Trojan? winupdsvc.exe


Post by Iris on 8th March 2010, 4:25 pm

My computer has been slightly slower than average lately, but I had always thought that it had something to do with the lack of free space on my D drive (on average it has less than 10% free space, approximately 6GB, but my C drive has 49% free space, i.e. almost 13GB). Earlier today I did a full system scan using Trend Micro HouseCall and it informed me that there is a trojan (troj lethic.sma) on my computer. This file, winupdsvc.exe, is identified as the trojan and it is located here: C:\Documents and Settings\LocalService

I then submitted the file to the Kaspersky online file scanner and it told me that the file was infected with Trojan-Downloader.Win32.Refroso.gc.

I'm quite reluctant to remove the winupdsvc.exe file because it might be a false positive. Moreover, there is no visible sign of trojan infection on my computer.

Therefore I hope that you can help me identify whether this is really a trojan and, if that's the case, I hope you can tell me how to remove it.

Here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:03 AM, on 09-Mar-10
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\PSNotes\psn.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\PU Alarm Clock\Puac.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\YzShadow\YzShadow.exe
C:\DOCUME~1\Iris\LOCALS~1\Temp\HouseCall\housecall.bin
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
D:\Workspace\winlogon.scr

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.] LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.] LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.] LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.] LinkId=69157
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [TransBar] C:\Program Files\TransBar\TransBar.exe /s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: E-Flyer.lnk = C:\Program Files\Sony\E-Flyer\E-Flyer.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: E-Flyer.lnk = C:\Program Files\Sony\E-Flyer\E-Flyer.exe (User 'Default user')
O4 - .DEFAULT User Startup: E-Flyer.lnk = C:\Program Files\Sony\E-Flyer\E-Flyer.exe (User 'Default user')
O4 - Startup: Post-it Notes.lnk = C:\Program Files\PSNotes\psn.exe
O4 - Startup: PU Alarm Clock.lnk = C:\Program Files\PU Alarm Clock\Puac.exe
O4 - Startup: Task Manager.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Startup: YzShadow.lnk = C:\Program Files\YzShadow\YzShadow.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: PowerPanel.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://vaio-online.sony.com/
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\Rtvscan.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: services32 update service - Unknown owner - C:\Documents and Settings\Iris\winupdsvc.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

--
End of file - 9661 bytes


Re: Trojan? winupdsvc.exe

Post by Belahzur on 8th March 2010, 4:58 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O23 - Service: services32 update service - Unknown owner - C:\Documents and settings\Iris\winupdsvc.exe (file missing)


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


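A defender's triage of the O23 service lines from the HijackThis log above, written as an added example for this thread (it is not HijackThis code and not something Belahzur posted): it parses each O23 line and weights the three indicators that make the services32 entry stand out, so the stale Adobe entry scores low while winupdsvc.exe scores high. The four sample lines are copied from the log in this thread; the weights and the fix threshold are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Sample input: four O23 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = """\
O23 - Service: DefWatch - Symantec Corporation - C:\\PROGRA~1\\SYMANT~1\\DefWatch.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\\Program Files\\Adobe\\Photoshop Elements 3.0\\PhotoshopElementsFileAgent.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\\WINDOWS\\System32\\Ati2evxx.exe
O23 - Service: services32 update service - Unknown owner - C:\\Documents and Settings\\Iris\\winupdsvc.exe (file missing)
"""

# HijackThis O23 layout: "O23 - Service: <display name> - <company> - <image path> [(file missing)]".
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
FILE_MISSING = " (file missing)"
# Windows XP and Vista+ profile roots; a service image under one of these is the
# strongest single indicator in this example's (assumed) weighting.
USER_PROFILE_RE = re.compile(r"^[A-Za-z]:\\(?:Documents and Settings|Users)\\", re.IGNORECASE)

# Weights and threshold are this example's assumption, not a HijackThis rule.
W_UNKNOWN_OWNER = 1   # no company name in the binary's version resource
W_FILE_MISSING = 1    # image gone (deleted/quarantined) but the service registration persists
W_USER_PROFILE = 3    # image path under a user-writable profile directory
FIX_THRESHOLD = 3     # at or above this, the line is one a helper would ask the user to tick


@dataclass
class ServiceEntry:
    name: str
    owner: str
    path: str
    file_missing: bool
    reasons: list = field(default_factory=list)  # (weight, explanation) pairs

    @property
    def score(self) -> int:
        return sum(w for w, _ in self.reasons)


def parse_o23(line: str):
    """Return a ServiceEntry for an O23 line, or None for any other HijackThis line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    missing = path.endswith(FILE_MISSING)
    if missing:
        path = path[: -len(FILE_MISSING)]
    return ServiceEntry(m.group("name"), m.group("owner"), path, missing)


def triage(entry: ServiceEntry) -> ServiceEntry:
    """Attach weighted reasons. A stale vendor service (unknown owner, file missing,
    but under Program Files) scores low: a leftover registration, not an infection."""
    if entry.owner.strip().lower() == "unknown owner":
        entry.reasons.append((W_UNKNOWN_OWNER, "no company name recorded for the service binary"))
    if entry.file_missing:
        entry.reasons.append((W_FILE_MISSING, "image is absent but the service entry persists"))
    if USER_PROFILE_RE.match(entry.path):
        entry.reasons.append((W_USER_PROFILE, "image lives under a user profile, a user-writable location"))
    return entry


def triage_log(text: str) -> list:
    """Parse every O23 line in a HijackThis log and rank entries, most suspicious first."""
    entries = [e for e in (parse_o23(l) for l in text.splitlines()) if e is not None]
    return sorted((triage(e) for e in entries), key=lambda e: e.score, reverse=True)


def fix_candidates(text: str, threshold: int = FIX_THRESHOLD) -> list:
    """Display names of the services a helper would put under 'Fix checked'."""
    return [e.name for e in triage_log(text) if e.score >= threshold]


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        tail = " (file missing)" if e.file_missing else ""
        print(f"[score {e.score}] {e.name} -> {e.path}{tail}")
        for _, why in e.reasons:
            print("    -", why)
    print("Fix candidates:", fix_candidates(SAMPLE_LOG))
```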



Re: Trojan? winupdsvc.exe

Post by Iris on 8th March 2010, 5:38 pm

Hello and thank you for replying.

I didn't expect there were so many infected files hidden in my computer. Here's the mbam log:

Malwarebytes' Anti-Malware 1.44
Database version: 3838
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

09-Mar-10 1:26:29 AM
mbam-log-2010-03-09 (01-26-29).txt

Scan type: Quick Scan
Objects scanned: 129789
Time elapsed: 10 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\memman.vxd (Rogue.sysCleaner) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\memman.vxd (Rogue.sysCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Iris\Local Settings\Temp\CSM107.tmp (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
C:\Documents and Settings\Iris\Local Settings\Temp\CSM117.tmp (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
C:\Documents and Settings\Iris\Local Settings\Temp\CSM118.tmp (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.


Re: Trojan? winupdsvc.exe

Post by Belahzur on 8th March 2010, 6:52 pm

Hello.

Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.





Re: Trojan? winupdsvc.exe

Post by Iris on 9th March 2010, 5:29 am

I'm sorry for the extremely late reply; it was past midnight when I started this thread so I fell asleep after my previous post.

Here's the log from the file called Extra.txt:

OTL Extras logfile created on: 09-Mar-10 1:14:06 PM - Run 1
OTL by OldTimer - Version 3.1.35.0 Folder = C:\Documents and Settings\Iris\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: dd-MMM-yy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 67.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 27.95 Gb Total Space | 14.69 Gb Free Space | 52.55% Space Free | Partition Type: NTFS
Drive D: | 65.21 Gb Total Space | 13.19 Gb Free Space | 20.22% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ELYANAMAIDIN
Current User Name: Iris
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Program Files\Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\IEPro\MiniDM.exe" = C:\Program Files\IEPro\MiniDM.exe:*:Disabled:MiniDM -- (IE7Pro.com)
"C:\Program Files\uTorrent.exe" = C:\Program Files\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{015C5B35-B678-451C-9AEE-821E8D69621C}_is1" = PeerBlock 1.0.0 (r181)
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{0C826C5B-B131-423A-A229-C71B3CACCD6A}" = CDDRV_Installer
"{0EFC6259-3AD8-4CD2-BC57-D4937AF5CC0E}" = Symantec AntiVirus Client
"{24BC8B57-716C-444F-B46B-A3349B9164C5}_is1" = Aegisub 2.1.7
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java(TM) 6 Update 18
"{27337663-2619-11D4-99DC-0000F49094C7}" = Memory Stick Formatter
"{29A725D7-50B6-33D5-8FAC-239EFC439C96}" = Microsoft .NET Framework 2.0 Service Pack 2 Language Pack - CHT
"{2FC1294D-6831-4423-99EF-8C3288223D87}" = VAIO Comfort Wallpaper
"{2FFE93F0-BB72-4E52-8761-354D1AAA9387}" = Sony Ericsson PC Suite 5.009.00
"{30642CE1-217B-40C0-92E2-6BF849599D9E}" = Network Smart Capture
"{3101CB58-3482-4D21-AF1A-7057FC935355}" = KhalInstallWrapper
"{3147661C-2807-49EC-B971-3B0F23D95018}" = VAIO DeepSea Wallpaper
"{32A3A4F4-B792-11D6-A78A-00B0D0160180}" = Java(TM) SE Development Kit 6 Update 18
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3B24B725-D81F-442D-8CE5-2AF05A4A4CC9}" = Music Visualizer Library 1.4.00
"{4D1D6640-CD43-4AD9-A52F-E48265DB28E0}" = VAIO BrightColor Wallpaper
"{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}" = Sony USB Driver
"{62F33B80-6244-4A70-A233-0DA13B640364}" = OpenMG Secure Module 3.2
"{685BCC47-B8EC-45EC-BBCE-77DF2451502C}" = DVgate Plus
"{6990A2BF-D1D2-11D3-81BC-00609789C908}" = Sony Video Shared Library
"{71D6CE84-B7DC-4166-8E0D-56C1C37BFB5A}" = SonicStage 1.6.00
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{761C9026-14F0-4352-8658-934558272404}" = VAIO Edit Components
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7E20EFE6-E604-48C6-8B39-BA4742F2CDB4}" = Zune Desktop Theme
"{851C67EF-068A-4060-9EF5-2E3DDCD68382}" = Adobe Photoshop Elements 3.0
"{88DA0A52-3372-4803-971A-ADFB961707E8}" = PictureGear Studio 2.0
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{92354E91-92E0-3C7D-A030-936F88E75451}" = Microsoft .NET Framework 3.5 Language Pack SP1 - cht
"{936FADC9-C609-471A-B6F2-A33E2E660D1A}" = Sony Notebook Setup
"{93B80FB1-7A23-11D3-B250-00105A1F4184}" =
"{98E8A2EF-4EAE-43B8-A172-74842B764777}" = InterVideo WinDVD 4
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9E165F73-B2C3-4ABD-A0FE-1D244A57779C}" = VAIO BrightBlue Wallpaper
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A498D9EB-927B-459B-85D6-DD6EF8C2C564}" = erLT
"{AA171A69-F942-40DA-AE3A-EA91026A1CAE}" = VAIO Manual
"{AC76BA86-1033-0000-7760-000000000002}" = Adobe Acrobat 7.0 Professional
"{AC76BA86-7AD7-1033-7B44-A82000000003}" = Adobe Reader 8.2.1
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B6F7DBE7-2FE2-458F-A738-B10832746036}" = Microsoft Reader
"{BB311F54-39D6-4A03-8E18-053D1B2833D7}" = HotKey Utility
"{BF3B304B-8A18-452D-A19F-6012CA8418D7}" = SonicStage Mastering Studio 1.1
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C46A5F24-B91F-477C-B634-DB99A7D7792A}" = TablePCRT
"{C8C8387B-A98B-44E8-807A-1A9B7F51FFDA}" = Blaze Media Pro
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B7}" = WinZip 12.0
"{CE2121C6-C94D-4A73-8EA4-6943F33EE335}" = Picture Package Music Transfer
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D5068583-D569-468B-9755-5FBF5848F46F}" = Sony Picture Utility
"{DA34FE93-5DC5-48E0-ACC8-A5389E05BB51}" = iTunes
"{DCB53CB5-E82D-4F5E-BFE2-CBB200E19BEF}" = PowerPanel
"{DEBACE7E-5DD1-42DB-AFE7-2B60E7CC80A8}" = Microsoft GB18030 Support Package
"{EDFE2E1D-FF41-369C-9F54-86EFA9DB8833}" = Microsoft .NET Framework 3.0 Service Pack 2 Language Pack - CHT
"{EE7EB179-5AA2-4B28-AC92-5CBAAF82BA7F}" = SonicStage Mastering Studio Plugins 1.0
"{EF3D45BB-2260-4008-88EA-492E7744A9DF}" = Sony Utilities DLL
"{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}" = Logitech SetPoint
"Adobe Acrobat 7.0 Professional" = Adobe Acrobat 7.1.0 Professional
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"ATI Display Driver" = ATI Display Driver
"Blaze Media Pro" = Blaze Media Pro
"CCleaner" = CCleaner
"CDisplay_is1" = CDisplay 1.8
"CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_816A104D" = SoftK56 Data Fax
"HijackThis" = HijackThis 2.0.2
"IE7Pro" = IE7Pro
"ie8" = Windows Internet Explorer 8
"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 5.5.1
"LiveUpdate" = LiveUpdate 1.80 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 Language Pack SP1 - cht" = Microsoft .NET Framework 3.5 語言套件 SP1 - 繁體中文
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"mIRC" = mIRC
"MouseSuite98" = Sony USB Mouse
"Mozilla Firefox (3.6)" = Mozilla Firefox (3.6)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"OpenMG HotFix3.2-03-01-16-01" = OpenMG Limited Patch 3.2-03-02-21-08
"OpenMG HotFix3.2-03-01-16-02" = OpenMG Limited Patch 3.2-03-03-18-01
"OpenMG HotFix3.2-03-04-14-02" = OpenMG Limited Patch 3.2-03-04-14-02
"Peter's Ultimate Alarm Clock_is1" = Peter's Ultimate Alarm Clock version 2.0.8
"PROSet" = Intel(R) PRO Network Adapters and Drivers
"psn" = Post-it® Software Notes
"Sony Ericsson Themes Creator" = Sony Ericsson Themes Creator 4.12.2.4
"Tweak UI 2.10" = Tweak UI
"VLC media player" = VLC media player 1.0.5
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XPSEPSCLP" = XML Paper Specification Shared Components Language Pack 1.0
"Yahoo! Messenger" = Yahoo! Messenger
"Youtube Downloader HD_is1" = Youtube Downloader HD v. 1.3

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"TransBar" = TransBar
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 04-Feb-10 12:26:27 AM | Computer Name = ELYANAMAIDIN | Source = MsiInstaller | ID = 11311
Description = Product: Java Auto Updater -- Error 1311.Source file not found(cabinet):
C:\Documents and Settings\Iris\Application Data\Sun\Java\AU\au.cab. Verify that
the file exists and that you can access it.

Error - 04-Feb-10 12:35:07 AM | Computer Name = ELYANAMAIDIN | Source = MsiInstaller | ID = 11311
Description = Product: Java Auto Updater -- Error 1311.Source file not found(cabinet):
C:\Documents and Settings\Iris\Application Data\Sun\Java\AU\au.cab. Verify that
the file exists and that you can access it.

Error - 05-Feb-10 3:14:59 AM | Computer Name = ELYANAMAIDIN | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 05-Feb-10 3:15:06 AM | Computer Name = ELYANAMAIDIN | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.

Error - 07-Feb-10 5:16:13 AM | Computer Name = ELYANAMAIDIN | Source = Application Error | ID = 1000
Description = Faulting application themescreator.exe, version 4.8.0.1, faulting
module themescreator.exe, version 4.8.0.1, fault address 0x000e8e6b.

Error - 07-Feb-10 5:16:17 AM | Computer Name = ELYANAMAIDIN | Source = Application Error | ID = 1001
Description = Fault bucket 1461018446.

Error - 07-Feb-10 5:16:32 AM | Computer Name = ELYANAMAIDIN | Source = Application Error | ID = 1000
Description = Faulting application themescreator.exe, version 4.8.0.1, faulting
module themescreator.exe, version 4.8.0.1, fault address 0x000e8e6b.

Error - 07-Feb-10 5:17:49 AM | Computer Name = ELYANAMAIDIN | Source = Application Error | ID = 1000
Description = Faulting application themescreator.exe, version 4.8.0.1, faulting
module themescreator.exe, version 4.8.0.1, fault address 0x000e8e6b.

Error - 20-Feb-10 4:41:01 AM | Computer Name = ELYANAMAIDIN | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module unknown, version 0.0.0.0, fault address 0x151ec1bc.

Error - 20-Feb-10 4:41:08 AM | Computer Name = ELYANAMAIDIN | Source = Application Error | ID = 1001
Description = Fault bucket 1047920714.

[ System Events ]
Error - 03-Mar-10 7:03:16 PM | Computer Name = ELYANAMAIDIN | Source = Service Control Manager | ID = 7000
Description = The Adobe Active File Monitor service failed to start due to the following
error: %%2

Error - 04-Mar-10 9:35:18 PM | Computer Name = ELYANAMAIDIN | Source = Service Control Manager | ID = 7000
Description = The Adobe Active File Monitor service failed to start due to the following
error: %%2

Error - 05-Mar-10 9:01:47 PM | Computer Name = ELYANAMAIDIN | Source = Service Control Manager | ID = 7000
Description = The Adobe Active File Monitor service failed to start due to the following
error: %%2

Error - 06-Mar-10 3:09:07 AM | Computer Name = ELYANAMAIDIN | Source = Service Control Manager | ID = 7000
Description = The Adobe Active File Monitor service failed to start due to the following
error: %%2

Error - 07-Mar-10 12:50:03 AM | Computer Name = ELYANAMAIDIN | Source = Service Control Manager | ID = 7000
Description = The Adobe Active File Monitor service failed to start due to the following
error: %%2

Error - 07-Mar-10 3:52:28 AM | Computer Name = ELYANAMAIDIN | Source = Service Control Manager | ID = 7000
Description = The Adobe Active File Monitor service failed to start due to the following
error: %%2

Error - 07-Mar-10 8:08:14 AM | Computer Name = ELYANAMAIDIN | Source = Service Control Manager | ID = 7000
Description = The Adobe Active File Monitor service failed to start due to the following
error: %%2

Error - 08-Mar-10 5:11:45 AM | Computer Name = ELYANAMAIDIN | Source = Service Control Manager | ID = 7000
Description = The Adobe Active File Monitor service failed to start due to the following
error: %%2

Error - 08-Mar-10 1:03:53 PM | Computer Name = ELYANAMAIDIN | Source = Service Control Manager | ID = 7000
Description = The Adobe Active File Monitor service failed to start due to the following
error: %%2

Error - 08-Mar-10 1:28:40 PM | Computer Name = ELYANAMAIDIN | Source = Service Control Manager | ID = 7000
Description = The Adobe Active File Monitor service failed to start due to the following
error: %%2


< End of report >

Iris
Novice

Posts: 22
Joined: 2008-12-30
OS: Windows XP Pro SP3
Points: 29143
Likes: 0


Re: Trojan? winupdsvc.exe

Post by Iris on 9th March 2010, 5:30 am

Here's the second log, from the OTL.txt file:

OTL logfile created on: 09-Mar-10 1:14:06 PM - Run 1
OTL by OldTimer - Version 3.1.35.0 Folder = C:\Documents and Settings\Iris\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: dd-MMM-yy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 67.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 27.95 Gb Total Space | 14.69 Gb Free Space | 52.55% Space Free | Partition Type: NTFS
Drive D: | 65.21 Gb Total Space | 13.19 Gb Free Space | 20.22% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ELYANAMAIDIN
Current User Name: Iris
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010-03-09 13:13:09 | 000,554,496 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Iris\Desktop\OTL.exe
PRC - [2010-01-16 11:09:37 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Firefox\firefox.exe
PRC - [2009-07-20 12:30:50 | 000,813,584 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\SetPoint.exe
PRC - [2009-07-10 12:42:32 | 000,055,824 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
PRC - [2008-04-23 02:08:13 | 000,483,328 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
PRC - [2008-04-14 08:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006-11-03 19:20:12 | 000,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2006-11-03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2004-02-27 19:53:30 | 000,347,136 | ---- | M] (Peter's Productions) -- C:\Program Files\PU Alarm Clock\Puac.exe
PRC - [2003-10-10 14:53:20 | 000,675,840 | ---- | M] (3M) -- C:\Program Files\PSNotes\psn.exe
PRC - [2003-06-27 07:00:00 | 000,299,008 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\HotKey Utility\HKWnd.exe
PRC - [2003-06-27 07:00:00 | 000,090,112 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\HotKey Utility\HKServ.exe
PRC - [2003-06-24 01:11:46 | 000,872,448 | ---- | M] (Phoenix Technologies Ltd.) -- C:\Program Files\PowerPanel\Program\PcfMgr.exe
PRC - [2003-06-13 14:52:14 | 000,114,688 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
PRC - [2003-05-21 01:27:46 | 000,610,304 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2003-05-21 01:22:36 | 000,032,768 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2003-05-21 01:21:18 | 000,090,112 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2003-02-26 10:08:42 | 000,045,056 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApntEx.exe
PRC - [2002-09-30 21:09:06 | 000,151,552 | ---- | M] (Y'z@Home) -- C:\Program Files\YzShadow\YzShadow.exe
PRC - [2002-08-21 01:29:26 | 000,040,960 | ---- | M] (Easy Systems Japan Ltd.) -- C:\WINDOWS\system32\ezSP_Px.exe
PRC - [2002-03-15 07:46:58 | 000,045,056 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\ico.exe


========== Modules (SafeList) ==========

MOD - [2010-03-09 13:13:09 | 000,554,496 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Iris\Desktop\OTL.exe
MOD - [2009-07-20 12:29:06 | 000,045,584 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\lgscroll.dll
MOD - [2008-07-25 11:17:20 | 000,635,904 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcr80.dll
MOD - [2002-09-30 21:08:58 | 000,053,248 | ---- | M] () -- C:\Program Files\YzShadow\YzShadow.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (services32 update service)
SRV - File not found [Auto | Stopped] -- -- (AdobeActiveFileMonitor)
SRV - [2009-07-20 12:28:10 | 000,121,360 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2006-11-03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2004-10-04 03:40:50 | 000,118,784 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe -- (PhotoshopElementsDeviceConnect)
SRV - [2003-05-21 01:27:46 | 000,610,304 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Norton AntiVirus Server)
SRV - [2003-05-21 01:22:36 | 000,032,768 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2002-12-25 02:01:22 | 000,065,536 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV)


========== Driver Services (SafeList) ==========

DRV - [2010-03-07 17:00:00 | 001,324,720 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100307.007\NAVEX15.SYS -- (NAVEX15)
DRV - [2010-03-07 17:00:00 | 000,084,912 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100307.007\NAVENG.SYS -- (NAVENG)
DRV - [2009-09-28 02:02:44 | 000,014,424 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\PeerBlock\pbfilter.sys -- (pbfilter)
DRV - [2009-07-26 02:28:00 | 000,073,496 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2009-06-18 00:56:32 | 000,028,560 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LUsbFilt.sys -- (LUsbFilt)
DRV - [2009-06-18 00:56:16 | 000,037,392 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2009-06-18 00:56:06 | 000,035,472 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2009-06-18 00:55:34 | 000,010,384 | ---- | M] (Logitech, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\LBeepKE.sys -- (LBeepKE)
DRV - [2008-05-16 12:33:14 | 000,115,752 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0016unic.sys -- (s0016unic) Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM)
DRV - [2008-05-16 12:33:14 | 000,025,512 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0016nd5.sys -- (s0016nd5) Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS)
DRV - [2008-05-16 12:33:14 | 000,015,016 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0016mdfl.sys -- (s0016mdfl)
DRV - [2008-05-16 12:33:12 | 000,120,744 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0016mdm.sys -- (s0016mdm)
DRV - [2008-05-16 12:33:12 | 000,114,216 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0016mgmt.sys -- (s0016mgmt) Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM)
DRV - [2008-05-16 12:33:12 | 000,110,632 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0016obex.sys -- (s0016obex)
DRV - [2008-05-16 12:33:12 | 000,089,256 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0016bus.sys -- (s0016bus) Sony Ericsson Device 0016 driver (WDM)
DRV - [2003-07-30 21:03:22 | 000,600,576 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2003-06-27 09:05:44 | 000,205,440 | ---- | M] (YAMAHA CORPORATION) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yacxgc.sys -- (WDM_YAMAHAAC97)
DRV - [2003-06-11 04:06:00 | 002,477,952 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w70n51.sys -- (w70n51) Intel(R)
DRV - [2003-06-10 20:35:58 | 000,093,700 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2003-05-02 21:08:22 | 000,030,208 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\Program Files\Symantec AntiVirus\Navapel.sys -- (NAVAPEL)
DRV - [2003-05-02 21:08:18 | 000,224,256 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec AntiVirus\Navap.sys -- (NAVAP)
DRV - [2003-03-13 12:19:00 | 000,164,736 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2003-03-13 12:17:00 | 000,622,592 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003-03-13 12:15:00 | 001,106,944 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2002-11-19 08:20:44 | 000,030,976 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gv3.sys -- (gv3)
DRV - [2002-08-20 10:59:32 | 000,071,961 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SonyPI.sys -- (SPI)
DRV - [2000-12-06 07:18:02 | 000,003,952 | R--- | M] (Sony Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\DMICall.sys -- (DMICall)
DRV - [2000-11-09 18:15:08 | 000,048,896 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SonyNC.sys -- (SNC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [You must be registered and logged in to see this link.] [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "http://www.google.com.my/"
FF - prefs.js..extensions.enabledItems: {a0faa0a4-f1a7-4098-9a74-21efc3a92372}:3.6.2
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20100211.5
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:3.2

FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Firefox\components [2010-02-19 12:30:08 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Firefox\plugins [2010-02-19 12:30:07 | 000,000,000 | ---D | M]

[2009-07-26 15:53:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Iris\Application Data\Mozilla\Extensions
[2010-03-08 17:25:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Iris\Application Data\Mozilla\Firefox\Profiles\svdcccgs.default\extensions
[2010-02-19 13:41:17 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Iris\Application Data\Mozilla\Firefox\Profiles\svdcccgs.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010-03-03 21:07:45 | 000,000,000 | ---D | M] (DictionarySearch) -- C:\Documents and Settings\Iris\Application Data\Mozilla\Firefox\Profiles\svdcccgs.default\extensions\{a0faa0a4-f1a7-4098-9a74-21efc3a92372}
[2010-02-19 13:41:17 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Iris\Application Data\Mozilla\Firefox\Profiles\svdcccgs.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010-02-13 00:04:40 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Documents and Settings\Iris\Application Data\Mozilla\Firefox\Profiles\svdcccgs.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2010-02-19 12:34:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Iris\Application Data\Mozilla\Firefox\Profiles\svdcccgs.default\extensions\kempelton-fx@arvidaxelsson.se

O1 HOSTS File: ([2002-08-29 20:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (IE7Pro BHO) - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\IEPro.dll (IE7Pro.com)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 7.0] C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [ATIModeChange] C:\WINDOWS\System32\Ati2mdxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe (Easy Systems Japan Ltd.)
O4 - HKLM..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKServ.exe (Sony Corporation)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [Mouse Suite 98 Daemon] C:\WINDOWS\System32\ico.exe (Primax Electronics Ltd.)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [TransBar] C:\Program Files\TransBar\TransBar.exe (AKSoftware)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe (Phoenix Technologies Ltd.)
O4 - Startup: C:\Documents and Settings\Iris\Start Menu\Programs\Startup\Post-it Notes.lnk = C:\Program Files\PSNotes\psn.exe (3M)
O4 - Startup: C:\Documents and Settings\Iris\Start Menu\Programs\Startup\PU Alarm Clock.lnk = C:\Program Files\PU Alarm Clock\Puac.exe (Peter's Productions)
O4 - Startup: C:\Documents and Settings\Iris\Start Menu\Programs\Startup\YzShadow.lnk = C:\Program Files\YzShadow\YzShadow.exe (Y'z@Home)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O9 - Extra Button: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\IEPro.dll (IE7Pro.com)
O9 - Extra 'Tools' menuitem : IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\IEPro.dll (IE7Pro.com)
O9 - Extra Button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\IEPro.dll (IE7Pro.com)
O9 - Extra 'Tools' menuitem : IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\IEPro.dll (IE7Pro.com)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} [You must be registered and logged in to see this link.] (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} [You must be registered and logged in to see this link.] (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_18)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: DirectAnimation Java Classes [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll ()
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\System32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll ()
O24 - Desktop WallPaper: C:\Documents and Settings\Iris\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Iris\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2003-08-16 06:37:34 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010-03-09 13:12:53 | 000,554,496 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Iris\Desktop\OTL.exe
[2010-03-09 01:09:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Iris\Application Data\Malwarebytes
[2010-03-09 01:09:37 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010-03-09 01:09:35 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010-03-09 01:09:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010-03-09 01:09:34 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes Anti-Malware
[2010-03-07 02:21:39 | 000,000,000 | ---D | C] -- C:\Program Files\PU Alarm Clock
[2010-03-07 01:50:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Iris\Local Settings\Application Data\Abelssoft
[2010-03-03 21:22:45 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Iris\Recent
[2010-02-25 13:43:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Iris\Local Settings\Application Data\Sony Ericsson
[2010-02-25 00:45:24 | 000,000,000 | ---D | C] -- D:\My Documents\Iris\Downloads
[2010-02-23 13:45:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Iris\Application Data\vlc
[2010-02-23 13:44:28 | 000,000,000 | ---D | C] -- C:\Program Files\VideoLan
[2010-02-23 07:12:01 | 000,000,000 | ---D | C] -- C:\Program Files\mIRC
[2010-02-23 07:12:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Iris\Application Data\mIRC
[2010-02-08 15:29:05 | 000,000,000 | ---D | C] -- C:\Program Files\Themes Creator
[2009-09-09 22:08:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009-08-13 16:30:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2009-08-13 16:27:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\IEPro
[2009-08-13 16:27:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2009-08-13 16:27:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009-07-28 09:05:00 | 000,148,736 | ---- | C] (Avanquest Software) -- C:\Documents and Settings\All Users\Application Data\hpe177.dll
[2009-07-26 23:43:57 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009-07-26 22:45:12 | 000,288,048 | ---- | C] (BitTorrent, Inc.) -- C:\Program Files\uTorrent.exe
[2003-08-16 06:37:02 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010-03-09 13:13:19 | 007,340,032 | -H-- | M] () -- C:\Documents and Settings\Iris\NTUSER.DAT
[2010-03-09 13:13:09 | 000,554,496 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Iris\Desktop\OTL.exe
[2010-03-09 01:31:44 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010-03-09 01:28:53 | 000,001,409 | ---- | M] () -- C:\WINDOWS\System32\Postin__.FOT
[2010-03-09 01:28:38 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010-03-09 01:28:36 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010-03-09 01:28:34 | 2146,488,320 | -HS- | M] () -- C:\hiberfil.sys
[2010-03-09 01:27:40 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Iris\ntuser.ini
[2010-03-09 01:09:40 | 000,000,699 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010-03-07 18:20:09 | 000,103,424 | ---- | M] () -- C:\Documents and Settings\Iris\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010-03-07 17:04:45 | 000,000,524 | ---- | M] () -- C:\Documents and Settings\Iris\Desktop\Turn Off Screen.lnk
[2010-03-07 16:56:43 | 000,038,912 | ---- | M] () -- C:\Program Files\wizmo.exe
[2010-03-07 16:40:41 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Iris\Local Settings\Application Data\housecall.guid.cache
[2010-03-07 02:21:39 | 000,000,656 | ---- | M] () -- C:\Documents and Settings\Iris\Start Menu\Programs\Startup\PU Alarm Clock.lnk
[2010-03-06 22:40:59 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010-03-04 21:54:01 | 000,003,580 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010-02-24 09:16:06 | 000,181,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010-02-24 03:06:21 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010-02-22 01:48:54 | 000,000,573 | ---- | M] () -- C:\WINDOWS\win.ini
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010-03-09 01:09:40 | 000,000,699 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010-03-07 17:00:29 | 000,000,524 | ---- | C] () -- C:\Documents and Settings\Iris\Desktop\Turn Off Screen.lnk
[2010-03-07 16:56:36 | 000,038,912 | ---- | C] () -- C:\Program Files\wizmo.exe
[2010-03-07 16:40:41 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Iris\Local Settings\Application Data\housecall.guid.cache
[2010-03-07 02:21:39 | 000,000,656 | ---- | C] () -- C:\Documents and Settings\Iris\Start Menu\Programs\Startup\PU Alarm Clock.lnk
[2010-02-10 06:29:44 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2010-02-06 06:38:34 | 000,749,696 | ---- | C] () -- C:\Documents and Settings\Iris\Application Data\8d51356f4bb435f1b6f84a242a76b34c-i686.cache-2
[2009-12-18 04:40:36 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2009-12-18 04:40:33 | 002,378,752 | ---- | C] () -- C:\WINDOWS\System32\x264vfw.dll
[2009-12-18 04:40:16 | 000,881,664 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009-12-18 04:40:16 | 000,205,824 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009-12-18 04:40:14 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2009-12-18 04:40:08 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009-12-18 04:40:08 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009-10-03 14:32:31 | 000,178,176 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009-07-28 12:08:56 | 000,003,654 | ---- | C] () -- C:\WINDOWS\System32\drivers\Sonyhcp.dll
[2009-07-27 00:33:00 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009-07-26 02:39:21 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2009-07-24 04:21:52 | 000,103,424 | ---- | C] () -- C:\Documents and Settings\Iris\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009-07-10 13:39:00 | 000,350,720 | ---- | C] () -- C:\Program Files\Hjsplit.exe
[2009-01-05 15:44:10 | 000,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
[2005-10-03 14:57:18 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2005-01-19 12:18:52 | 000,323,584 | ---- | C] () -- C:\WINDOWS\System32\FoxImager.dll
[2004-10-06 06:37:20 | 000,258,048 | ---- | C] () -- C:\WINDOWS\System32\Manipulate.dll
[2004-05-20 23:50:14 | 001,537,536 | ---- | C] () -- C:\WINDOWS\System32\erdmpg-hi.dll
[2004-02-02 03:21:56 | 000,097,280 | ---- | C] () -- C:\WINDOWS\System32\Uncommon.dll
[2003-09-04 02:55:44 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll
[2003-09-04 02:53:35 | 000,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2003-08-19 09:57:54 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2003-08-19 09:25:40 | 000,262,416 | ---- | C] () -- C:\WINDOWS\System32\ASFV2.DLL
[2003-08-19 09:22:52 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\TDI-SonyOMG.dll
[2003-08-19 09:22:07 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\Cpuinf32.dll
[2003-08-19 09:12:49 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PcfEdit.INI
[2003-08-19 09:08:22 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003-08-16 06:37:52 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003-08-16 06:22:51 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2003-08-16 06:22:50 | 000,003,692 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2003-08-08 03:01:50 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2003-05-21 01:19:00 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\NavLogon.dll
[2002-11-24 20:40:36 | 000,046,080 | ---- | C] () -- C:\WINDOWS\System32\ac3encode.dll
< End of report >

Iris
Novice

Posts: 22
Joined: 2008-12-30
OS: Windows XP Pro SP3
Points: 29143
Likes: 0


Re: Trojan? winupdsvc.exe

Post by Belahzur on 9th March 2010, 3:18 pm

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :OTL
    SRV - File not found [Disabled | Stopped] -- -- (services32 update service)
    SRV - File not found [Auto | Stopped] -- -- (AdobeActiveFileMonitor)
    O4 - HKLM..\Run: [] File not found



  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64
Points: 245111
Likes: 1

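As an added example (my own code, not part of this thread and not the OTL tool's own code), the parser below reads the SRV and O4 lines of an OTL report in the shape of the one Iris posted above, separates the entries OTL itself marked "File not found" from the ones it could resolve, and renders the orphans in the same :OTL custom-fix block shape Belahzur used in his reply. The sample log lines are constructed for the example (three of them mirror the entries in the thread); the Entry record and the function names are mine.

```python
"""Parse OTL (OldTimer's) SRV / O4 log lines and flag orphaned autostart entries.

Added example, not the OTL tool's code. The sample below is constructed in the
shape OTL prints; it is not a real log.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: two leftover service registrations, one healthy service,
# one empty Run value and two normal Run values.
SAMPLE_OTL_LOG = r"""
========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (services32 update service)
SRV - File not found [Auto | Stopped] -- -- (AdobeActiveFileMonitor)
SRV - [2006-11-03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)

========== Standard Registry (SafeList) ==========

O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [TransBar] C:\Program Files\TransBar\TransBar.exe (AKSoftware)
"""

# Service entry whose binary OTL could not locate on disk.
SRV_ORPHAN = re.compile(
    r"^SRV - File not found \[(?P<start>[^|\]]+) \| (?P<state>[^\]]+)\] -- -- \((?P<name>.+)\)$"
)
# Service entry with file metadata, company, start mode/state, path and service name.
SRV_FOUND = re.compile(
    r"^SRV - \[(?P<meta>[^\]]+)\] \((?P<company>[^)]*)\) "
    r"\[(?P<start>[^|\]]+) \| (?P<state>[^\]]+)\] -- (?P<path>.+?) -- \((?P<name>.+)\)$"
)
# Run-key autostart: hive, value name in brackets, then either a target path
# (optionally followed by the company in parentheses) or "File not found".
O4_RUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<rest>.+)$")
O4_TARGET = re.compile(r"^(?P<path>.+?)(?: \((?P<company>[^)]*)\))?$")


@dataclass
class Entry:
    kind: str               # "SRV" (service) or "O4" (Run-key autostart)
    name: str               # service name, or the Run value name ("" when empty)
    path: Optional[str]     # on-disk target; None when OTL reported it missing
    company: Optional[str]  # company OTL read from the file's version info, if any
    start: Optional[str]    # service start mode (Auto/On_Demand/Disabled) or the hive for O4
    orphan: bool            # True when OTL printed "File not found"
    raw: str                # the original log line, reused verbatim in the fix block


def parse_otl(text: str) -> List[Entry]:
    """Turn the SRV and O4 lines of an OTL report into Entry records; other lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SRV_ORPHAN.match(line)
        if m:
            entries.append(Entry("SRV", m["name"], None, None, m["start"], True, line))
            continue
        m = SRV_FOUND.match(line)
        if m:
            entries.append(Entry("SRV", m["name"], m["path"], m["company"] or None, m["start"], False, line))
            continue
        m = O4_RUN.match(line)
        if m:
            if m["rest"] == "File not found":
                entries.append(Entry("O4", m["value"], None, None, m["hive"], True, line))
            else:
                t = O4_TARGET.match(m["rest"])
                entries.append(Entry("O4", m["value"], t["path"], t["company"], m["hive"], False, line))
    return entries


def find_orphans(entries: List[Entry]) -> List[Entry]:
    """Entries whose target is gone: leftover service registrations and empty Run values."""
    return [e for e in entries if e.orphan]


def build_fix_script(entries: List[Entry]) -> str:
    """Render the orphans as an OTL custom-fix block: the ':OTL' header, then the raw lines."""
    return "\n".join([":OTL"] + [e.raw for e in find_orphans(entries)])


if __name__ == "__main__":
    print(build_fix_script(parse_otl(SAMPLE_OTL_LOG)))
```

The script only lists what OTL itself could not resolve; whether an entry is safe to delete is still the helper's call. Here the two services are registrations with no binary behind them (AdobeActiveFileMonitor is the same service whose Event ID 7000 "failed to start ... error: %%2" messages fill the System Events section above; Windows error 2 is "file not found"), and the unnamed Run value points at nothing, which is why all three were selected for the fix.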

Re: Trojan? winupdsvc.exe

Post by Iris on 9th March 2010, 5:13 pm

Here's the log:

========== OTL ==========
Service services32 update service stopped successfully!
Service services32 update service deleted successfully!
Service AdobeActiveFileMonitor stopped successfully!
Service AdobeActiveFileMonitor deleted successfully!
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.

OTL by OldTimer - Version 3.1.35.0 log created on 03102010_011234


Re: Trojan? winupdsvc.exe

Post by Belahzur on 9th March 2010, 7:29 pm

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.



Re: Trojan? winupdsvc.exe

Post by Iris on 9th March 2010, 7:56 pm

Here's the log:

Malwarebytes' Anti-Malware 1.44
Database version: 3842
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10-Mar-10 3:55:20 AM
mbam-log-2010-03-10 (03-55-20).txt

Scan type: Quick Scan
Objects scanned: 130339
Time elapsed: 10 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: Trojan? winupdsvc.exe

Post by Belahzur on 10th March 2010, 12:26 am

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Adobe Reader 8.2.1
    µTorrent

Then download and install [You must be registered and logged in to see this link.]

To remove all of the tools we used and the files and folders they created do the following:
Double click OTL.exe.

  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
How is the machine running now?



Re: Trojan? winupdsvc.exe

Post by Iris on 10th March 2010, 3:52 pm

Thank you for your help, I think my computer is running at its normal speed now.

I have a question, do I need to remove the winupdsvc.exe (see my first post in this thread for details) file since both Kaspersky and Trend Micro identified it as a trojan? Moreover that file still exists in C:\Documents and Settings\LocalService folder.


Re: Trojan? winupdsvc.exe

Post by Belahzur on 10th March 2010, 10:07 pm

Yes, have Kaspersky remove it.



Re: Trojan? winupdsvc.exe

Post by Iris on 11th March 2010, 6:25 pm

Kaspersky Online Scanner was unavailable, so I used Trend Micro's Housecall. The only action available from Housecall was to 'Fix' the file, which I did. I think Housecall may have removed the winupdsvc.exe because it's no longer in the C:\Documents and Settings\LocalService folder.


Re: Trojan? winupdsvc.exe

Post by Belahzur on 11th March 2010, 9:09 pm

Okay, good. This should be fine now.



Re: Trojan? winupdsvc.exe

Post by Iris on 12th March 2010, 5:31 pm

Thank you very much for helping me clean my computer.

Thank You!
