c-4d93-4cc0-96d1-47b8e07ff9ca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d291-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{de38c398-b328-4f4c-a3ad-1b5e4ed93477} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2178f3fb-2560-458f-bdee-631e2fe0dfe4} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b5141620-c2b2-4d95-9f0f-134d99c87ab0} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1ac5c88a-dea7-462b-a232-04af5ca42e7e} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{723d54c7-7483-4eb8-8eed-ce5b2aea534d} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7473d292-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8e6f1832-9607-4440-8530-13be7c4b1d14} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a9571378-68a1-443d-b082-284f960c6d17} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{adb01e81-3c79-4272-a0f1-7b2be7a782dc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{367a86a5-d048-4785-86be-4e2706aafdd9} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{2bc32ef8-bb73-4099-bb2e-0f2951b3e276} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{732b6533-7f78-4c47-9c01-2979ba0829b9} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{29d67d3c-509a-4544-903f-c8c1b8236554} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{7473d290-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8e6f1830-9607-4440-8530-13be7c4b1d14} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e47caee0-deea-464a-9326-3f2801535a4d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{f42228fb-e84e-479e-b922-fbbd096e792c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{367a86a5-d048-4785-86be-4e2706aafdd9} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\winantivirus pro 2006 (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\winantivirus pro 2006 (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\WinPGI.DLL (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\MyWebSearch.OutlookAddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\MyWebSearch.OutlookAddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fopn (Rogue.WinAntiSpyware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Title: Re: Questions regarding key logging software that was installed on a laptop
Post by: ahullsb on August 22, 2008, 08:37:33 AM
(continued)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootStera (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2006 (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\WinAntiVirus Pro 2006 (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\jordan adenwala\Application Data\WinAntiVirus Pro 2006 (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\jordan adenwala\Application Data\WinAntiVirus Pro 2006\Logs (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\erin marston\Application Data\WinAntiVirus Pro 2006 (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\erin marston\Application Data\WinAntiVirus Pro 2006\Logs (Rogue.WinAntivirus) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2006\AVScheduler.dat (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\WinAntiVirus Pro 2006\Feedback on Support Quality.lnk (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\WinAntiVirus Pro 2006\Report Software Defect.lnk (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\WinAntiVirus Pro 2006\Request for Instructions.lnk (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\WinAntiVirus Pro 2006\Share Your Suggestions.lnk (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\WinAntiVirus Pro 2006\Uninstall WinAntiVirus Pro 2006.lnk (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\WinAntiVirus Pro 2006\WinAntiVirus Pro 2006 Knowledge base.lnk (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\WinAntiVirus Pro 2006\WinAntiVirus Pro 2006 Manual.lnk (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\WinAntiVirus Pro 2006\WinAntiVirus Pro 2006.lnk (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\jordan adenwala\Application Data\WinAntiVirus Pro 2006\PGE.dat (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\jordan adenwala\Application Data\WinAntiVirus Pro 2006\Logs\update.log (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\jordan adenwala\Application Data\WinAntiVirus Pro 2006\Logs\wa6Support.log (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\jordan adenwala\Application Data\WinAntiVirus Pro 2006\Logs\winav.log (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\erin marston\Application Data\WinAntiVirus Pro 2006\Logs\update.log (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\erin marston\Application Data\WinAntiVirus Pro 2006\Logs\wa6Support.log (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\erin marston\Application Data\WinAntiVirus Pro 2006\Logs\winav.log (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\stera.exe (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
Title: Re: Questions regarding key logging software that was installed on a laptop
Post by: ahullsb on August 22, 2008, 08:39:32 AM
Next came the Panda scan log. (The tracking cookies were from the ex, by the way.)

;*******************************************************************************************************************************************************************************************
ANALYSIS: 2008-04-14 16:41:18
PROTECTIONS: 1
MALWARE: 15
SUSPECTS: 0
;*******************************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===========================================================================================================================================================================================
Avira AntiVir PersonalEdition 8.0.1.27 No Yes
;===========================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===========================================================================================================================================================================================
Title: Re: Questions regarding key logging software that was installed on a laptop
Post by: ahullsb on August 22, 2008, 08:40:10 AM
(continued)

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\WA6P\Quar\JOozcvup
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\WA6P\Quar\JOabuwli
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\WA6P\Quar\ERysjzlr
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\WA6P\Quar\ERaetfwc
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\WA6P\Quar\JOoqvuhz
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\WA6P\Quar\JOjvuohy
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\WA6P\Quar\ERqrfsvb
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\WA6P\Quar\ERntzsjt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\WA6P\Quar\ERjqztsb
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\WA6P\Quar\ERgmzcco
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\WA6P\Quar\JOuwtaia
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\erin marston\Cookies\erin marston@atdmt[2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\WA6P\Quar\ERtugthk
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\WA6P\Quar\ERykjbhj
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\WA6P\Quar\ERlinfnc
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\WA6P\Quar\ERjjbcoj
00145792 Cookie/SexList TrackingCookie No 0 Yes No C:\WA6P\Quar\JOpyedkt
00167770 Cookie/Sextracker TrackingCookie No 0 Yes No C:\WA6P\Quar\JOellwoh
00168058 Cookie/Sextracker TrackingCookie No 0 Yes No C:\WA6P\Quar\JOtkbdoj
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\WA6P\Quar\ERwtxujy
00169286 Cookie/Sextracker TrackingCookie No 0 Yes No C:\WA6P\Quar\JOentaoy
00169286 Cookie/Sextracker TrackingCookie No 0 Yes No C:\WA6P\Quar\JOeptlgx
00169286 Cookie/Sextracker TrackingCookie No 0 Yes No C:\WA6P\Quar\JOucktsn
00169286 Cookie/Sextracker TrackingCookie No 0 Yes No C:\WA6P\Quar\JOtzjfzb
00169286 Cookie/Sextracker TrackingCookie No 0 Yes No C:\WA6P\Quar\JOftfhgv
00169286 Cookie/Sextracker TrackingCookie No 0 Yes No C:\WA6P\Quar\JOdyklku
00169286 Cookie/Sextracker TrackingCookie No 0 Yes No C:\WA6P\Quar\JOghajbi
00169286 Cookie/Sextracker TrackingCookie No 0 Yes No C:\WA6P\Quar\JOsvyhyd
00169286 Cookie/Sextracker TrackingCookie No 0 Yes No C:\WA6P\Quar\JOrfkdlh
00169286 Cookie/Sextracker TrackingCookie No 0 Yes No C:\WA6P\Quar\JOqvcckz
00169286 Cookie/Sextracker TrackingCookie No 0 Yes No C:\WA6P\Quar\JOdnifrd
00169286 Cookie/Sextracker TrackingCookie No 0 Yes No C:\WA6P\Quar\JOgslorv
00169286 Cookie/Sextracker TrackingCookie No 0 Yes No C:\WA6P\Quar\JOcsirpr
00169286 Cookie/Sextracker TrackingCookie No 0 Yes No C:\WA6P\Quar\JOblzykv
00169286 Cookie/Sextracker TrackingCookie No 0 Yes No C:\WA6P\Quar\JObkdfir
00169286 Cookie/Sextracker TrackingCookie No 0 Yes No C:\WA6P\Quar\JOgugtzb
00169286 Cookie/Sextracker TrackingCookie No 0 Yes No C:\WA6P\Quar\JOhvshdi
00169286 Cookie/Sextracker TrackingCookie No 0 Yes No C:\WA6P\Quar\JOtscviu
00169286 Cookie/Sextracker TrackingCookie No 0 Yes No C:\WA6P\Quar\JOniukot
00169286 Cookie/Sextracker TrackingCookie No 0 Yes No C:\WA6P\Quar\JOmfjouq
00169286 Cookie/Sextracker TrackingCookie No 0 Yes No C:\WA6P\Quar\JOnhzloz
00169286 Cookie/Sextracker TrackingCookie No 0 Yes No C:\WA6P\Quar\JOneuwlo
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\WA6P\Quar\ERltiycd
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\WA6P\Quar\ERmjeqpu
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\WA6P\Quar\ERvkdosr
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\WA6P\Quar\ERxnmtks
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\WA6P\Quar\ERkighzb
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\WA6P\Quar\ERkimfqe
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\WA6P\Quar\ERlmhfnb
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\WA6P\Quar\ERfyvgpz
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\WA6P\Quar\ERlnycol
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\WA6P\Quar\ERbjqczk
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\WA6P\Quar\ERddxcrj
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\WA6P\Quar\ERrnglum
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\WA6P\Quar\ERdjqapi
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\WA6P\Quar\ERlqvpvs
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\WA6P\Quar\ERtrvrka
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\WA6P\Quar\ERwfdqgf
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\WA6P\Quar\ERiiymon
00175950 Cookie/cs.sexcounter TrackingCookie No 0 Yes No C:\WA6P\Quar\JOanipik
00175950 Cookie/cs.sexcounter TrackingCookie No 0 Yes No C:\WA6P\Quar\JOknreci
00175950 Cookie/cs.sexcounter TrackingCookie No 0 Yes No C:\WA6P\Quar\JOzdmyrj
00175950 Cookie/cs.sexcounter TrackingCookie No 0 Yes No C:\WA6P\Quar\JOopeoli
00175950 Cookie/cs.sexcounter TrackingCookie No 0 Yes No C:\WA6P\Quar\JOfikzsn
00175950 Cookie/cs.sexcounter TrackingCookie No 0 Yes No C:\WA6P\Quar\JOxkixhs
Title: Re: Questions regarding key logging software that was installed on a laptop
Post by: ahullsb on August 22, 2008, 08:40:45 AM
(Continued)

00232552 application/winantivirus2006 HackTools No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\uninstall\wa6p_is1
00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\WA6P\Quar\ERzlwium
00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\WA6P\Quar\ERxkfrgl
00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\WA6P\Quar\ERwevwnm
00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\WA6P\Quar\ERvpcnfz
00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\WA6P\Quar\ERvilquo
00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\WA6P\Quar\ERuirrhg
00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\WA6P\Quar\ERswkbum
00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\WA6P\Quar\ERrrlibt
00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\WA6P\Quar\ERrgzndd
00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\WA6P\Quar\ERpfizni
00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\WA6P\Quar\ERpaqzdq
00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\WA6P\Quar\ERowkpgq
00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\WA6P\Quar\ERobbljy
00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\WA6P\Quar\ERnigjjq
00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\WA6P\Quar\ERmokaas
00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\WA6P\Quar\ERmlrgoc
00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\WA6P\Quar\ERhmtajr
00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\WA6P\Quar\ERfgqeqk
00366244 Application/NirCmd.A HackTools No 0 No No F:\Flash_Disinfector.exe[F:\Flash_Disinfector.exe][nircmd.exe]
00366244 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\erin marston\Desktop\Flash_Disinfector.exe[C:\Documents and Settings\erin marston\Desktop\Flash_Disinfector.exe][nircmd.exe]
;=============================================================================================================
SUSPECTS
Sent Location
;=============================================================================================================
;=============================================================================================================
VULNERABILITIES
Id Severity Description
;=============================================================================================================
184380 MEDIUM MS08-002
184379 MEDIUM MS08-001
182048 HIGH MS07-069
182046 HIGH MS07-067
182043 HIGH MS07-064
179553 HIGH MS07-061
176382 HIGH MS07-057
176383 HIGH MS07-058
170911 HIGH MS07-050
170907 HIGH MS07-046
170906 HIGH MS07-045
170904 HIGH MS07-043
164915 HIGH MS07-035
164913 HIGH MS07-033
164911 HIGH MS07-031
160623 HIGH MS07-027
;=============================================================================================================

I hope that clears things up a bit. After running move it again I was hoping this computer looks clean now? Sorry again for the confusion.
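The report pasted above follows what looks like the Panda ActiveScan layout (one detection per line, then a SUSPECTS table and a VULNERABILITIES table of missing Microsoft bulletins). As an added example that is not part of this thread and not code from any of the tools mentioned in it, the Python below parses such a report and pulls out what matters for triage: which hits are still active, which are only copies sitting in another product's quarantine folder, which are registry residue such as a stale Uninstall key, and which patches are missing, ranked by severity. The column names (Id, Description, Type, Active, Severity, Disinfectable, Disinfected, Location) are an assumption about the report format, and every id, detection name, path and bulletin in the sample is constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the layout of the scan report above. The column names
# are an assumption about the report format; every id, detection name, path and
# bulletin below is made up for this example (no real host, no real IoCs).
SAMPLE_LOG = r"""
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00000001 Cookie/Example.Tracker TrackingCookie No 0 Yes No C:\OTHERAV\Quar\AAbbccdd
00000002 Application/RogueAV.Example HackTools No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\uninstall\rogue_is1
00000003 Application/ExampleTool.A HackTools No 0 No No C:\Documents and Settings\user\Desktop\cleanup_tool.exe[cleanup_tool.exe][helper.exe]
00000004 Spyware/Example.Keylogger Spyware Yes 2 Yes No C:\WINDOWS\system32\EXAMPLE_hook.dll
;===============================================================================
SUSPECTS
Sent Location
;===============================================================================
VULNERABILITIES
Id Severity Description
;===============================================================================
184380 MEDIUM MS08-002
182048 HIGH MS07-069
;===============================================================================
"""

DETECTION_RE = re.compile(
    r"^(?P<id>\d{8})\s+(?P<name>\S+)\s+(?P<type>\S+)\s+(?P<active>Yes|No)\s+"
    r"(?P<severity>\d+)\s+(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+"
    r"(?P<location>.+)$"
)
VULN_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<severity>LOW|MEDIUM|HIGH|CRITICAL)\s+(?P<bulletin>MS\d{2}-\d{3})\b"
)
SEVERITY_RANK = {"CRITICAL": 3, "HIGH": 2, "MEDIUM": 1, "LOW": 0}


def parse_scan_log(text):
    """Split the report into detection rows and missing-bulletin rows."""
    detections, vulns = [], []
    section = None  # forum pastes often start mid-table, so rows before any header count as MALWARE
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";=") or line.startswith("="):
            continue  # separator lines
        if line in ("MALWARE", "SUSPECTS", "VULNERABILITIES"):
            section = line
            continue
        if section == "VULNERABILITIES":
            m = VULN_RE.match(line)
            if m:
                vulns.append(m.groupdict())
        elif section in (None, "MALWARE"):
            m = DETECTION_RE.match(line)
            if m:
                row = m.groupdict()
                row["severity"] = int(row["severity"])
                detections.append(row)
    return detections, vulns


def is_quarantined_copy(row):
    """A hit inside another product's quarantine folder is a neutralised copy, not a live infection."""
    return "\\quar\\" in row["location"].lower()


def is_registry_residue(row):
    """Only a registry key (e.g. an Uninstall entry) is left: files are gone but the entry still shows in the UI."""
    return row["location"].lower().startswith("hkey_")


def needs_attention(row):
    """Anything still active, or a non-cookie hit outside quarantine and outside the registry."""
    if row["active"] == "Yes":
        return True
    return (
        row["type"] != "TrackingCookie"
        and not is_quarantined_copy(row)
        and not is_registry_residue(row)
    )


def triage(detections, vulns):
    """Condense the report into the questions a defender actually asks."""
    return {
        "by_type": Counter(row["type"] for row in detections),
        "active": [row["name"] for row in detections if row["active"] == "Yes"],
        "already_quarantined": [row["location"] for row in detections if is_quarantined_copy(row)],
        "registry_residue": [row["location"] for row in detections if is_registry_residue(row)],
        # HackTools hits on a cleanup utility's bundled helper are often a legitimate admin tool: verify before deleting.
        "needs_attention": [row for row in detections if needs_attention(row)],
        # Missing bulletins, most severe first, then by bulletin id.
        "missing_patches": [
            (v["bulletin"], v["severity"])
            for v in sorted(vulns, key=lambda v: (-SEVERITY_RANK[v["severity"]], v["bulletin"]))
        ],
    }


if __name__ == "__main__":
    dets, vulns = parse_scan_log(SAMPLE_LOG)
    for key, value in triage(dets, vulns).items():
        print(f"{key}: {value}")
```

Run it against a report saved to a file by replacing SAMPLE_LOG with the file's contents; the `needs_attention` list is the one to act on, the `missing_patches` list is the patching to-do, and the cookie noise drops out of the picture.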
Title: Re: Questions regarding key logging software that was installed on a laptop
Post by: wyrmrider on August 22, 2008, 09:19:04 AM
first we had Symantec
now antivir?
did you ever run a symantec or antivir scan?

remember what I said about removing symantec
goes ditto for antivir
http://www.avira.com/en/support/antivir_removal_tool.html

after removing Symantec and Antivir run this

http://dl.antivir.de/down/windows/registrycleaner_en.zip

you can run ccleaner to remove the cookies which clutter up your posts

you are still finding malware
MBAM got rid of the 2006 infection
I need to see another AV scan like kaspersky
run superantispyware and/or Spybot search and destroy scans then post up a new HJT; be sure to close all browser windows
do not worry about restore points now
Title: Re: Questions regarding key logging software that was installed on a laptop
Post by: ahullsb on August 22, 2008, 11:48:25 PM
first we had Symantec
now antivir?
did you ever run a symantec or antivir scan?

remember what I said about removing symantec
goes ditto for antivir
http://www.avira.com/en/support/antivir_removal_tool.html

after removing Symantec and Antivir run this

http://dl.antivir.de/down/windows/registrycleaner_en.zip

you can run ccleaner to remove the cookies which clutter up your posts

you are still finding malware
MBAM got rid of the 2006 infection
I need to see another AV scan like kaspersky
run superantispyware and/or Spybot search and destroy scans then post up a new HJT; be sure to close all browser windows
do not worry about restore points now

She didn't think she had any antivirus program when I installed Avira. I want to install Avast for her because I have recently switched to it on my own machine and like it. I will use avira's uninstall link you recommended and run cc cleaner for her as well. I have run scans with Avira and it did not find anything. What malware is still appearing? Is it the tracking cookies from the last log that you are referring to? I will have access to her computer tomorrow so I will run a kaspersky scan as well, then post that log. Then I will run superantispyware as well if that is what you recommend. I was originally going to install spyware guard and spyware blaster for her, should I use superantispyware instead?
Title: Re: Questions regarding key logging software that was installed on a laptop
Post by: wyrmrider on August 23, 2008, 12:07:18 AM
ok clean install of avast
run both the avira uninstall tool and the antivir registry cleaner
super anti spy is an on-demand checker/scanner, like Spybot scanner and MBAM in the free version

I was looking at the winantivirus2006
ccleaner should clean up the tracking cookies- not to worry
SAS and Spybot scans will find them too- -just get them out of the way so they do not clutter up your posts
I just want to make sure nothing else got installed along with winantivirus2006
put in spywareblaster
spywareguard not necessary now- we can talk about that kind of thing later
(how much memory and how fast a system does she have?)

did you run that free keylogger tool that I linked to?
there are two types of keyloggers, the "hook" kind (most of them) and the Kernel type- the real nasties

did you check for rootkits?

Post up a fresh hjt at the end of the day
I'm hoping that one of the HJT experts will look at

Title: Re: Questions regarding key logging software that was installed on a laptop
Post by: ahullsb on August 23, 2008, 01:56:32 AM
Thank you for the advice. I will do as you instructed. Unfortunately I will not be able to get her computer until tomorrow. I wanted to let you know that so you aren't checking this thread today/tonight. I have spyware guard and spyware blaster on my own machine, I'd be curious whether I too should get rid of either of them, or use superantispyware instead. For reference I use Comodo (with the malware scanner...oops), although I am about to switch to online armour. I'm using Avast antivirus. Spywareblaster and Spyware Guard are also on my machine. Any advice on whether adding superantispyware would cause conflicts with these other programs would be appreciated, and if so, which from the above list I should remove. I accidentally installed the full version of Comodo with the malware portion and then installed Avast. I realize the possibility of conflicting software now, and that is why I am going to switch Comodo to something that is strictly a firewall. Would it have caused problems with the other software when I installed them, or will switching the firewall program be sufficient to correct the problem?
Title: Re: Questions regarding key logging software that was installed on a laptop
Post by: wyrmrider on August 23, 2008, 03:13:43 AM
spyware guard and blaster are Excellent tools and JAvacool is one of the best
leave em alone
nothing wrong with Comodo or Comodo anti malware, it's just that its list is duplicated
the good news is that it is proactive rather than reactive

I do not think that it would conflict with Avast but let's be careful about installing any other real time anti spyware (like t-timer or Spyware terminator or Windows Defender)
I do not see any reason to switch to online armour till the rest of the system gets sorted out
priorities-- anyone else have a comment- several threads on firewalls
I DO THINK THAT YOU/SHE should have real time anti-spyware- question is which one
DavidR uses paid MBAM, I use Paid Counterspy on this machine and free version of Pest Patrol on others
I am on Windows 98SE on most machines, which limits choices, or I would try Windows Defender
got a lot of horsepower 
Spyware Doctor (free with Google toolbar- just do not DL the rest of it :) has good prevention
(AS with Comodo- good while it lasts)

Anyway let's lay the keylogger issue to rest
If you think there might be a Kernel type keylogger then you need to post in a specialist forum for help
we can catch the usual "hook" type
Title: Re: Questions regarding key logging software that was installed on a laptop
Post by: Lisandro on August 23, 2008, 03:18:11 AM
Any advice on whether adding superantispyware would cause conflicts with these other programs would be appreciated
No problems.

Would it have caused problems with the other software when I installed them, or will switching the firewall program be sufficient to correct the problem?
HIPS part of Comodo (or any other) does not conflict with avast.
Title: Re: Questions regarding key logging software that was installed on a laptop
Post by: DavidR on August 23, 2008, 03:20:23 AM
SpywareGuard hasn't had any development for years and an outdated security application I feel is of little value.

@ wyrmrider
I use the free MBAM (not paid) but SuperAntiSpyware Pro (paid) version for my anti-spyware.
Title: Re: Questions regarding key logging software that was installed on a laptop
Post by: Lisandro on August 23, 2008, 03:26:27 AM
SuperAntiSpyware Pro (paid) version for my anti-spyware.
Surprise for me... I didn't notice that.
Title: Re: Questions regarding key logging software that was installed on a laptop
Post by: wyrmrider on August 23, 2008, 03:43:08 AM
sorry
I got it backward-
note to self- check the sig
I do think that one is required if the resources are there
sort of what I think about spywareguard is that the one with the red icon in the taskbar
been a while
still I'd like to suggest a replacement before removing it
It does work
Me
I'd switch to WinPatrol (although not exactly the same)
Title: Re: Questions regarding key logging software that was installed on a laptop
Post by: Lisandro on August 23, 2008, 03:45:08 AM
note to self- check the sig
You're right... I almost never look at well-known users signatures.
Title: Re: Questions regarding key logging software that was installed on a laptop
Post by: ahullsb on August 23, 2008, 10:46:55 PM
Update- She is coming back over in a few hours so I will be able to get to work on her machine.

Quick question- I am running Vista on my machine, and Windows Defender is built into that I believe. Does that mean I should not be using other real time spyware programs?
Title: Re: Questions regarding key logging software that was installed on a laptop
Post by: wyrmrider on August 24, 2008, 12:10:55 AM

Short answer is YES ( you could always disable WD but show me a really good reason first- as of now IT is not conflicting with anything)
Windows Defender should work as well as spywareterminator for real time protection
I have not seen any write ups on this recently and the ones at Spywarewarrior are years old

I would not rely on WD as my primary anti malware scanner- but what's not to like if it finds something
Malware Bytes Anti Malware seems to be the GO TO on demand scanner
(and their Rogue Remover which targets different things)
Then Super Anti Spyware
Spybot Search and Destroy
Title: Re: Questions regarding key logging software that was installed on a laptop
Post by: ahullsb on August 24, 2008, 02:38:27 AM
Thank you for the information. I just downloaded the free version of Malwarebytes. 1.025 I believe. There is the Protection tab which asks whether I want to buy and register what I'm assuming is the real time protection. Is that the portion of malwarebytes that you are advising me NOT to run? This portion is being handled by windows defender correct?
Title: Re: Questions regarding key logging software that was installed on a laptop
Post by: wyrmrider on August 24, 2008, 03:31:15 AM
Correct DO not run both at the same time
a decision on a change in realtime protection can be deferred till later

update MBAM and run a quickscan
if it finds anything click REMOVE - it will create a backupfile
post the log

mom better bake us some cookies for this
Title: Re: Questions regarding key logging software that was installed on a laptop
Post by: ahullsb on August 31, 2008, 09:09:13 PM
Update: I was finally able to get my hands on her computer again. I used the removal tools to get rid of old AV's. I reinstalled avast and it found nothing in the boot scan. I also ran malwarebytes which also found nothing. Spybot found a lot including some trojans it claims. We are running the first thorough scan of Avast right now. I don't see Winantivirus 2006 in the program files or anything, but did find its icon in the control panel still. >:( I also installed threatfire and it found something initially and we quarantined it. When this final scan is done should I post a log from Kaspersky or a new HJT log or anything? I think my mom's and my girlfriend's computers are getting close to being officially cleaned! :) Any suggestions on how to tell whether Winantivirus is defeated or not? Or how to get the leftover icon out of the control panel? Thanks in advance for the help everyone.

Her protection is now as follows. Any suggestions or recommendations would be greatly appreciated. This is on an older Vaio running xp. It's a pentium 4 around 2.7 Ghz if I remember correctly. Only about 512-1 Gb of RAM:

Comodo firewall
Avast Home Edition
Threatfire
MBAM (free version)
Spybot S&D (SD helper & Tea Timer)
WinPatrol
Title: Re: Questions regarding key logging software that was installed on a laptop
Post by: wyrmrider on August 31, 2008, 10:16:26 PM
It would have been nice if you had posted what trojans spybot found
you might google them
did you quarantine?
If only spybot found them you might want to post your spybot log here
http://forums.spybot.info/forumdisplay.php?f=22
read the sticky to see what they want on a first post-- possibly a hjt or something
post a link to this thread
and DO NOT ANSWER your first post there till some one helps you
of course we will be interested if they are fp's or something we missed

your  list looks good
if mom uses IE add Spywareblaster by Javacool for active x protection
I'd also recommend MVPS or HPHosts
neither are resource intensive
with spybot be sure to update and reimmunize every Wednesday

Do you still have Windows Defender?
I have no problem with Windows Defender but do NOT have both it and T-timer
Windows Defender is updated regularly and makes a fine on-demand scanner if you are not using the real time
You have made great progress
where's the cookies?
Title: Re: Questions regarding key logging software that was installed on a laptop
Post by: ahullsb on August 31, 2008, 10:59:25 PM
Thanks for the quick response. I ran the spybot scan last night before leaving her house and my girlfriend called me this morning with the results. I told her to select "fix the selected problems." I realized that I wasn't sure whether spybot logged these or not. Guess I will research that now. I'm assuming if you are recommending to post my spybot log that there must be one available. :) Threatfire found something as well that I quarantined to determine whether it was a false positive or not. I will post what it found as well.

I will add MVPS to her computer as you suggested. She does use IE sometimes.

My apologies for muddying up my threads a little. I use Windows Defender on MY vista machine and Spybot as well, without Tea Timer. Her computer is an older xp laptop so I downloaded Spybot with Tea Timer and SD helper. She does not have Windows Defender. She does have WinAntivirus2006 in her control panel though. That is still driving me crazy. As soon as I get info from spybot I will post any info here, and I will definitely link them to this thread.

Give me an address and I'll send the cookies. :) Both my mom and girlfriend are teachers so between the two of them I get the best!
Title: Re: Questions regarding key logging software that was installed on a laptop
Post by: wyrmrider on September 01, 2008, 12:34:51 AM
MVPS will work for any browser- good move
she will save lots of download time of worthless stuff as shown by all the blank spots and site not found messages- tell her she is not missing anything useful

When you say control panel do you mean add remove programs?
what happens when you click it?
If there is nothing  for the shortcut to go to then there are utilities to remove the listing (shortcut)
I use the one in WinPatrol but there are many others

Uh What did she find
just cookies I hope :)
If there are any significant spybot hits post them up even if spybot quarantined them
or Threatfire

The Spybot forum is very busy so let's be sure of that there is a real problem before we bother their Malware removal forum  If we have false positives we'll post in the Spybot S&D FP forum here
http://forums.spybot.info/forumdisplay.php?s=3bd3ee897bceb1a9b44b4ade0f233a97&f=16
Title: Re: Questions regarding key logging software that was installed on a laptop
Post by: ahullsb on September 01, 2008, 01:26:40 AM
I know spybot claimed to find trojans. I don't know if any were false positives. The WinAntivirus2006 is listed literally in "control panel." It is not in add/remove programs, and there aren't any program files that I can find. The only option for the icon in the control panel is create a shortcut and open. When I clicked open nothing happened, so I'm not sure if the program is still running, or whether it is a leftover icon...I will check the utility in win patrol, but that was why I wondered whether I should post another log to make sure it is not active anymore. I will post the spybot and threatfire logs as soon as I get to her computer again!