Author Topic: Help!!! System infected with Backdoor.Graybird and Backdoor.Trojan  (Read 11233 times)

0 Members and 1 Guest are viewing this topic.

Offline crazymonet

  • Jr. Member
  • **
  • Posts: 24
    • View Profile
Hi,
Scans by Norton 360 shows that my system is infected with many instances of Backdoor.Graybird and Backdoor.Trojan. I have been unsuccessful in removing the viruses. Please help. Thanks

Log of HijackThis


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:16, on 23/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Utimaco\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\V0270Mon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vaio-link.com/hub.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vaio-link.com/hub.asp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.vaio-link.com/vu/ind.asp?u=m&h=0809
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [PDService.exe] C:\Program Files\Utimaco\SafeGuard PrivateDisk\pdservice.exe
O4 - HKLM\..\Run: [VAIO Update 3] "C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe"  /Stationary
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" -boot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [V0270Mon.exe] C:\WINDOWS\V0270Mon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Creative Live! Cam Manager] "C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.com/en/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181519284609
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} (SopCore Control) - http://download.sopcast.cn/download/SOPCORE.CAB
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2/ocx/15035/CTPID.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Avlib\SSScsiSV.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Cooporated Initialisation (VCI) - Sony Corporation - C:\Program Files\Sony\VAIO Cooperated Initialisation\VCI_SVC.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

--
End of file - 17575 bytes


Thanks.

Offline Basementgeek

  • LzD Fallen Heroes
  • Hero Member
  • *****
  • Posts: 1027
    • View Profile
Re: Help!!! System infected with Backdoor.Graybird and Backdoor.Trojan
« Reply #1 on: April 25, 2008, 07:08:32 PM »
Hi:

I will get you started on this.

Disconnect from the internet, close all browser windows including this.

Run an other HJT scan and check the following files to have HJT fix:

O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab

Press the fixed check button.

Re boot the PC.

Do need to ask a couple of things what is this one?

O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} (SopCore Control) - http://download.sopcast.cn/download/SOPCORE.CAB

This looks one legit, but I question it:

O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe

Please go to VirusTotal here ……

http://www.virustotal.com/en/indexf.html

In the middle of the page you'll find a  Browse  button.



Copy and paste the following:

C:\Program Files\PrevxCSI\prevxcsi.exe               

Click the Send File button

Copy the report it create and paste that report in your next reply.

The scan can take awhile depending how busy their servers are.

Post another HJT log after you do another Norton scan.  Does Norton scan still finding anything?

BG

P.S. - You never updated your Java since your last log.  We will do this when we are done with the current problem.





Time is a thief- One more today here is one less tomorrow

Offline crazymonet

  • Jr. Member
  • **
  • Posts: 24
    • View Profile
Re: Help!!! System infected with Backdoor.Graybird and Backdoor.Trojan
« Reply #2 on: April 29, 2008, 01:51:43 PM »
Hello Basement Geek,
How are you doing today? Thanks for your reply and solution to the problem. Ran HijackThis and fixed the issue that you highlighted.

O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class)-
http://secure2.comned.com/signuptemplates/securelogin-devel.

About this one,
O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} (SopCore Control) -
http://download.sopcast.cn/download/SOPCORE.CAB

I use sopcast to watch live football, boxing matches on the net.

The results of the scan at VirusTotal:

File prevxcsi.exe received on 02.28.2008 09:30:28 (CET)
Current status: finished

Result: 1/32 (3.12%)
 Compact Print results 
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - -
Authentium - - -
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - suspicious Trojan/Worm
eTrust-Vet - - -
Ewido - - -
F-Prot - - -
F-Secure - - -
FileAdvisor - - -
Fortinet - - -
Ikarus - - -
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - -
Prevx1 - - -
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - -

Additional information
MD5: ab8dcc6bb30757f33985a737dd897971
SHA1: ef526b03a5f5ce3c199e91ca51e3d86a580c94be
SHA256: 8b269e214b2cc092d058c94a858da59be71986c79ab683bc7f10b4f822f612de
SHA512: 761563a406bbe9fa5da3538d6a12dabad0f568da9b7cb3b5c4f9cbfc93926785265395b8789beddee75e65e7836c9dbfbd556133893292eb204b2548ca65349c


Will post the new HijackThis Log after the Norton scan finishes.
Thank you so much. Take care.

Regards

Offline crazymonet

  • Jr. Member
  • **
  • Posts: 24
    • View Profile
Re: Help!!! System infected with Backdoor.Graybird and Backdoor.Trojan
« Reply #3 on: April 29, 2008, 05:47:22 PM »
Hello Basmentgeek,
Scans by Norton 360 showed 1 instance of Backdoor.Graybird, 5 instances of Backdoor.Trojan amd 10 instances of Pwdump. The deails of Pwdump I found at http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2005-032616-0025-99&tabid=1.

HijackThis Log after the Norton Scan.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:45:50, on 29/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Utimaco\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\V0270Mon.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\mdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vaio-link.com/hub.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vaio-link.com/hub.asp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.vaio-link.com/vu/ind.asp?u=m&h=0809
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [PDService.exe] C:\Program Files\Utimaco\SafeGuard PrivateDisk\pdservice.exe
O4 - HKLM\..\Run: [VAIO Update 3] "C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe"  /Stationary
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" -boot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [V0270Mon.exe] C:\WINDOWS\V0270Mon.exe
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Creative Live! Cam Manager] "C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2706345242-1876754969-3410630596-1008\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Jasmine')
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.com/en/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181519284609
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD40/JSCDL/jre/6u5-b19/jinstall-6u5-windows-i586-jc.cab?AuthParam=1209477755_fca69b4ecc67f1a1cb0166f6cd890ad2&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD40/JSCDL/jre/6u5-b19/jinstall-6u5-windows-i586-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} (SopCore Control) - http://download.sopcast.cn/download/SOPCORE.CAB
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2/ocx/15035/CTPID.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Avlib\SSScsiSV.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Cooporated Initialisation (VCI) - Sony Corporation - C:\Program Files\Sony\VAIO Cooperated Initialisation\VCI_SVC.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

--
End of file - 18694 bytes

Thanks
Regards

Offline Clark76

  • Malware Experts
  • Hero Member
  • *****
  • Posts: 553
    • View Profile
    • Clark76.com
Re: Help!!! System infected with Backdoor.Graybird and Backdoor.Trojan
« Reply #4 on: April 30, 2008, 10:26:23 AM »
Hello crazymonet

Basementgeek ask if I could step in on this log.  Please do the following:

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
-------------------------

Please also list the locations and file names of what Norton is alerting you to.
Proud Member of ASAP
Proud Member of UNITE

Offline crazymonet

  • Jr. Member
  • **
  • Posts: 24
    • View Profile
Re: Help!!! System infected with Backdoor.Graybird and Backdoor.Trojan
« Reply #5 on: April 30, 2008, 10:19:23 PM »
Heloo Clark76,
Thanks for stepping in to help me. Much appreciated.

Main.txt

Deckard's System Scanner v20071014.68
Run by Peter on 2008-04-30 22:56:40
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 80% (more than 75%).
Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Peter.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:56:57, on 30/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Utimaco\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\V0270Mon.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Peter\My Documents\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Peter.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vaio-link.com/hub.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vaio-link.com/hub.asp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.vaio-link.com/vu/ind.asp?u=m&h=0809
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [PDService.exe] C:\Program Files\Utimaco\SafeGuard PrivateDisk\pdservice.exe
O4 - HKLM\..\Run: [VAIO Update 3] "C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe"  /Stationary
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" -boot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [V0270Mon.exe] C:\WINDOWS\V0270Mon.exe
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Creative Live! Cam Manager] "C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.com/en/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181519284609
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD40/JSCDL/jre/6u5-b19/jinstall-6u5-windows-i586-jc.cab?AuthParam=1209477755_fca69b4ecc67f1a1cb0166f6cd890ad2&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD40/JSCDL/jre/6u5-b19/jinstall-6u5-windows-i586-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} (SopCore Control) - http://download.sopcast.cn/download/SOPCORE.CAB
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2/ocx/15035/CTPID.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Avlib\SSScsiSV.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Cooporated Initialisation (VCI) - Sony Corporation - C:\Program Files\Sony\VAIO Cooperated Initialisation\VCI_SVC.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

--
End of file - 18361 bytes

-- Files created between 2008-03-30 and 2008-04-30 -----------------------------

2008-04-30 21:38:02         0 dr-h----- C:\Documents and Settings\Peter\Recent
2008-04-29 15:11:00         0 d-------- C:\Program Files\Three Rings Design
2008-04-23 15:26:58         0 d-------- C:\Program Files\a-squared Anti-Malware
2008-04-22 22:45:56         0 d-------- C:\Documents and Settings\Peter\Application Data\TrojanHunter
2008-04-22 21:55:35         0 d-------- C:\Program Files\TrojanHunter 4.7
2008-04-22 21:51:46     77312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-04-22 21:51:45    162304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-04-22 21:51:45     69632 --a------ C:\WINDOWS\system32\ztvcabinet.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
2008-04-22 21:51:45    153088 --a------ C:\WINDOWS\system32\unrar3.dll
2008-04-22 21:51:45     75264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-04-22 21:51:36         0 d-------- C:\Documents and Settings\Peter\Application Data\Simply Super Software
2008-04-22 21:51:36         0 d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-04-21 13:15:30         0 d-------- C:\WhatBotsData
2008-04-13 17:28:54         0 d-------- C:\Program Files\SightSpeed
2008-04-12 01:55:13         0 d-------- C:\Live! Cam
2008-04-11 23:30:05         0 d-------- C:\Documents and Settings\Peter\Application Data\Creative
2008-04-11 20:52:36     41984 -----n--- C:\WINDOWS\Ctregrun.exe <Not Verified; Creative Technology Ltd; Creative On-line Registration System>
2008-04-11 20:50:11         0 d-------- C:\WINDOWS\CtDrvInstall
2008-04-11 20:47:47         0 d-------- C:\Documents and Settings\All Users\Application Data\muvee Technologies
2008-04-11 20:34:10         0 d-------- C:\Program Files\Creative
2008-04-10 13:03:13         0 d-------- C:\Documents and Settings\Peter\Contacts
2008-04-10 12:41:38         0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-10 12:41:18         0 d-------- C:\Program Files\Windows Live
2008-04-10 12:40:55         0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-10 11:46:29         0 d-------- C:\Program Files\Common Files\LogiShrd
2008-04-09 08:39:52         0 d-------- C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-04-08 15:51:07         0 d-------- C:\Program Files\ISTQB Sample Exam Questions
2008-04-04 23:20:21         0 d-------- C:\dvdsanta
2008-04-04 23:19:40    237568 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-04-04 23:19:40   1216512 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-04-04 23:19:40    921600 --a------ C:\WINDOWS\system32\vorbisenc.dll
2008-04-04 23:19:40    188416 --a------ C:\WINDOWS\system32\vorbis.dll
2008-04-04 23:19:40    237568 --a------ C:\WINDOWS\system32\OggDS.dll <Not Verified; ; Ogg DirectShow(tm) Filter Collection>
2008-04-04 23:19:40     45056 --a------ C:\WINDOWS\system32\ogg.dll
2008-04-04 18:24:16         0 d-------- C:\Documents and Settings\Peter\Application Data\Wireshark
2008-04-04 18:21:46         0 d-------- C:\Program Files\WinPcap
2008-04-04 18:21:07         0 d-------- C:\Program Files\Wireshark
2008-03-31 22:28:25         0 d-------- C:\Downloads <DOWNLO~2>
2008-03-31 22:28:25         0 d-------- C:\Bases
2008-03-31 21:27:36         0 d-------- C:\Documents and Settings\Peter\DoctorWeb


-- Find3M Report ---------------------------------------------------------------

2008-04-30 22:52:46         0 d-------- C:\Documents and Settings\Peter\Application Data\PrevxCSI
2008-04-30 21:33:00         0 d-------- C:\Documents and Settings\Peter\Application Data\StumbleUpon
2008-04-30 21:04:05         0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-30 11:48:22         0 d-------- C:\Documents and Settings\Peter\Application Data\OpenOffice.org2
2008-04-30 11:36:16         0 d-------- C:\Documents and Settings\Peter\Application Data\SiteAdvisor
2008-04-29 15:09:53         0 d-------- C:\Program Files\Java
2008-04-28 21:57:04         0 d-------- C:\Documents and Settings\Peter\Application Data\uTorrent
2008-04-23 17:46:11         0 d-------- C:\Program Files\mIRC
2008-04-22 10:31:20         0 d-------- C:\Program Files\Norton 360
2008-04-21 19:25:13         0 d-------- C:\Documents and Settings\Peter\Application Data\Skype
2008-04-21 18:59:29         0 d-------- C:\Documents and Settings\Peter\Application Data\skypePM
2008-04-13 16:59:16         0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-13 16:59:16         0 d-------- C:\Program Files\Common Files
2008-04-11 20:48:39        50 --a------ C:\AUTOEXEC.BAT
2008-04-04 23:22:59         0 d-------- C:\Program Files\dvdSanta
2008-04-02 22:55:02         0 d-------- C:\Program Files\SUPERAntiSpyware
2008-03-28 22:10:27         0 d-------- C:\Program Files\Dr.Hardware 2008 english
2008-03-28 22:02:31         0 d-------- C:\Documents and Settings\Peter\Application Data\JustVoip
2008-03-23 02:37:49         0 d-------- C:\Documents and Settings\Peter\Application Data\Nokia Multimedia Player
2008-03-18 19:00:54         0 d-------- C:\Program Files\Elaborate Bytes
2008-03-13 06:15:35      2515 --a------ C:\Documents and Settings\Peter\Application Data\SAS7_000.DAT
2008-03-11 11:50:49         0 d-------- C:\Program Files\PeerGuardian2
2008-02-22 19:40:53     98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [17/11/2004 12:47]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [24/11/2005 09:29]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [24/11/2005 09:29]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [24/11/2005 09:29]
"Mouse Suite 98 Daemon"="ICO.EXE" [14/03/2002 17:46 C:\WINDOWS\system32\ico.exe]
"SonyPowerCfg"="C:\Program Files\Sony\VAIO Power Management\SPMgr.exe" [13/12/2005 23:43]
"ISBMgr.exe"="C:\Program Files\Sony\ISB Utility\ISBMgr.exe" [20/02/2004 15:12]
"PDService.exe"="C:\Program Files\Utimaco\SafeGuard PrivateDisk\pdservice.exe" [06/07/2004 15:15]
"@"="" []
"VAIO Update 3"="C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe" [25/01/2007 20:41]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [30/03/2007 16:42]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [27/10/2006 00:47]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [12/02/2007 09:17]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [20/06/2006 17:45]
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" [19/12/2007 23:39]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [15/03/2007 04:10]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/01/2008 16:27]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [29/01/2008 18:38]
"V0270Mon.exe"="C:\WINDOWS\V0270Mon.exe" [22/08/2007 01:03]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [23/04/2008 15:33]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [16/02/2005 16:15]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [11/01/2006 03:56]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 13:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [24/07/2007 23:32]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [17/12/2007 17:13]
"Creative Live! Cam Manager"="C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe" [06/09/2006 09:42]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 14:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
VESWinlogon.dll 23/09/2006 15:24 73728 C:\WINDOWS\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs   BthServ

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2008-04-30 22:58:09 ------------

Extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Genuine Intel(R) CPU           T2300  @ 1.66GHz
CPU 1: Genuine Intel(R) CPU           T2300  @ 1.66GHz
Percentage of Memory in Use: 65%
Physical Memory (total/avail): 510.04 MiB / 174.08 MiB
Pagefile Memory (total/avail): 1245.34 MiB / 652.84 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1922.62 MiB

C: is Fixed (NTFS) - 37.26 GiB total, 5.48 GiB free.
D: is Fixed (NTFS) - 30.28 GiB total, 4.09 GiB free.
E: is Removable (No Media)
F: is CDROM (No Media)
H: is CDROM (CDFS)

\\.\PHYSICALDRIVE1 - MemoryStick0 Device

\\.\PHYSICALDRIVE0 - ST98823AS - 74.53 GiB - 3 partitions
  \PARTITION0 - Unknown - 6.99 GiB
  \PARTITION1 (bootable) - Installable File System - 37.26 GiB - C:
  \PARTITION2 - Extended w/Extended Int 13 - 30.28 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: Norton 360 v2007 (SYMANTEC Corporation)
AV: Norton 360 v2007 (SYMANTEC Corperation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Documents and Settings\\Peter\\My Documents\\utorrent.exe"="C:\\Documents and Settings\\Peter\\My Documents\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Disabled:Microsoft DirectPlay8 Server"
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"="C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe:*:Enabled:tvprunner"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Documents and Settings\\Peter\\Application Data\\SopCast\\adv\\SopAdver.exe"="C:\\Documents and Settings\\Peter\\Application Data\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\\Program Files\\SopCast\\SopCast.exe"="C:\\Program Files\\SopCast\\SopCast.exe:*:Enabled:SopCast Main Application"
"C:\\Program Files\\DAP\\DAP.exe"="C:\\Program Files\\DAP\\DAP.exe:*:Enabled:Download Accelerator Plus (DAP)"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\JustVoip.com\\JustVoip\\JustVoip.exe"="C:\\Program Files\\JustVoip.com\\JustVoip\\JustVoip.exe:*:Enabled:JustVoip"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\SightSpeed\\SightSpeed.exe"="C:\\Program Files\\SightSpeed\\SightSpeed.exe:*:Enabled:SightSpeed"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Peter\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_05\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PETERARYA
ComSpec=C:\WINDOWS\system32\cmd.exe
DiskeeperIcon=C:\Program Files\Executive Software\DiskeeperLite\
DXSDK_DIR=C:\Program Files\Microsoft DirectX SDK (April 2007)\
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Peter
LOGONSERVER=\\PETERARYA
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\Program Files\PC Connectivity Solution\;C:\Program Files\Microsoft DirectX SDK (April 2007)\Utilities\Bin\x86;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Intel\Wireless\Bin\;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\Executive Software\DiskeeperLite\;C:\Program Files\QuickTime\QTSystem\;;C:\PROGRA~1\COMMON~1\MUVEET~1\030625
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_05\lib\ext\QTJava.zip
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Peter\LOCALS~1\Temp
TMP=C:\DOCUME~1\Peter\LOCALS~1\Temp
USERDOMAIN=PETERARYA
USERNAME=Peter
USERPROFILE=C:\Documents and Settings\Peter
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Peter (admin)
Jasmine (admin)


-- Add/Remove Programs ---------------------------------------------------------

 -->
 -->
 -->
 -->
 -->
 -->
 -->
 -->
 -->
 -->
 -->
 -->
 -->
 -->
 -->
 -->
 -->
 -->
 -->
 -->
 -->
 -->
 -->
 -->
 -->
 -->
 -->
 -->
 -->
 -->
 -->
 -->
 -->
 -->
 -->
 --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
 --> C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
 --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
 --> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}
 --> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}
 --> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}
 --> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
 --> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
 --> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
 --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
 --> C:\WINDOWS\UNRecode.exe /UNINSTALL
 --> MsiExec.exe /I{C98E5F1B-5C2B-4FD1-BDF9-F3779DCAAA16}
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD836E74-7923-4174-A055-F97CD0F3BB46}\Setup.exe" -l0x9
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{15B3F9F8-4CF9-452A-9AF2-AA8553765DA7}\setup.exe" -l0x9
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2C81600D-D6C7-4687-9362-DD4A78B3483E}\setup.exe" -l0x9
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{513D9FB1-27A2-44E4-8F2D-77A6737921A5}\setup.exe" -l0x9
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6BE926E5-66F4-4166-A5E5-E14D7A165BBD}\setup.exe" -l0x9
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88B1984E-36F0-47B8-B8DC-728966807A9C}\SETUP.EXE" -l0x9
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5BA7C09-E523-478C-9C37-A1D86C76383E}\setup.exe" -l0x9
 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
a-squared Anti-Malware 3.5 --> "C:\Program Files\a-squared Anti-Malware\unins000.exe"
Ad-Aware SE Professional --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat 7.0 Elements -->
Adobe Acrobat 7.0 Elements --> msiexec /I {E5E6E687-1033-0000-0000-000000000002}
Adobe Acrobat 7.0.1 and Reader 7.0.1 Update --> MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000702}
Adobe Acrobat 7.0.2 and Reader 7.0.2 Update --> MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000703}
Adobe Acrobat 7.0.3 and Reader 7.0.3 Update --> MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000704}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5102}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Help Center 2.0 --> MsiExec.exe /I{8FFC924C-ED06-44CB-8867-3CA778ECE903}
Adobe Photoshop Elements 4.0 -->
Adobe Photoshop Elements 4.0 --> msiexec /I {EBB7C1C1-D439-4D9B-9FDC-954C10F266B0}
Adobe Premiere Elements 2.0 -->
Adobe Premiere Elements 2.0 --> msiexec /I {11C98E1A-EC91-4B38-B44C-C562292D8453}
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe® Photoshop® Album Starter Edition 3.2 -->
Adobe® Photoshop® Album Starter Edition 3.2 --> MsiExec.exe /I{A654A805-41D9-40C7-AA46-4AF04F044D61}
Advanced Video FX Engine --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5BA7C09-E523-478C-9C37-A1D86C76383E}\setup.exe" -l0x9  /remove
AnalogX PortMapper --> C:\Program Files\AnalogX\PortMapper\pmapperu.exe
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
Apple Mobile Device Support --> MsiExec.exe /I{D8AB8F0C-CEEB-4A29-8EF5-219B064813F4}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
Bonus --> MsiExec.exe /I{420F8FCF-8F5E-4518-A5B3-FBBD56B98FEC}
Brain Teasers --> C:\PROGRA~1\THETIM~1\BRAINT~1\UNWISE.EXE C:\PROGRA~1\THETIM~1\BRAINT~1\INSTALL.LOG
Brain Trainer --> "C:\Program Files\Mindscape\Brain Trainer\Uninstall.exe" "C:\Program Files\Mindscape\Brain Trainer\install.log" -u
CC_ccProxyExt --> MsiExec.exe /I{4AAD206E-0557-440F-8A98-94921A64BF4B}
ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
ccPxyCore --> MsiExec.exe /I{47A86BDE-6871-4A8A-BB49-21FAF754E00E}
CIB --> MsiExec.exe /I{E8176C35-0C2D-4142-9ED4-81861ECAB403}
Click to DVD 2.0.03 Menu Data --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E407618-D9CD-4F39-9490-9ED45294073D}\setup.exe" -l0x9  -removeonly
Click to DVD 2.5.32 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E809063C-51A3-4269-8984-D1EB742F2151}\setup.exe" -l0x9  -removeonly
CloneDVD2 --> "C:\Program Files\Elaborate Bytes\CloneDVD2\CloneDVD2-uninst.exe" /D="C:\Program Files\Elaborate Bytes\CloneDVD2"
CmdHere Powertoy For Windows XP --> MsiExec.exe /I{6855CCDD-BDF9-48E4-B80A-80DFB96FE36C}
Creative Live! Cam Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6BE926E5-66F4-4166-A5E5-E14D7A165BBD}\setup.exe" -l0x9  /remove
Creative Live! Cam Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{15B3F9F8-4CF9-452A-9AF2-AA8553765DA7}\setup.exe" -l0x9  /remove
Creative Live! Cam Optia Driver (1.03.01.0000) --> C:\WINDOWS\CtDrvIns.exe -uninstall -script VF0270.uns -unsext NT -plugin V0270Pin.dll -pluginres CtCamPin.crl
Creative Live! Cam Optia User's Guide (English) --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative\Creative Live! Cam Optia\Creative Live! Cam Optia User's Guide\English\CTManual.isu"
Creative Photo Calendar --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2C81600D-D6C7-4687-9362-DD4A78B3483E}\setup.exe" -l0x9  /remove
Creative Photo Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{513D9FB1-27A2-44E4-8F2D-77A6737921A5}\setup.exe" -l0x9  /remove
Creative Software AutoUpdate --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88B1984E-36F0-47B8-B8DC-728966807A9C}\SETUP.EXE" -l0x9  /remove
Creative System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9  /remove
Developer Certificate Request 2.1.1 --> C:\Program Files\InstallShield Installation Information\{4FDF4C76-5789-4AA9-8112-ADA95C79B798}\setup.exe -runfromtemp -l0x0009 -removeonly
Diskeeper Lite --> MsiExec.exe /X{A3F60446-48FB-48A8-B5FC-BB3430AEF806}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Dragon NaturallySpeaking 9 --> MsiExec.exe /I{DDDD90B2-80F2-413A-8A8E-38C5076A7DBA}
DSA Theory Test --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{79D1BA4A-BEB4-4357-A431-C3EF58E72E6C}
DSD Direct --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C27BF761-C499-488D-A964-A3718BC6EC3E}\setup.exe" -l0x9
DSD Playback Plug-in 1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C89EB8CD-675F-44F4-9729-4C9A8FAC2D4F}\setup.exe" -l0x9
dvdSanta 4.50 --> "C:\Program Files\dvdSanta\unins000.exe"
DVgate Plus --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{685BCC47-B8EC-45EC-BBCE-77DF2451502C}\setup.exe" -l0x9
ewido security suite free --> C:\Program Files\ewido\security suite\Uninstall.exe
GearDrvs --> MsiExec.exe /I{228F6876-A313-40A3-91C0-C3CBE6997D09}
Google Earth --> MsiExec.exe /I{407B9B5C-DAC5-4F44-A756-B57CAB4E6A8B}
Google Talk (remove only) --> "C:\Program Files\Google\Google Talk\uninstall.exe"
Google Toolbar for Firefox --> MsiExec.exe /X{2CCBABCB-6427-4A55-B091-49864623C43F}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
Hazard Perception Training 2002-2003 --> MsiExec.exe /I{500D04BB-543A-49DF-A939-A67ABAA8238B}
HDAUDIO SoftV92 Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_20030003\HXFSETUP.EXE -U -ISnyHDANk.inf
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Home Media Server 4.0.0.0072 --> C:\Program Files\SimpleCenter\uninstall.exe
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HTML 4.0 Session 1 --> C:\WINDOWS\lkunins2.exe -uAppDev.ini
IE Doctor 3.6 --> "C:\Program Files\IE Doctor\unins000.exe"
Image Converter 2 Plus --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63B8FB69-A1B6-425D-B67D-5257B7A1F663}\setup.exe" -l0x9  /CONPANE
Intel(R) Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_27A6 PCI\VEN_8086&DEV_27A2
Intel(R) PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
InterVideo WinDVD for VAIO --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
iTunes --> MsiExec.exe /I{B85C4D19-6CEB-48CF-BD98-C887AC8C6F94}
J2SE Runtime Environment 5.0 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150050}
Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Joost (tm) 0.12.0 --> C:\Program Files\Joost\uninst.exe
LAN Setting Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5958CAC6-373E-402F-84FE-0A699AA920B9}\setup.exe" -l0x9
Lexmark 4300 Series --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxceUNST.EXE -NOLICENSE
LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
McAfee SiteAdvisor --> C:\Program Files\SiteAdvisor\6253\uninstall.exe
mCore --> MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDriver --> MsiExec.exe /I{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}
Memory Stick Formatter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{27337663-2619-11D4-99DC-0000F49094C7}\Setup.exe" -l0x9 /UNINSTALL
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft DirectX SDK (April 2007) --> MsiExec.exe /I{5BDAEFB5-1FF6-45DA-AD07-910CD7F4B5EF}
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Script Debugger --> RunDll32 advpack.dll,LaunchINFSection C:\Program Files\Microsoft Script Debugger\ScrptDbg.inf, Uninstall.NT
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Software Update for Web Folders (English) 12 -->
Microsoft User-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWudf01005$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
MSVC80_x86 --> MsiExec.exe /I{212748BB-0DA5-46DE-82A1-403736DC9F27}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
NeoTrace Pro 3.25 --> C:\PROGRA~1\NEOTRA~1\UNWISE.EXE C:\PROGRA~1\NEOTRA~1\INSTALL.LOG
Nero 7 Premium --> MsiExec.exe /X{A20A58C4-6784-4B4B-86CC-94E2E3671033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NETg Skill Builder DX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40C2D00A-9235-4EA2-8AB9-2CAB7A842B49}\setup.exe"
Netscape Navigator (9.0.0.5) --> C:\Program Files\Netscape\Navigator 9\uninstall\helper.exe
Nokia Connectivity Cable Driver --> MsiExec.exe /X{0A3D3C54-2EC0-4D67-B265-FF17926E6D67}
Nokia Map Loader --> C:\Program Files\Nokia Map Loader\Uninstall.exe
Nokia MTP driver --> MsiExec.exe /I{0E94871C-623C-464F-A117-B8474BFF84E1}
Nokia PC Suite --> C:\Documents and Settings\All Users\Application Data\Installations\{29466F9C-7C6A-419C-B301-F440FAF78760}\Nokia_PC_Suite_rel_6_85_14_1_eng_web.exe
Nokia PC Suite --> MsiExec.exe /I{29466F9C-7C6A-419C-B301-F440FAF78760}
Norton 360 --> MsiExec.exe /I{21829177-4DED-4209-AD08-490B3AC9C01A}
Norton 360 --> MsiExec.exe /I{2D617065-1C52-4240-B5BC-C0AE12157777}
Norton 360 --> MsiExec.exe /I{63A6E9A9-A190-46D4-9430-2DB28654AFD8}
Norton 360 --> MsiExec.exe /I{F413B69D-4AD6-42ab-AEA5-0548989FAD50}
Norton 360 (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{2D617065-1C52-4240-B5BC-C0AE12157777}_1_0_0_184\{2D617065-1C52-4240-B5BC-C0AE12157777}.exe" /X
Norton 360 Help --> MsiExec.exe /I{1CA941F1-5006-487E-9FD4-09F812A7D6B8}
Norton Add-on Pack (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{420F8FCF-8F5E-4518-A5B3-FBBD56B98FEC}_1_1_0_38\{420F8FCF-8F5E-4518-A5B3-FBBD56B98FEC}.exe" /X
Norton AntiSpam --> MsiExec.exe /I{3B29A786-5803-4E9E-9B58-3014A5B4E519}
Norton AntiSpam --> MsiExec.exe /I{5677563D-0CB1-485F-9E18-C5025306BB3F}
Norton Confidential Browser Component --> MsiExec.exe /I{4843B611-8FCB-4428-8C23-31D0A5EAE164}
Norton Confidential Web Authentification Component --> MsiExec.exe /I{3074EB89-1BCA-4AEF-AFF4-EFB4634C1923}
Norton Confidential Web Protection Component --> MsiExec.exe /I{D353CC51-430D-4C6F-9B7E-52003DA1E05A}
Norton Internet Security Bonus Pack --> MsiExec.exe /I{D4BB907A-623E-4F07-8787-041ABAE088E4}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Office 2003 Trial Assistant --> MsiExec.exe /I{47D2103B-FD51-4017-9C20-DD408B17D726}
OpenMG Limited Patch 4.3-05-10-05-01 --> C:\Program Files\Common Files\Sony Shared\OpenMG\HotFixes\HotFix4.3-05-10-05-01\HotFixSetup\setup.exe /u
OpenMG Secure Module 4.3.00 -->
OpenMG Secure Module 4.3.00 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{F5E4C38C-73BC-4D44-8BFC-969C2B4DABCA} UNINSTALL
OpenOffice.org 2.1 --> MsiExec.exe /I{43983EB4-43DC-4C3D-9712-1EF592A31CA8}
Orban/Coding Technologies AAC/aacPlus Player Plugin™ 1.0 --> "C:\Program Files\Orban\AAC-aacPlus Plugin\unins000.exe"
PC Connectivity Solution --> MsiExec.exe /I{BA084E7C-8ABA-4670-BDE8-B85E689A5C1B}
PeerGuardian 2.0 --> "C:\Program Files\PeerGuardian2\unins000.exe"
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
Prevx CSI Plus --> "C:\Program Files\PrevxCSI\\prevxcsi.exe" -uninstall
Privacy Eraser Pro --> "C:\Program Files\PrivacyEraser Computing\Privacy Eraser Pro\unins000.exe"
Puzzle Pirates --> C:\Program Files\Three Rings Design\Puzzle Pirates\Uninstall-yohoho.exe
QuickTime --> MsiExec.exe /I{6EC874C2-F950-4B7E-A5B7-B1066D6B74AA}
Real Alternative 1.52 --> "C:\Program Files\Real Alternative\unins000.exe"
Registry Mechanic 7.0 --> "C:\Program Files\Registry Mechanic\unins000.exe"
Roxio DigitalMedia Audio --> MsiExec.exe /I{AB708C9B-97C8-4AC9-899B-DBF226AC9382}
Roxio DigitalMedia Copy --> MsiExec.exe /I{B12665F4-4E93-4AB4-B7FC-37053B524629}
Roxio DigitalMedia Data --> MsiExec.exe /I{075473F5-846A-448B-BCB3-104AA1760205}
SafeGuard® PrivateDisk 1.00.6 - Try and Buy Version --> MsiExec.exe /X{48E9DE14-39D1-4974-91A6-D4E1836F648D}
Sample Exam Questions: ISTQB Certified Tester Foundation Level --> "C:\Program Files\ISTQB Sample Exam Questions\unins000.exe"
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Excel 2007 (KB946974) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Office 2007 (KB934062) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {305D509B-F194-4638-9F0F-D9E4C05F9D33}
Security Update for Office 2007 (KB947801) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Security Update for Outlook 2007 (KB946983) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {66B9496E-C0C3-4065-9868-85CCA92126C3}
Security Update for Publisher 2007 (KB936646) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A32E4BAF-6477-45FA-B8AB-E743FA8D63FF}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for the 2007 Microsoft Office System (KB936960) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5E5BD655-7AA9-47F9-BB6D-A1D8CE29AC86}
Security Update for Visio 2007 (KB947590) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41}
Setting Utility Series --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{59452470-A902-477F-9338-9B88101681BD}\setup.exe" -l0x9 UNINSTALL
SightSpeed (remove only) --> "C:\Program Files\SightSpeed\uninst.exe"
SigmaTel Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SonicStage 3.3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A0EB195B-5876-48E6-879D-33D4B2102610}\setup.exe" -l0x9 UNINSTALL -removeonly
SonicStage Mastering Studio 2.2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BF3B304B-8A18-452D-A19F-6012CA8418D7}\setup.exe" -l0x9
SonicStage Mastering Studio Audio Filter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AB467B85-4F52-48C2-AEED-0673D00417B0}\setup.exe" -l0x9
SonicStage Mastering Studio Audio Filter Custom Preset --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{013E1BA8-C815-4E27-BCB9-D6B1B2E24094}\setup.exe" -l0x9

Offline Clark76

  • Malware Experts
  • Hero Member
  • *****
  • Posts: 553
    • View Profile
    • Clark76.com
Re: Help!!! System infected with Backdoor.Graybird and Backdoor.Trojan
« Reply #6 on: May 01, 2008, 12:56:20 AM »
Quote from: Clark76
Please also list the locations and file names of what Norton is alerting you to.

Please answer this question.

----------------

Do you know what this folder is:

C:\WhatBotsData

----------------

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
        • Scan Mail Bases
    • Click OK & have it scan My Computer
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
    * Turn off the real time scanner of any existing antivirus program while performing the online scan

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
Proud Member of ASAP
Proud Member of UNITE

Offline crazymonet

  • Jr. Member
  • **
  • Posts: 24
    • View Profile
Re: Help!!! System infected with Backdoor.Graybird and Backdoor.Trojan
« Reply #7 on: May 01, 2008, 04:47:20 PM »
Hello Clark76,
Thanks for your reply.

Locations and file names are

Pwdump =
[srv_legacy.dll] inside of [h:\tools\back oriffice\bo2k_1-1-3.zip]
[lsaext.dll] inside od [h:\tools\pwdump3\pwdump3.zip]

There were about 10 such Pwdump issues. More reasons to hate Norton now.
-------------------------------------------------------------------------------------------------------------------------------------------------
H drive is Alcohol 120 virtual  drive which had the image file loaded(Anti-Hacker tool kit) which I was reading. It is perhaps the reference of pwdump in  the material which prompted Norton 360 to throw up the false positives. Am I correct in assuming it is a false positive?

Backdoor.Graybird=
[dream.match.tennis.pro.v1.7x_kegen.exe] inside of [d:\x\dreammatchtennis pro]

Backdoor.Graybird seemed to be the keygen issue. I have deleted the file now.
--------------------------------------------------------------------------------------------------------------------------------------------------
WhatBotsData is the demo version Exam simulator for the ISTQB certification. And as far as I know it is a legit file.

Results of the Kaspersky online scanner


-------------------------------------------------------------------------------
 KASPERSKY ONLINE SCANNER REPORT
 Thursday, May 01, 2008 11:38:40 AM
 Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
 Kaspersky Online Scanner version: 5.0.98.0
 Kaspersky Anti-Virus database last update:  1/05/2008
 Kaspersky Anti-Virus database records: 733591
-------------------------------------------------------------------------------

Scan Settings:
   Scan using the following antivirus database: extended
   Scan Archives: true
   Scan Mail Bases: true

Scan Target - My Computer:
   C:\
   D:\
   E:\
   F:\
   H:\

Scan Statistics:
   Total number of scanned objects: 116155
   Number of viruses found: 2
   Number of infected objects: 3
   Number of suspicious objects: 0
   Duration of the scan process: 03:10:10

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Sony Corporation\SonicStage\Packages\MtData.ldb   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Sony Corporation\SonicStage\Packages\MtData.mdb   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\index.qbs   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\C540764A.TMP   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\CF571889.TMP   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log   Object is locked   skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log   Object is locked   skipped
C:\Documents and Settings\Jasmine\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\Jasmine\ntuser.dat.LOG   Object is locked   skipped
C:\Documents and Settings\LocalService\Cookies\index.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\LocalService\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG   Object is locked   skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG   Object is locked   skipped
C:\Documents and Settings\Peter\Cookies\index.dat   Object is locked   skipped
C:\Documents and Settings\Peter\Local Settings\Application Data\Ahead\Nero Home\bl.db   Object is locked   skipped
C:\Documents and Settings\Peter\Local Settings\Application Data\Ahead\Nero Home\is2.db   Object is locked   skipped
C:\Documents and Settings\Peter\Local Settings\Application Data\Identities\{6E340F95-85A3-4B65-9D81-EC0FAC7B5E3B}\Microsoft\Outlook Express\Folders.dbx   Object is locked   skipped
C:\Documents and Settings\Peter\Local Settings\Application Data\Identities\{6E340F95-85A3-4B65-9D81-EC0FAC7B5E3B}\Microsoft\Outlook Express\Offline.dbx   Object is locked   skipped
C:\Documents and Settings\Peter\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked   skipped
C:\Documents and Settings\Peter\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked   skipped
C:\Documents and Settings\Peter\Local Settings\Application Data\Yahoo\Y!Msgr\merlin.log   Object is locked   skipped
C:\Documents and Settings\Peter\Local Settings\History\History.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\Peter\Local Settings\Temp\Perflib_Perfdata_dd4.dat   Object is locked   skipped
C:\Documents and Settings\Peter\Local Settings\Temp\~DFA76B.tmp   Object is locked   skipped
C:\Documents and Settings\Peter\Local Settings\Temporary Internet Files\Content.IE5\index.dat   Object is locked   skipped
C:\Documents and Settings\Peter\My Documents\Nero-8.1.1.0b_eng_trial.exe/Toolbar.exe   Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm   skipped
C:\Documents and Settings\Peter\My Documents\Nero-8.1.1.0b_eng_trial.exe   7-Zip: infected - 1   skipped
C:\Documents and Settings\Peter\NTUSER.DAT   Object is locked   skipped
C:\Documents and Settings\Peter\ntuser.dat.LOG   Object is locked   skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2008-04-30.22-42-54.log   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\AntiSpam\Log\Spam.log   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\Bonus\Log\Shazam.log   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAD.dat   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWADMT.dat   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAS.dat   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAS.ldb   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log   Object is locked   skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log   Object is locked   skipped
C:\Program Files\Norton 360\Log\AutoProtect.log   Object is locked   skipped
C:\Program Files\Norton 360\Log\AVContext.log   Object is locked   skipped
C:\Program Files\Norton 360\Log\AVManual.log   Object is locked   skipped
C:\Program Files\Norton 360\Log\Backup.log   Object is locked   skipped
C:\Program Files\Norton 360\Log\CUInternetPageViewHistory.log   Object is locked   skipped
C:\Program Files\Norton 360\Log\CUInternetSearchHistory.log   Object is locked   skipped
C:\Program Files\Norton 360\Log\CUInternetTempFiles.log   Object is locked   skipped
C:\Program Files\Norton 360\Log\CUWindowsTempFiles.log   Object is locked   skipped
C:\Program Files\Norton 360\Log\EmailScan.log   Object is locked   skipped
C:\Program Files\Norton 360\Log\InternetSecurity.log   Object is locked   skipped
C:\Program Files\Norton 360\Log\ISIntrusionPrevented.log   Object is locked   skipped
C:\Program Files\Norton 360\Log\ISIOTraffic.log   Object is locked   skipped
C:\Program Files\Norton 360\Log\ISNewNetwork.log   Object is locked   skipped
C:\Program Files\Norton 360\Log\LiveUpdate.log   Object is locked   skipped
C:\Program Files\Norton 360\Log\NCO.log   Object is locked   skipped
C:\Program Files\Norton 360\Log\VABrowserSettings.log   Object is locked   skipped
C:\Program Files\Norton 360\Log\VAIPAddresses.log   Object is locked   skipped
C:\Program Files\Norton 360\Log\VAWeakPasswords.log   Object is locked   skipped
C:\Program Files\Norton 360\Log\WDFScanner.log   Object is locked   skipped
C:\System Volume Information\MountPointManagerRemoteDatabase   Object is locked   skipped
C:\System Volume Information\_restore{E2B26291-978C-4292-BF26-0EE6FE9B36AC}\RP101\A0027008.exe   Infected: not-a-virus:Client-IRC.Win32.mIRC.621   skipped
C:\System Volume Information\_restore{E2B26291-978C-4292-BF26-0EE6FE9B36AC}\RP112\change.log   Object is locked   skipped
C:\WINDOWS\Debug\PASSWD.LOG   Object is locked   skipped
C:\WINDOWS\SchedLgU.Txt   Object is locked   skipped
C:\WINDOWS\SDE54D536.tmp   Object is locked   skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{1056EDE1-4E22-49D5-856D-D8E066907321}.bin   Object is locked   skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log   Object is locked   skipped
C:\WINDOWS\Sti_Trace.log   Object is locked   skipped
C:\WINDOWS\system32\CatRoot2\edb.log   Object is locked   skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb   Object is locked   skipped
C:\WINDOWS\system32\config\AppEvent.Evt   Object is locked   skipped
C:\WINDOWS\system32\config\default   Object is locked   skipped
C:\WINDOWS\system32\config\default.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\Internet.evt   Object is locked   skipped
C:\WINDOWS\system32\config\ODiag.evt   Object is locked   skipped
C:\WINDOWS\system32\config\OSession.evt   Object is locked   skipped
C:\WINDOWS\system32\config\SAM   Object is locked   skipped
C:\WINDOWS\system32\config\SAM.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\SecEvent.Evt   Object is locked   skipped
C:\WINDOWS\system32\config\SECURITY   Object is locked   skipped
C:\WINDOWS\system32\config\SECURITY.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\software   Object is locked   skipped
C:\WINDOWS\system32\config\software.LOG   Object is locked   skipped
C:\WINDOWS\system32\config\SysEvent.Evt   Object is locked   skipped
C:\WINDOWS\system32\config\system   Object is locked   skipped
C:\WINDOWS\system32\config\system.LOG   Object is locked   skipped
C:\WINDOWS\system32\drivers\sptd.sys   Object is locked   skipped
C:\WINDOWS\system32\drivers\sptd6781.sys   Object is locked   skipped
C:\WINDOWS\system32\drivers\vaxscsi.sys   Object is locked   skipped
C:\WINDOWS\system32\h323log.txt   Object is locked   skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA   Object is locked   skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP   Object is locked   skipped
C:\WINDOWS\Temp\a2cache_1521765E.dat   Object is locked   skipped
C:\WINDOWS\Temp\cc40.tmp   Object is locked   skipped
C:\WINDOWS\Temp\cc41.tmp   Object is locked   skipped
C:\WINDOWS\Temp\cc42.tmp   Object is locked   skipped
C:\WINDOWS\Temp\cc43.tmp   Object is locked   skipped
C:\WINDOWS\Temp\JET7B84.tmp   Object is locked   skipped
C:\WINDOWS\Temp\JET7C9C.tmp   Object is locked   skipped
C:\WINDOWS\Temp\JET7E90.tmp   Object is locked   skipped
C:\WINDOWS\Temp\JET8047.tmp   Object is locked   skipped
C:\WINDOWS\wiadebug.log   Object is locked   skipped
C:\WINDOWS\wiaservc.log   Object is locked   skipped
C:\WINDOWS\WindowsUpdate.log   Object is locked   skipped
D:\System Volume Information\MountPointManagerRemoteDatabase   Object is locked   skipped
D:\System Volume Information\_restore{E2B26291-978C-4292-BF26-0EE6FE9B36AC}\RP112\change.log   Object is locked   skipped
D:\VAIO Entertainment\database\MtData.ldb   Object is locked   skipped
D:\VAIO Entertainment\database\MtData.mdb   Object is locked   skipped

Scan process completed.


Thank you once again for pointing me in the right direction. Take care.

Regards




Offline Clark76

  • Malware Experts
  • Hero Member
  • *****
  • Posts: 553
    • View Profile
    • Clark76.com
Re: Help!!! System infected with Backdoor.Graybird and Backdoor.Trojan
« Reply #8 on: May 02, 2008, 02:58:56 AM »
After reviewing both back oriffice and pwdump3 I suggest deleting these two folders:

h:\tools\back oriffice
h:\tools\pwdump3


Delete the following file:

C:\Documents and Settings\Peter\My Documents\Nero-8.1.1.0b_eng_trial.exe

-----------------

I would like for you to run another online scan

Establish an internet connection with Internet Explorer and go here and do the BitDefender online virus scan.
  • Click "I Agree" to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Leave the scanning options at default and  press "Click here to scan" to begin the scan.
  • Please refrain from using the computer until the scan is finished.
  • When the scan is finished, click on "Click here to export the scan results"
  • Save the report to your desktop then come back here and post it in your next reply.
Proud Member of ASAP
Proud Member of UNITE

Offline crazymonet

  • Jr. Member
  • **
  • Posts: 24
    • View Profile
Re: Help!!! System infected with Backdoor.Graybird and Backdoor.Trojan
« Reply #9 on: May 02, 2008, 01:08:18 PM »
Morning Clark76,

Deleted the folders
 
h:\tools\back oriffice
h:\tools\pwdump3

and also

C:\Documents and Settings\Peter\My Documents\Nero-8.1.1.0b_eng_trial.exe

The Bitdefender Online scan report

BitDefender Online Scanner
 
 
 
Scan report generated at: Fri, May 02, 2008 - 13:48:59
 
 
 
 
 
Scan path: C:\;D:\;E:\;F:\;H:\;
 
 
 
Statistics
 
Time
 02:12:51
 
Files
 758103
 
Folders
 13931
 
Boot Sectors
 4
 
Archives
 12495
 
Packed Files
 31598
 
 
   
Results
 
Identified Viruses
 2
 
Infected Files
 5
 
Suspect Files
 1
 
Warnings
 0
 
Disinfected
 0
 
Deleted Files
 6
 
 
 
 
Engines Info
 
Virus Definitions
 1189014
 
Engine build
 AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
 
Scan plugins
 16
 
Archive plugins
 42
 
Unpack plugins
 7
 
E-mail plugins
 6
 
System plugins
 5
 
 
 
 
Scan Settings
 
First Action
 Disinfect
 
Second Action
 Delete
 
Heuristics
 Yes
 
Enable Warnings
 Yes
 
Scanned Extensions
 *;
 
Exclude Extensions
 
 
Scan Emails
 Yes
 
Scan Archives
 Yes
 
Scan Packed
 Yes
 
Scan Files
 Yes
 
Scan Boot
 Yes
 
 
 
 
  Scanned File
  Status
 
C:\Documents and Settings\Peter\My Documents\Ultimate Recovery\Ultimate Recovery CD 2008.iso=>AUTOPLAY/PROGRAMS/RUNTIME..REC/RUNTIME..REC/DISKEXPL.03/V3.03.CRA/NTEXP000.EXE=>(RAR Sfx o)=>NtExplorer.exe
 Infected with: Backdoor.Pcclient.GV
 
C:\Documents and Settings\Peter\My Documents\Ultimate Recovery\Ultimate Recovery CD 2008.iso=>AUTOPLAY/PROGRAMS/RUNTIME..REC/RUNTIME..REC/DISKEXPL.03/V3.03.CRA/NTEXP000.EXE=>(RAR Sfx o)=>NtExplorer.exe
 Deleted
 
C:\Documents and Settings\Peter\My Documents\Ultimate Recovery\Ultimate Recovery CD 2008.iso=>AUTOPLAY/PROGRAMS/RUNTIME..REC/RUNTIME..REC/DISKEXPL.03/V3.03.CRA/NTEXP000.EXE=>(RAR Sfx o)
 Update failed
 
C:\Documents and Settings\Peter\My Documents\Ultimate Recovery\Ultimate Recovery CD 2008.iso=>AUTOPLAY/PROGRAMS/RUNTIME..REC/RUNTIME..REC/DISKEXPL.03/V3.03.CRA/NTEXPLOR.EXE
 Infected with: Backdoor.Pcclient.GV
 
C:\Documents and Settings\Peter\My Documents\Ultimate Recovery\Ultimate Recovery CD 2008.iso=>AUTOPLAY/PROGRAMS/RUNTIME..REC/RUNTIME..REC/DISKEXPL.03/V3.03.CRA/NTEXPLOR.EXE
 Deleted
 
C:\Documents and Settings\Peter\My Documents\Ultimate Recovery\Ultimate Recovery CD 2008.iso
 Update failed
 
C:\Documents and Settings\Peter\My Documents\Ultimate Recovery\Ultimate Recovery CD 2008.iso=>AUTOPLAY/PROGRAMS/RUNTIME..REC/RUNTIME..REC/RAID.REC.03/V3.03.CRA/RAID.EXE
 Infected with: Backdoor.Pcclient.GV
 
C:\Documents and Settings\Peter\My Documents\Ultimate Recovery\Ultimate Recovery CD 2008.iso=>AUTOPLAY/PROGRAMS/RUNTIME..REC/RUNTIME..REC/RAID.REC.03/V3.03.CRA/RAID.EXE
 Deleted
 
C:\Documents and Settings\Peter\My Documents\Ultimate Recovery\Ultimate Recovery CD 2008.iso
 Update failed
 
C:\Program Files\ISP\Wanadoo\preload.EXE=>wise0006
 Suspected of: BehavesLike:Trojan.StartPage
 
C:\Program Files\ISP\Wanadoo\preload.EXE=>wise0006
 Disinfection failed
 
C:\Program Files\ISP\Wanadoo\preload.EXE=>wise0006
 Deleted
 
C:\Program Files\ISP\Wanadoo\preload.EXE
 Update failed
 
D:\Peter\1000_ must_ have_ Tutorials\Tutorials - blacksun.box.sk\coding\Batch File Programming.txt
 Infected with: Trojan.BAT
 
D:\Peter\1000_ must_ have_ Tutorials\Tutorials - blacksun.box.sk\coding\Batch File Programming.txt
 Deleted
 
D:\Peter\Great_Tuts.rar=>Great Tuts\Tutorials - blacksun.box.sk\coding\Batch File Programming.txt
 Infected with: Trojan.BAT
 
D:\Peter\Great_Tuts.rar=>Great Tuts\Tutorials - blacksun.box.sk\coding\Batch File Programming.txt
 Deleted
 
D:\Peter\Great_Tuts.rar
 Update failed
 
 
Thanks for your time and help so far, Clark76. Take care.

Regards
 
 
 
 
 
 
 
 
 

 


Offline Clark76

  • Malware Experts
  • Hero Member
  • *****
  • Posts: 553
    • View Profile
    • Clark76.com
Re: Help!!! System infected with Backdoor.Graybird and Backdoor.Trojan
« Reply #10 on: May 02, 2008, 04:28:57 PM »
Your log looks good :thumbsup:

Lets clear your restore points

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.
-------------

MICROSOFT UPDATES

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to   Microsoft and download all the critical updates to help prevent possible re-infection.

SPYWARE PREVENTION SPEECH

This is a good time to set up protection against further attacks. Read TonyKleins How Did I Get Infected In The First Place?. You need an antivirus that is continually updated, a good firewall, a spyware blocker such as Spyware Blaster, and a real time spyware program such as Spyware Guard, to prevent spyware intrusions. IE-Spyad is another excellent program that places over 4000 websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. All of the above have good free versions available. However, be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

More information and downloads are available at the following links:

Spyware Blaster

Spyware Guard
IE-Spyad

----------------

Happy and safe surfing :)
Proud Member of ASAP
Proud Member of UNITE

Offline crazymonet

  • Jr. Member
  • **
  • Posts: 24
    • View Profile
Re: Help!!! System infected with Backdoor.Graybird and Backdoor.Trojan
« Reply #11 on: May 02, 2008, 08:08:05 PM »
Thanks for that, Clark76 :Hammys pint:.  :gwave: :beer:
You guys are a Godsend. Fab community, I must say.

I have cleared the restored points now and will download the programs that you have suggested. Just cant thank you enough for the time and help you have rendered. Really appreciate it and am very very grateful.

You guys have a safe and wonderful weekend. Take care.

Regards  :mitch:
 :thumbsup:

[attachment deleted by admin]

Offline Clark76

  • Malware Experts
  • Hero Member
  • *****
  • Posts: 553
    • View Profile
    • Clark76.com
Re: Help!!! System infected with Backdoor.Graybird and Backdoor.Trojan
« Reply #12 on: May 02, 2008, 11:32:20 PM »
You are very welcome :D
Proud Member of ASAP
Proud Member of UNITE