1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Solved Recovering from Antispyware attack

Discussion in 'Malware and Virus Removal Archive' started by Daanii, 2010/05/28.

  1. 2010/05/28
    Daanii

    Daanii Well-Known Member Thread Starter

    Joined:
    2002/04/04
    Messages:
    341
    Likes Received:
    2
    [Resolved] Recovering from Antispyware attack

    My wife's computer was attacked by the Antispyware virus. We got it stopped, but probably not eradicated. Here are the results from DDS.


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Noriko at 10:31:48.44 on Fri 05/28/2010
    Internet Explorer: 8.0.6001.18904
    Microsoft® Windows Vistaâ„¢ Home Premium 6.0.6001.1.1252.1.1033.18.3062.1510 [GMT -7:00]

    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Sony\ISB Utility\ISBMgr.exe
    C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
    C:\Program Files\Sony\VAIO Wireless Wizard\AutoLaunchWLASU.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
    C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    C:\Program Files\CDBurnerXP\NMSAccessU.exe
    C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\PSIService.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Seagate\Seagate Dashboard\MemeoDashboard.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
    C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe
    C:\Windows\system32\igfxext.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\System32\mobsync.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Apoint\ApMsgFwd.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Windows\system32\conime.exe
    C:\Program Files\Memeo\AutoBackup\InstantBackup.exe
    C:\Program Files\Memeo\AutoBackup\MemeoUpdater.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\Noriko\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://www.yahoo.com
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride = <local>
    mURLSearchHooks: Isohunt-vuze Toolbar: {6c3a1de1-94ca-4ad6-acdf-c1324adc487b} - c:\program files\isohunt-vuze\tbIsoh.dll
    mURLSearchHooks: H - No File
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Isohunt-vuze Toolbar: {6c3a1de1-94ca-4ad6-acdf-c1324adc487b} - c:\program files\isohunt-vuze\tbIsoh.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: Isohunt-vuze Toolbar: {6c3a1de1-94ca-4ad6-acdf-c1324adc487b} - c:\program files\isohunt-vuze\tbIsoh.dll
    TB: Veoh Video Compass: {52836eb0-631a-47b1-94a6-61f9d9112dae} - c:\program files\veoh networks\veoh video compass\SearchRecsPlugin.dll
    TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
    TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe "
    uRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [Apoint] c:\program files\apoint\Apoint.exe
    mRun: [ISBMgr.exe] "c:\program files\sony\isb utility\ISBMgr.exe "
    mRun: [VAIOMyMemCenter] "c:\program files\sony\vaio my memory center\VAIO MyMemCenter.exe" 1
    mRun: [VWLASU] "c:\program files\sony\vaio wireless wizard\AutoLaunchWLASU.exe "
    mRun: [VAIO Help and Support Demo] "c:\program files\sony\vaio help and support demo\LaunchVHSD.exe "
    mRun: [VAIORegistration] "c:\program files\sony\first experience\WelcomeLauncher.exe "
    mRun: [VAIOSurvey] c:\program files\sony\vaio survey\Vista VAIO Survey.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [EverioService] "c:\program files\cyberlink\pcm4everio\EverioService.exe "
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe "
    mRun: [Memeo Instant Backup] c:\program files\memeo\autobackup\MemeoLauncher2.exe --silent --no_ui
    mRun: [Seagate Dashboard] c:\program files\seagate\seagate dashboard\MemeoLauncher.exe --silent --no_ui
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\aolddi.lnk - c:\ddi\AOLICON.exe
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}
    IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}
    DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo1.walgreens.com/WalgreensActivia.cab
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/VistaMSNPUplden-us.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: igfxcui - igfxdev.dll
    Notify: VESWinlogon - VESWinlogon.dll
    AppInit_DLLs: c:\windows\system32\avgrsstx.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\noriko\appdata\roaming\mozilla\firefox\profiles\zk5s620o.default\
    FF - prefs.js: browser.startup.homepage - hxxp://sankei.jp.msn.com/
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\pandora.tv\launcher\npmini.dll
    FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
    FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.use_native_popup_windows ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.enable_click_image_resizing ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "accessibility.browsewithcaret_shortcut.enabled ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "javascript.options.mem.high_water_mark ", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "javascript.options.mem.gc_frequency ", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.trackpoint_hack.enabled ", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.debug ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.agedWeight ", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.bucketSize ", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.maxTimeGroupings ", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.timeGroupingSize ", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.boundaryWeight ", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.prefixWeight ", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "html5.enable ", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref ", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.renego_unrestricted_hosts ", " ");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.treat_unsafe_negotiation_as_broken ", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.require_safe_negotiation ", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl3.rsa_seed_sha ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "app.update.download.backgroundInterval ", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "app.update.url.manual ", "http://www.firefox.com ");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-ja ", "mozff ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add ", "addons.mozilla.org ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add.36 ", "getpersonas.com ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "lightweightThemes.update.enabled ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.allTabs.previews ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "plugins.hide_infobar_for_outdated_plugin ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "toolbar.customization.usesheet ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.enable ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.max ", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.cachetime ", 20);

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-7 216200]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-7 29512]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-7 242896]
    R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-12 916760]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-12 308064]
    R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\memeo\autobackup\MemeoBackgroundService.exe [2010-4-22 25824]
    R2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\sony ericsson\sony ericsson pc suite\SupServ.exe [2010-2-27 90112]
    R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
    R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\seagate\seagate dashboard\SeagateDashboardService.exe [2010-4-30 14088]
    R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2009-8-31 27632]
    R3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [2008-3-31 9344]
    R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2008-3-31 812544]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-20 135664]
    S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2009-8-31 89256]
    S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2009-8-31 15016]
    S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2009-8-31 120744]
    S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [2009-8-31 114216]
    S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [2009-8-31 25512]
    S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [2009-8-31 110632]
    S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [2009-8-31 115752]
    S3 SOHCImp;VAIO Media plus Content Importer;c:\program files\sony\vaio media plus\SOHCImp.exe [2008-4-29 104288]
    S3 SOHDms;VAIO Media plus Digital Media Server;c:\program files\sony\vaio media plus\SOHDms.exe [2008-4-29 350048]
    S3 SOHDs;VAIO Media plus Device Searcher;c:\program files\sony\vaio media plus\SOHDs.exe [2008-4-29 63328]
    S3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\sony\vcm intelligent analyzing manager\VcmIAlzMgr.exe [2008-3-31 333088]
    S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\common files\sony shared\vcmxml\VcmXmlIfHelper.exe [2008-3-31 87328]

    =============== Created Last 30 ================

    2010-05-28 07:44:10 0 d-----w- c:\program files\Trend Micro
    2010-05-28 07:36:41 0 d-sh--w- C:\$RECYCLE.BIN
    2010-05-28 07:24:07 98816 ----a-w- c:\windows\sed.exe
    2010-05-28 07:24:07 77312 ----a-w- c:\windows\MBR.exe
    2010-05-28 07:24:07 256512 ----a-w- c:\windows\PEV.exe
    2010-05-28 07:24:07 161792 ----a-w- c:\windows\SWREG.exe
    2010-05-28 07:24:02 0 d-----w- C:\ComboFix
    2010-05-26 13:46:01 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-05-25 02:14:03 0 d-----w- c:\users\noriko\appdata\roaming\GetRightToGo
    2010-05-25 01:30:22 0 d-----w- c:\program files\JRE
    2010-05-24 23:48:53 0 d-----w- c:\users\noriko\appdata\roaming\Memeo
    2010-05-24 23:48:34 0 d-----w- c:\users\noriko\appdata\roaming\Seagate
    2010-05-24 23:48:17 0 d-----w- c:\program files\common files\Memeo
    2010-05-24 23:48:13 0 d-----w- c:\program files\Memeo
    2010-05-24 23:47:02 0 d-----w- c:\program files\Seagate
    2010-05-13 00:41:06 0 d-----w- c:\program files\Plato DVD Ripper Professional
    2010-05-12 14:26:15 738304 ----a-w- c:\windows\system32\inetcomm.dll

    ==================== Find3M ====================

    2010-04-26 20:09:26 0 ----a-w- c:\users\noriko\appdata\roaming\CopyToGo.dat
    2010-04-21 15:45:15 86016 ----a-w- c:\windows\inf\infstor.dat
    2010-04-21 15:45:15 51200 ----a-w- c:\windows\inf\infpub.dat
    2010-04-21 15:45:15 143360 ----a-w- c:\windows\inf\infstrng.dat
    2010-04-20 16:20:42 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-04-19 15:24:58 3452 ----a-w- c:\windows\system32\KGyGaAvL.sys
    2010-03-12 17:54:00 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-03-05 14:01:02 420352 ----a-w- c:\windows\system32\vbscript.dll
    2008-10-14 00:15:07 665600 ----a-w- c:\windows\inf\drvindex.dat
    2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2010-02-24 02:24:38 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\cookies\index.dat
    2010-02-24 02:24:38 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\history\history.ie5\index.dat
    2010-02-24 02:24:38 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\temp\temporary internet files\content.ie5\index.dat
    2010-01-31 18:34:58 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
    2009-10-15 19:14:47 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
    2010-01-29 00:05:38 88 --sh--r- c:\windows\system32\6553A2785D.sys

    ============= FINISH: 10:34:00.71 ===============


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft® Windows Vistaâ„¢ Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 10/13/2008 3:00:52 PM
    System Uptime: 5/28/2010 12:39:29 AM (10 hours ago)

    Motherboard: Sony Corporation | | VAIO
    Processor: Intel(R) Core(TM)2 Duo CPU T5750 @ 2.00GHz | N/A | 2000/167mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 225 GiB total, 49.378 GiB free.
    D: is Removable
    E: is Removable
    F: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP742: 5/24/2010 6:24:13 PM - Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
    RP743: 5/24/2010 6:25:37 PM - Installed OpenOffice.org 3.2
    RP744: 5/26/2010 8:06:17 AM - Scheduled Checkpoint
    RP745: 5/27/2010 6:19:11 AM - Windows Update
    RP746: 5/28/2010 12:43:14 AM - Installed HiJackThis

    ==== Installed Programs ======================


    AAC Decoder
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.1.4
    Advertising Center
    Age of Empires III
    Age of Empires III - The Asian Dynasties
    Age of Empires III - The WarChiefs
    Alps Pointing-device for VAIO
    Any Video Converter 2.7.1
    Apple Software Update
    Ask Toolbar
    Æ’tÆ’HÆ’gEÆ’iÆ’rÆ’Q[Æ’^[1.5
    AutoUpdate
    Avanquest update
    AVG Free 9.0
    AVS Update Manager 1.0
    AVS Video Converter 6
    AVS4YOU Software Navigator 1.3
    Canon MF4360-4390
    CDBurnerXP
    Click to Disc
    Click to Disc Editor
    Compatibility Pack for the 2007 Office system
    Corel DVD Copy 6
    Corel Paint Shop Pro Photo X2
    DivX Codec
    DivX Converter
    DivX Player
    DivX Plus DirectShow Filters
    DivX Version Checker
    DivX Web Player
    DVD Copy
    ffdshow [rev 2083] [2008-08-21]
    Free 3GP Video Converter version 3.2
    Google Chrome
    Google Earth
    Google Update Helper
    H.264 Decoder
    HDAUDIO SoftV92 Data Fax Modem with SmartCP
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Intel(R) Graphics Media Accelerator Driver
    Isohunt-vuze Toolbar
    Japanese Fonts Support For Adobe Reader 8
    Java Auto Updater
    Java(TM) 6 Update 18
    Java(TM) 6 Update 7
    Java(TM) SE Runtime Environment 6
    KeyHoleTV
    LimeWire 5.2.13
    Malwarebytes' Anti-Malware
    MapleStory
    Memeo Instant Backup
    Microsoft .NET Framework 3.5 SP1
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    MKV Splitter
    Mozilla Firefox (3.6.3)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    Napster
    Napster Burn Engine
    Nero 9 Essentials
    Nero ControlCenter
    Nero Installer
    Nero Online Upgrade
    Nero StartSmart
    Nero StartSmart OEM
    neroxml
    OpenMG Secure Module 5.0.00
    OpenOffice.org 3.2
    Pando Media Booster
    PANDORATV LIVE
    Plato DVD Ripper Professional 6.66.14
    Player
    PowerCinema NE for Everio
    PowerDirector Express
    PowerProducer
    QuickTime
    Realtek High Definition Audio Driver
    Roxio Easy Media Creator 10 LJ
    Seagate Dashboard
    Security Update for CAPICOM (KB931906)
    Setting Utility Series
    SonicStage Mastering Studio Audio Filter Custom Preset
    Sony Ericsson Media Manager 1.2
    Sony Ericsson PC Suite 6.009.00
    Sony Video Shared Library
    Spelling Dictionaries Support For Adobe Reader 8
    SupportSoft Assisted Service
    TI Connect 1.6
    Uninstall 1.0.0.1
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    VAIO Content Folder Setting
    VAIO Content Metadata Intelligent Analyzing Manager
    VAIO Content Metadata Manager Setting
    VAIO Content Metadata XML Interface Library
    VAIO Control Center
    VAIO DVD Menu Data Basic
    VAIO Entertainment Platform
    VAIO Event Service
    VAIO Help and Support
    VAIO Launcher
    VAIO Media plus
    VAIO Movie Story
    VAIO Movie Story Template Data
    VAIO MusicBox
    VAIO MusicBox Sample Music
    VAIO My Memory Center
    VAIO OOBE and Welcome Center
    VAIO Original Function Setting
    VAIO Power Management
    VAIO Startup Assistant
    VAIO Survey
    VAIO Update 3
    VAIO Wallpaper Contents
    VAIO Wireless Wizard
    VC80CRTRedist - 8.0.50727.762
    Veoh Video Compass
    Veoh Web Player Beta
    Vuze
    WildTangent Games
    Windows Live installer
    Windows Live Sign-in Assistant
    WinDVD for VAIO
    Xvid 1.1.3 final uninstall
    Yahoo! Toolbar

    ==== Event Viewer Messages From Past Week ========

    5/28/2010 12:25:13 AM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    5/28/2010 12:25:12 AM, Error: Service Control Manager [7034] - The Sony Ericsson OMSI download service service terminated unexpectedly. It has done this 1 time(s).
    5/28/2010 12:24:55 AM, Error: Service Control Manager [7034] - The XAudioService service terminated unexpectedly. It has done this 1 time(s).
    5/27/2010 11:45:21 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX DfsC DMICall NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr tdx Wanarpv6
    5/27/2010 11:45:21 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    5/27/2010 11:45:21 PM, Error: Service Control Manager [7001] - The Windows Media Center Extender Service service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
    5/27/2010 11:45:21 PM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    5/27/2010 11:45:21 PM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
    5/27/2010 11:45:21 PM, Error: Service Control Manager [7001] - The VAIO Entertainment File Import Service service depends on the VAIO Entertainment Database Service service which failed to start because of the following error: The dependency service or group failed to start.
    5/27/2010 11:45:21 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    5/27/2010 11:45:21 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    5/27/2010 11:45:21 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    5/27/2010 11:45:21 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    5/27/2010 11:45:21 PM, Error: Service Control Manager [7001] - The PnP-X IP Bus Enumerator service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
    5/27/2010 11:45:21 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
    5/27/2010 11:45:21 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    5/27/2010 11:45:21 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    5/27/2010 11:45:21 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    5/27/2010 11:45:21 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    5/27/2010 11:45:21 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    5/27/2010 11:45:21 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    5/27/2010 11:44:53 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments " " in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    5/27/2010 11:44:51 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments " " in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    5/27/2010 11:44:18 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments " " in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    5/27/2010 11:44:18 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments " " in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    5/27/2010 11:44:17 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments " " in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
    5/27/2010 11:44:13 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    5/27/2010 11:44:04 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments " " in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    5/27/2010 11:43:57 PM, Error: EventLog [6008] - The previous system shutdown at 11:39:33 PM on 5/27/2010 was unexpected.
    5/27/2010 11:37:57 PM, Error: Microsoft-Windows-TerminalServices-LocalSessionManager [1048] - Terminal Service start failed. The relevant status code was This service cannot be started in Safe Mode .
    5/27/2010 11:37:57 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service TermService with arguments " " in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
    5/27/2010 11:37:56 PM, Error: EventLog [6008] - The previous system shutdown at 11:35:09 PM on 5/27/2010 was unexpected.
    5/25/2010 11:19:18 AM, Error: bowser [8003] - The master browser has received a server announcement from the computer OWNER-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{00D58EBC-8C73-4F18-8E06-7573A3C69. The master browser is stopping or an election is being forced.
    5/25/2010 1:57:35 PM, Error: EventLog [6008] - The previous system shutdown at 1:54:30 PM on 5/25/2010 was unexpected.
    5/24/2010 7:01:31 PM, Error: Microsoft-Windows-PrintSpooler [19] - The print spooler failed to share printer Canon MF4360-4390 with shared resource name Canon MF4360-4390. Error 2114. The printer cannot be used by others on the network.
    5/24/2010 7:01:30 PM, Error: Microsoft-Windows-PrintSpooler [19] - The print spooler failed to share printer QuickBooks PDF Converter with shared resource name QuickBooks PDF Converter. Error 2114. The printer cannot be used by others on the network.
    5/23/2010 10:37:32 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Media Player Network Sharing Service service to connect.
    5/23/2010 10:37:32 AM, Error: Service Control Manager [7000] - The Windows Media Player Network Sharing Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    5/21/2010 6:40:48 AM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    5/21/2010 6:39:19 AM, Error: Microsoft-Windows-HttpEvent [15021] - An error occured while using SSL configuration for socket address 192.168.1.7:63331. The error status code is contained within the returned data.
    5/21/2010 6:39:19 AM, Error: Microsoft-Windows-HttpEvent [15021] - An error occured while using SSL configuration for socket address 192.168.1.101:63331. The error status code is contained within the returned data.
    5/21/2010 6:39:19 AM, Error: Microsoft-Windows-HttpEvent [15021] - An error occured while using SSL configuration for socket address 192.168.0.8:63331. The error status code is contained within the returned data.
    5/21/2010 6:39:19 AM, Error: Microsoft-Windows-HttpEvent [15021] - An error occured while using SSL configuration for socket address 192.168.0.5:63331. The error status code is contained within the returned data.
    5/21/2010 6:39:19 AM, Error: Microsoft-Windows-HttpEvent [15021] - An error occured while using SSL configuration for socket address 192.168.0.3:63331. The error status code is contained within the returned data.

    ==== End Of File ===========================
     
    Daanii,
    #1
  2. 2010/05/28
    Admin.

    Admin. Administrator Administrator Staff

    Joined:
    2001/12/30
    Messages:
    6,687
    Likes Received:
    107
    I see you have P2P software ( Azures, Limewire, BitTorrent, uTorrent etc…) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

    References for the risk of these programs are here, and here.

    I would strongly recommend that you uninstall them, and read the links above for educational value!

    Note: Please be advised that continued use of these programs after being warned of the danger of infections from them, may result in the discontinued help of future cleaning of your system here at WindowsBBS Malware and Virus removal.

    A Malware expert will have a look at your log in due course.
     
    Admin.,
    #2


  3. to hide this advert.

  4. 2010/05/28
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming executive file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure, you update Malwarebytes before running the scans.***


    STEP 1. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When scan is completed, click Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.

    RESTART COMPUTER

    STEP 3. Download HijackThis:
    http://free.antivirus.com/hijackthis/
    by clicking on Installer under Version 2.0.4
    Install, and run it.
    Post HijackThis log.
    NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
    broni,
    #3
  5. 2010/05/29
    Daanii

    Daanii Well-Known Member Thread Starter

    Joined:
    2002/04/04
    Messages:
    341
    Likes Received:
    2
    Results for Malwarebytes' Anti-Malware:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4152

    Windows 6.0.6001 Service Pack 1
    Internet Explorer 8.0.6001.18904

    5/28/2010 2:32:39 PM
    mbam-log-2010-05-28 (14-32-39).txt

    Scan type: Quick scan
    Objects scanned: 133227
    Time elapsed: 6 minute(s), 51 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\AppID\{fa8edcdd-efa2-477b-b00a-7f28f02cd37e} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    Results for GMER. Done in safe mode.

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-05-29 00:32:58
    Windows 6.0.6001 Service Pack 1
    Running: ktg5xd0g.exe; Driver: C:\Users\Noriko\AppData\Local\Temp\uxryqpod.sys


    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\Explorer.EXE[1572] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74AA88B4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1572] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74AE98A5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1572] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74AAB9D4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1572] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74A9FB47] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1572] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74AA7A79] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1572] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74A9EA65] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1572] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74ADB17D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1572] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [74AABC9A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1572] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74AA074E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1572] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74AA06B5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1572] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74A971B3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1572] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [74B2D848] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1572] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74AC7379] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1572] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74A9E109] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1572] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74A9697E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1572] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74A969A9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[1572] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74AA2465] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----

    Results for HiJackThis but was unable to run it as administrator.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 12:42:59 AM, on 5/29/2010
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v8.00 (8.00.6001.18904)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Sony\ISB Utility\ISBMgr.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Sony\VAIO Wireless Wizard\AutoLaunchWLASU.exe
    C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
    C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Seagate\Seagate Dashboard\MemeoDashboard.exe
    C:\Program Files\Memeo\AutoBackup\InstantBackup.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Windows\system32\conime.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [ISBMgr.exe] "C:\Program Files\Sony\ISB Utility\ISBMgr.exe "
    O4 - HKLM\..\Run: [VAIOMyMemCenter] "C:\Program Files\Sony\VAIO My Memory Center\VAIO MyMemCenter.exe" 1
    O4 - HKLM\..\Run: [VWLASU] "C:\Program Files\Sony\VAIO Wireless Wizard\AutoLaunchWLASU.exe "
    O4 - HKLM\..\Run: [VAIO Help and Support Demo] "C:\Program Files\Sony\VAIO Help and Support Demo\LaunchVHSD.exe "
    O4 - HKLM\..\Run: [VAIORegistration] "C:\Program Files\Sony\First Experience\WelcomeLauncher.exe "
    O4 - HKLM\..\Run: [VAIOSurvey] C:\Program Files\Sony\VAIO Survey\Vista VAIO Survey.exe
    O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe "
    O4 - HKLM\..\Run: [Memeo Instant Backup] C:\Program Files\Memeo\AutoBackup\MemeoLauncher2.exe --silent --no_ui
    O4 - HKLM\..\Run: [Seagate Dashboard] C:\Program Files\Seagate\Seagate Dashboard\MemeoLauncher.exe --silent --no_ui
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe "
    O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - Global Startup: AOLDDI.lnk = C:\DDI\AOLICON.exe
    O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
    O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo1.walgreens.com/WalgreensActivia.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/VistaMSNPUplden-us.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    O23 - Service: MemeoBackgroundService - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Nero BackItUp Scheduler 4.0 - Unknown owner - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (file missing)
    O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Seagate Dashboard Service (SeagateDashboardService) - Memeo - C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe
    O23 - Service: VAIO Media plus Content Importer (SOHCImp) - Sony Corporation - C:\Program Files\Sony\VAIO Media plus\SOHCImp.exe
    O23 - Service: VAIO Media plus Digital Media Server (SOHDms) - Sony Corporation - C:\Program Files\Sony\VAIO Media plus\SOHDms.exe
    O23 - Service: VAIO Media plus Device Searcher (SOHDs) - Sony Corporation - C:\Program Files\Sony\VAIO Media plus\SOHDs.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
    O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
    O23 - Service: VAIO Content Metadata Intelligent Analyzing Manager (VcmIAlzMgr) - Sony Corporation - C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe
    O23 - Service: VAIO Content Metadata XML Interface (VcmXmlIfHelper) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe
    O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 8977 bytes
     
    Daanii,
    #4
  6. 2010/05/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download ComboFix from [color= "Red"]Here[/color] or [color= "#FF0000"]Here[/color] to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results ".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
    broni,
    #5
  7. 2010/05/29
    Daanii

    Daanii Well-Known Member Thread Starter

    Joined:
    2002/04/04
    Messages:
    341
    Likes Received:
    2
    After getting Arie's message, we uninstalled all peer-to-peer software. (I think that software was installed more than a year ago, but it was not used as far as I know.) But some of that software still shows up in this list. I hope that is not a problem.

    Thanks for your help.


    ComboFix 10-05-29.02 - Noriko 05/29/2010 12:22:41.2.2 - x86
    Microsoft® Windows Vistaâ„¢ Home Premium 6.0.6001.1.1252.1.1033.18.3062.1840 [GMT -7:00]
    Running from: c:\users\Noriko\Downloads\ComboFix.exe
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-29 )))))))))))))))))))))))))))))))
    .

    2010-05-29 19:29 . 2010-05-29 19:29 -------- d-----w- c:\users\Noriko\AppData\Local\temp
    2010-05-29 19:29 . 2010-05-29 19:29 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-05-29 19:29 . 2010-05-29 19:29 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
    2010-05-29 19:29 . 2010-05-29 19:29 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-05-29 17:21 . 2010-05-29 17:21 388096 ----a-r- c:\users\Noriko\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-05-29 17:21 . 2010-05-29 17:21 -------- d-----w- c:\program files\Trend Micro
    2010-05-26 13:46 . 2010-04-23 13:55 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-05-25 02:16 . 2010-05-25 02:16 8463808 ----a-w- c:\users\Noriko\AppData\Roaming\Azureus\tmp\AZU282494676886309602.tmp\Vuze_4.4.0.4_win32.exe
    2010-05-25 02:14 . 2010-05-25 02:14 -------- d-----w- c:\users\Noriko\AppData\Roaming\GetRightToGo
    2010-05-24 23:48 . 2010-05-24 23:48 -------- d-----w- c:\program files\Common Files\Memeo
    2010-05-24 23:41 . 2010-05-24 23:41 -------- d-----w- c:\users\Noriko\AppData\Roaming\Leadertech
    2010-05-20 23:00 . 2010-05-20 23:00 7282688 ----a-w- c:\users\Noriko\AppData\Roaming\Azureus\plugins\vuzexcode\ffmpeg.exe
    2010-05-20 23:00 . 2010-05-20 23:00 4141117 ----a-w- c:\users\Noriko\AppData\Roaming\Azureus\plugins\vuzexcode\mediainfo.exe
    2010-05-12 14:26 . 2010-01-29 16:21 738304 ----a-w- c:\windows\system32\inetcomm.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-29 17:29 . 2010-03-08 14:11 680 ----a-w- c:\users\Noriko\AppData\Local\d3d9caps.dat
    2010-05-28 21:25 . 2009-05-03 00:14 -------- d-----w- c:\program files\QuickMediaConverter
    2010-05-28 21:24 . 2008-11-28 23:19 -------- d-----w- c:\programdata\WildTangent
    2010-05-28 21:13 . 2009-03-07 08:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-05-28 21:02 . 2009-09-28 23:09 -------- d-----w- c:\program files\Common Files\Nero
    2010-05-28 21:01 . 2009-09-28 23:09 -------- d-----w- c:\programdata\Nero
    2010-05-28 20:59 . 2008-03-31 17:36 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-05-28 20:58 . 2008-11-08 02:30 -------- d-----w- c:\program files\Yahoo!
    2010-05-28 20:54 . 2008-11-08 02:30 -------- d-----w- c:\program files\Veoh Networks
    2010-05-28 20:54 . 2009-01-10 00:37 -------- d-----w- c:\program files\Vuze
    2010-05-28 20:49 . 2008-10-23 22:51 -------- d-----w- c:\program files\PANDORA.TV
    2010-05-28 20:48 . 2009-01-07 04:32 -------- d-----w- c:\program files\OpenOffice.org 3
    2010-05-28 19:40 . 2008-04-29 12:40 -------- d-----w- c:\program files\Corel
    2010-05-28 19:40 . 2008-10-23 22:54 -------- d-----w- c:\users\Noriko\AppData\Roaming\Corel
    2010-05-28 19:36 . 2009-04-21 04:54 -------- d-----w- c:\program files\Common Files\AVSMedia
    2010-05-28 19:36 . 2009-04-21 04:54 -------- d-----w- c:\program files\AVS4YOU
    2010-05-28 19:34 . 2009-05-03 01:48 -------- d-----w- c:\users\Noriko\AppData\Roaming\Any Video Converter
    2010-05-28 19:29 . 2009-06-05 02:07 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
    2010-05-27 04:28 . 2009-01-07 04:43 1 ----a-w- c:\users\Noriko\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2010-05-25 03:00 . 2009-01-10 00:38 -------- d-----w- c:\users\Noriko\AppData\Roaming\Azureus
    2010-05-25 02:03 . 2008-10-13 23:15 89328 ----a-w- c:\users\Noriko\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-05-19 01:13 . 2009-04-18 17:59 -------- d-----w- c:\users\Noriko\AppData\Roaming\LimeWire
    2010-05-13 13:17 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-05-10 03:54 . 2010-02-20 18:26 -------- d-----w- c:\program files\Google
    2010-04-29 22:39 . 2009-03-07 08:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-29 22:39 . 2009-03-07 08:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-26 20:09 . 2009-10-24 21:04 0 ----a-w- c:\users\Noriko\AppData\Roaming\CopyToGo.dat
    2010-04-20 16:20 . 2009-03-07 22:28 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-04-19 15:24 . 2008-11-28 05:33 3452 ----a-w- c:\windows\system32\KGyGaAvL.sys
    2010-04-01 14:46 . 2010-04-01 14:46 627464 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2010-03-12 17:54 . 2010-03-12 17:54 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-03-12 17:54 . 2009-03-07 22:28 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-03-12 17:53 . 2009-03-07 22:28 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-03-05 14:01 . 2010-04-13 18:36 420352 ----a-w- c:\windows\system32\vbscript.dll
    2010-03-02 01:47 . 2009-01-10 04:48 10686001 ----a-w- c:\users\Noriko\AppData\Roaming\Azureus\plugins\azump\mplayer.exe
    2010-03-02 01:35 . 2009-01-10 07:14 176 ----a-w- c:\users\Noriko\AppData\Roaming\Azureus\restart.bat
    2010-01-29 00:05 . 2008-11-28 05:33 88 --sh--r- c:\windows\System32\6553A2785D.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-05-28_07.33.31 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-01-21 01:58 . 2010-05-29 19:02 54680 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    - 2006-11-02 13:05 . 2010-05-28 06:56 70098 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2006-11-02 13:05 . 2010-05-29 19:02 70098 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2008-10-13 23:16 . 2010-05-29 19:02 11870 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3812464802-841466475-3378223092-1000_UserData.bin
    + 2009-08-09 17:37 . 2010-05-29 19:02 84661 c:\windows\System32\Macromed\Flash\uninstall_plugin.exe
    + 2008-10-13 23:09 . 2010-05-29 19:00 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-10-13 23:09 . 2010-05-28 06:55 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-10-13 23:09 . 2010-05-28 06:55 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-10-13 23:09 . 2010-05-29 19:00 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-04-05 01:51 . 2010-05-29 19:01 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-04-05 01:51 . 2010-05-28 06:19 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-04-05 01:51 . 2010-05-28 06:19 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-04-05 01:51 . 2010-05-29 19:01 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-04-05 01:51 . 2010-05-28 06:19 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-04-05 01:51 . 2010-05-29 19:01 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-10-31 01:57 . 2010-05-29 19:00 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-10-31 01:57 . 2010-05-28 06:54 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-10-31 01:57 . 2010-05-29 19:00 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2008-10-31 01:57 . 2010-05-28 06:54 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2008-10-31 01:57 . 2010-05-28 06:54 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-10-31 01:57 . 2010-05-29 19:00 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2010-05-29 19:00 . 2010-05-29 19:00 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2010-05-28 06:53 . 2010-05-28 06:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2010-05-28 06:53 . 2010-05-28 06:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2010-05-29 19:00 . 2010-05-29 19:00 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2008-03-31 19:57 . 2010-05-28 17:21 263056 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
    + 2010-01-27 01:07 . 2010-01-27 01:07 256280 c:\windows\System32\Macromed\Flash\NPSWF32_FlashUtil.exe
    - 2009-04-05 01:06 . 2010-05-28 06:22 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    + 2009-04-05 01:06 . 2010-05-29 17:17 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    + 2008-10-13 23:09 . 2010-05-29 19:00 376832 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2008-10-13 23:09 . 2010-05-28 06:55 376832 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2010-01-27 01:07 . 2010-01-27 01:07 3884312 c:\windows\System32\Macromed\Flash\NPSWF32.dll
    + 2010-05-29 17:21 . 2010-05-29 17:21 1094656 c:\windows\Installer\cc47f.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AOLOverlayIcon]
    @= "{AB0C8BE3-041C-47d6-8195-E089D32B38DD} "
    [HKEY_CLASSES_ROOT\CLSID\{AB0C8BE3-041C-47d6-8195-E089D32B38DD}]
    2008-02-03 00:27 303104 ------w- c:\ddi\OverIcon.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar "= "c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
    "ehTray.exe "= "c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "VeohPlugin "= "c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-04-03 3558648]
    "Sony Ericsson PC Suite "= "c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2009-09-24 434176]
    "WMPNSCFG "= "c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender "= "c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2008-02-05 141848]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2008-02-05 154136]
    "Persistence "= "c:\windows\system32\igfxpers.exe" [2008-02-05 137752]
    "RtHDVCpl "= "RtHDVCpl.exe" [2008-01-23 4718592]
    "Apoint "= "c:\program files\Apoint\Apoint.exe" [2008-02-23 122880]
    "ISBMgr.exe "= "c:\program files\Sony\ISB Utility\ISBMgr.exe" [2007-11-21 311296]
    "VAIOMyMemCenter "= "c:\program files\Sony\VAIO My Memory Center\VAIO MyMemCenter.exe" [2008-02-29 679936]
    "VWLASU "= "c:\program files\Sony\VAIO Wireless Wizard\AutoLaunchWLASU.exe" [2008-02-19 24576]
    "VAIO Help and Support Demo "= "c:\program files\Sony\VAIO Help and Support Demo\LaunchVHSD.exe" [2007-08-28 290816]
    "VAIORegistration "= "c:\program files\Sony\First Experience\WelcomeLauncher.exe" [2007-10-17 20480]
    "VAIOSurvey "= "c:\program files\Sony\VAIO Survey\Vista VAIO Survey.exe" [2007-07-20 577536]
    "EverioService "= "c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2007-11-02 151552]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "SunJavaUpdateSched "= "c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
    2007-08-15 03:05 98304 ------w- c:\windows\System32\VESWinlogon.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=c:\windows\System32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux "=wdmaud.drv

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @= "Service "

    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-20 135664]
    R2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [2009-04-30 90112]
    R3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\DRIVERS\s0016bus.sys [2008-05-16 89256]
    R3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s0016mdfl.sys [2008-05-16 15016]
    R3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s0016mdm.sys [2008-05-16 120744]
    R3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s0016mgmt.sys [2008-05-16 114216]
    R3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\DRIVERS\s0016nd5.sys [2008-05-16 25512]
    R3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s0016obex.sys [2008-05-16 110632]
    R3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\DRIVERS\s0016unic.sys [2008-05-16 115752]
    R3 SOHCImp;VAIO Media plus Content Importer;c:\program files\Sony\VAIO Media plus\SOHCImp.exe [2008-03-05 104288]
    R3 SOHDms;VAIO Media plus Digital Media Server;c:\program files\Sony\VAIO Media plus\SOHDms.exe [2008-03-05 350048]
    R3 SOHDs;VAIO Media plus Device Searcher;c:\program files\Sony\VAIO Media plus\SOHDs.exe [2008-03-05 63328]
    R3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2008-03-03 333088]
    R3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe [2008-03-03 87328]
    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-03-12 216200]
    S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-04-20 242896]
    S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-03-12 916760]
    S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-12 308064]
    S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
    S3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\DRIVERS\seehcri.sys [2008-01-09 27632]
    S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys [2007-12-17 9344]
    S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-06-06 812544]

    .
    Contents of the 'Scheduled Tasks' folder

    2010-05-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-20 18:26]

    2010-05-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-20 18:26]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://www.yahoo.com
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride = <local>
    FF - ProfilePath - c:\users\Noriko\AppData\Roaming\Mozilla\Firefox\Profiles\zk5s620o.default\
    FF - prefs.js: browser.startup.homepage - hxxp://sankei.jp.msn.com/
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
    FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref ", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.renego_unrestricted_hosts ", " ");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.treat_unsafe_negotiation_as_broken ", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.require_safe_negotiation ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-05-29 12:29
    Windows 6.0.6001 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial "=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial "=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial "=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial "=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'Explorer.exe'(4580)
    c:\ddi\overicon.dll
    .
    Completion time: 2010-05-29 12:31:48
    ComboFix-quarantined-files.txt 2010-05-29 19:31
    ComboFix2.txt 2010-05-28 07:36

    Pre-Run: 61,904,908,288 bytes free
    Post-Run: 61,778,059,264 bytes free

    - - End Of File - - 4A9B31E317658A926DE791DE2D30E889
     
    Daanii,
    #6
  8. 2010/05/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    1. Please open Notepad
    • Click Start , then Run
    • Type notepad .exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
c:\windows\System32\6553A2785D.sys

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
    broni,
    #7
  9. 2010/05/29
    Daanii

    Daanii Well-Known Member Thread Starter

    Joined:
    2002/04/04
    Messages:
    341
    Likes Received:
    2
    Thanks for all your help.

    Here's the log:

    ComboFix 10-05-29.03 - Noriko 05/29/2010 14:24:39.3.2 - x86
    Microsoft® Windows Vistaâ„¢ Home Premium 6.0.6001.1.1252.1.1033.18.3062.1469 [GMT -7:00]
    Running from: c:\users\Noriko\Downloads\ComboFix.exe
    Command switches used :: c:\users\Noriko\Desktop\CFScript.txt
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    FILE ::
    "c:\windows\System32\6553A2785D.sys "
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\System32\6553A2785D.sys

    .
    ((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-29 )))))))))))))))))))))))))))))))
    .

    2010-05-29 21:30 . 2010-05-29 21:30 -------- d-----w- c:\users\Noriko\AppData\Local\temp
    2010-05-29 21:30 . 2010-05-29 21:30 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-05-29 21:30 . 2010-05-29 21:30 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
    2010-05-29 21:30 . 2010-05-29 21:30 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-05-29 17:21 . 2010-05-29 17:21 388096 ----a-r- c:\users\Noriko\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-05-29 17:21 . 2010-05-29 17:21 -------- d-----w- c:\program files\Trend Micro
    2010-05-26 13:46 . 2010-04-23 13:55 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-05-25 02:16 . 2010-05-25 02:16 8463808 ----a-w- c:\users\Noriko\AppData\Roaming\Azureus\tmp\AZU282494676886309602.tmp\Vuze_4.4.0.4_win32.exe
    2010-05-25 02:14 . 2010-05-25 02:14 -------- d-----w- c:\users\Noriko\AppData\Roaming\GetRightToGo
    2010-05-24 23:48 . 2010-05-24 23:48 -------- d-----w- c:\program files\Common Files\Memeo
    2010-05-24 23:41 . 2010-05-24 23:41 -------- d-----w- c:\users\Noriko\AppData\Roaming\Leadertech
    2010-05-20 23:00 . 2010-05-20 23:00 7282688 ----a-w- c:\users\Noriko\AppData\Roaming\Azureus\plugins\vuzexcode\ffmpeg.exe
    2010-05-20 23:00 . 2010-05-20 23:00 4141117 ----a-w- c:\users\Noriko\AppData\Roaming\Azureus\plugins\vuzexcode\mediainfo.exe
    2010-05-12 14:26 . 2010-01-29 16:21 738304 ----a-w- c:\windows\system32\inetcomm.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-29 17:29 . 2010-03-08 14:11 680 ----a-w- c:\users\Noriko\AppData\Local\d3d9caps.dat
    2010-05-28 21:25 . 2009-05-03 00:14 -------- d-----w- c:\program files\QuickMediaConverter
    2010-05-28 21:24 . 2008-11-28 23:19 -------- d-----w- c:\programdata\WildTangent
    2010-05-28 21:13 . 2009-03-07 08:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-05-28 21:02 . 2009-09-28 23:09 -------- d-----w- c:\program files\Common Files\Nero
    2010-05-28 21:01 . 2009-09-28 23:09 -------- d-----w- c:\programdata\Nero
    2010-05-28 20:59 . 2008-03-31 17:36 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-05-28 20:58 . 2008-11-08 02:30 -------- d-----w- c:\program files\Yahoo!
    2010-05-28 20:54 . 2008-11-08 02:30 -------- d-----w- c:\program files\Veoh Networks
    2010-05-28 20:54 . 2009-01-10 00:37 -------- d-----w- c:\program files\Vuze
    2010-05-28 20:49 . 2008-10-23 22:51 -------- d-----w- c:\program files\PANDORA.TV
    2010-05-28 20:48 . 2009-01-07 04:32 -------- d-----w- c:\program files\OpenOffice.org 3
    2010-05-28 19:40 . 2008-04-29 12:40 -------- d-----w- c:\program files\Corel
    2010-05-28 19:40 . 2008-10-23 22:54 -------- d-----w- c:\users\Noriko\AppData\Roaming\Corel
    2010-05-28 19:36 . 2009-04-21 04:54 -------- d-----w- c:\program files\Common Files\AVSMedia
    2010-05-28 19:36 . 2009-04-21 04:54 -------- d-----w- c:\program files\AVS4YOU
    2010-05-28 19:34 . 2009-05-03 01:48 -------- d-----w- c:\users\Noriko\AppData\Roaming\Any Video Converter
    2010-05-28 19:29 . 2009-06-05 02:07 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
    2010-05-27 04:28 . 2009-01-07 04:43 1 ----a-w- c:\users\Noriko\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2010-05-25 03:00 . 2009-01-10 00:38 -------- d-----w- c:\users\Noriko\AppData\Roaming\Azureus
    2010-05-25 02:03 . 2008-10-13 23:15 89328 ----a-w- c:\users\Noriko\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-05-21 21:14 . 2009-10-03 07:08 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-05-19 01:13 . 2009-04-18 17:59 -------- d-----w- c:\users\Noriko\AppData\Roaming\LimeWire
    2010-05-13 13:17 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-05-10 03:54 . 2010-02-20 18:26 -------- d-----w- c:\program files\Google
    2010-04-29 22:39 . 2009-03-07 08:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-29 22:39 . 2009-03-07 08:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-26 20:09 . 2009-10-24 21:04 0 ----a-w- c:\users\Noriko\AppData\Roaming\CopyToGo.dat
    2010-04-20 16:20 . 2009-03-07 22:28 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-04-19 15:24 . 2008-11-28 05:33 3452 ----a-w- c:\windows\system32\KGyGaAvL.sys
    2010-04-01 14:46 . 2010-04-01 14:46 627464 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2010-03-12 17:54 . 2010-03-12 17:54 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-03-12 17:54 . 2009-03-07 22:28 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-03-12 17:53 . 2009-03-07 22:28 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-03-05 14:01 . 2010-04-13 18:36 420352 ----a-w- c:\windows\system32\vbscript.dll
    2010-03-02 01:47 . 2009-01-10 04:48 10686001 ----a-w- c:\users\Noriko\AppData\Roaming\Azureus\plugins\azump\mplayer.exe
    2010-03-02 01:35 . 2009-01-10 07:14 176 ----a-w- c:\users\Noriko\AppData\Roaming\Azureus\restart.bat
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-05-28_07.33.31 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-01-21 01:58 . 2010-05-29 19:02 54680 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    - 2006-11-02 13:05 . 2010-05-28 06:56 70098 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2006-11-02 13:05 . 2010-05-29 19:02 70098 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2008-10-13 23:16 . 2010-05-29 19:02 11870 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3812464802-841466475-3378223092-1000_UserData.bin
    + 2009-08-09 17:37 . 2010-05-29 19:02 84661 c:\windows\System32\Macromed\Flash\uninstall_plugin.exe
    + 2008-10-13 23:09 . 2010-05-29 19:33 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-10-13 23:09 . 2010-05-28 06:55 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-10-13 23:09 . 2010-05-28 06:55 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-10-13 23:09 . 2010-05-29 19:33 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-04-05 01:51 . 2010-05-29 19:01 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-04-05 01:51 . 2010-05-28 06:19 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-04-05 01:51 . 2010-05-28 06:19 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-04-05 01:51 . 2010-05-29 19:01 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-04-05 01:51 . 2010-05-28 06:19 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-04-05 01:51 . 2010-05-29 19:01 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-10-31 01:57 . 2010-05-29 19:00 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-10-31 01:57 . 2010-05-28 06:54 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-10-31 01:57 . 2010-05-29 19:00 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2008-10-31 01:57 . 2010-05-28 06:54 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2008-10-31 01:57 . 2010-05-28 06:54 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-10-31 01:57 . 2010-05-29 19:00 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2010-05-29 19:00 . 2010-05-29 19:00 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2010-05-28 06:53 . 2010-05-28 06:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2010-05-28 06:53 . 2010-05-28 06:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2010-05-29 19:00 . 2010-05-29 19:00 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2008-03-31 19:57 . 2010-05-28 17:21 263056 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
    + 2010-01-27 01:07 . 2010-01-27 01:07 256280 c:\windows\System32\Macromed\Flash\NPSWF32_FlashUtil.exe
    - 2009-04-05 01:06 . 2010-05-28 06:22 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    + 2009-04-05 01:06 . 2010-05-29 17:17 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    + 2008-10-13 23:09 . 2010-05-29 19:33 376832 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2008-10-13 23:09 . 2010-05-28 06:55 376832 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2010-01-27 01:07 . 2010-01-27 01:07 3884312 c:\windows\System32\Macromed\Flash\NPSWF32.dll
    + 2010-05-29 17:21 . 2010-05-29 17:21 1094656 c:\windows\Installer\cc47f.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AOLOverlayIcon]
    @= "{AB0C8BE3-041C-47d6-8195-E089D32B38DD} "
    [HKEY_CLASSES_ROOT\CLSID\{AB0C8BE3-041C-47d6-8195-E089D32B38DD}]
    2008-02-03 00:27 303104 ------w- c:\ddi\OverIcon.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar "= "c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
    "ehTray.exe "= "c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "VeohPlugin "= "c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-04-03 3558648]
    "Sony Ericsson PC Suite "= "c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2009-09-24 434176]
    "WMPNSCFG "= "c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender "= "c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2008-02-05 141848]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2008-02-05 154136]
    "Persistence "= "c:\windows\system32\igfxpers.exe" [2008-02-05 137752]
    "RtHDVCpl "= "RtHDVCpl.exe" [2008-01-23 4718592]
    "Apoint "= "c:\program files\Apoint\Apoint.exe" [2008-02-23 122880]
    "ISBMgr.exe "= "c:\program files\Sony\ISB Utility\ISBMgr.exe" [2007-11-21 311296]
    "VAIOMyMemCenter "= "c:\program files\Sony\VAIO My Memory Center\VAIO MyMemCenter.exe" [2008-02-29 679936]
    "VWLASU "= "c:\program files\Sony\VAIO Wireless Wizard\AutoLaunchWLASU.exe" [2008-02-19 24576]
    "VAIO Help and Support Demo "= "c:\program files\Sony\VAIO Help and Support Demo\LaunchVHSD.exe" [2007-08-28 290816]
    "VAIORegistration "= "c:\program files\Sony\First Experience\WelcomeLauncher.exe" [2007-10-17 20480]
    "VAIOSurvey "= "c:\program files\Sony\VAIO Survey\Vista VAIO Survey.exe" [2007-07-20 577536]
    "EverioService "= "c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2007-11-02 151552]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "SunJavaUpdateSched "= "c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
    2007-08-15 03:05 98304 ------w- c:\windows\System32\VESWinlogon.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=c:\windows\System32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux "=wdmaud.drv

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @= "Service "

    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-20 135664]
    R2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [2009-04-30 90112]
    R3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\DRIVERS\s0016bus.sys [2008-05-16 89256]
    R3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s0016mdfl.sys [2008-05-16 15016]
    R3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s0016mdm.sys [2008-05-16 120744]
    R3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s0016mgmt.sys [2008-05-16 114216]
    R3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\DRIVERS\s0016nd5.sys [2008-05-16 25512]
    R3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s0016obex.sys [2008-05-16 110632]
    R3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\DRIVERS\s0016unic.sys [2008-05-16 115752]
    R3 SOHCImp;VAIO Media plus Content Importer;c:\program files\Sony\VAIO Media plus\SOHCImp.exe [2008-03-05 104288]
    R3 SOHDms;VAIO Media plus Digital Media Server;c:\program files\Sony\VAIO Media plus\SOHDms.exe [2008-03-05 350048]
    R3 SOHDs;VAIO Media plus Device Searcher;c:\program files\Sony\VAIO Media plus\SOHDs.exe [2008-03-05 63328]
    R3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2008-03-03 333088]
    R3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe [2008-03-03 87328]
    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-03-12 216200]
    S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-04-20 242896]
    S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-03-12 916760]
    S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-12 308064]
    S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
    S3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\DRIVERS\seehcri.sys [2008-01-09 27632]
    S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys [2007-12-17 9344]
    S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-06-06 812544]

    .
    Contents of the 'Scheduled Tasks' folder

    2010-05-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-20 18:26]

    2010-05-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-20 18:26]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://www.yahoo.com
    uInternet Settings,ProxyOverride = <local>
    FF - ProfilePath - c:\users\Noriko\AppData\Roaming\Mozilla\Firefox\Profiles\zk5s620o.default\
    FF - prefs.js: browser.startup.homepage - hxxp://sankei.jp.msn.com/
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
    FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref ", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.renego_unrestricted_hosts ", " ");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.treat_unsafe_negotiation_as_broken ", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.require_safe_negotiation ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-05-29 14:30
    Windows 6.0.6001 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial "=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial "=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial "=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial "=dword:00000000
    .
    Completion time: 2010-05-29 14:33:02
    ComboFix-quarantined-files.txt 2010-05-29 21:32
    ComboFix2.txt 2010-05-29 19:31
    ComboFix3.txt 2010-05-28 07:36

    Pre-Run: 60,346,150,912 bytes free
    Post-Run: 60,206,608,384 bytes free

    - - End Of File - - 528ABCB4FCB1055C7A73A3B63FED8AC7
     
    Daanii,
    #8
  10. 2010/05/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Very well :)

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start> "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall "
    Click OK (Vista users - press Enter).
    Restart computer.

    ===========================================================

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
      [*] Archives
      [*] Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.


    Download HijackThis:
    http://free.antivirus.com/hijackthis/
    by clicking on Installer under Version 2.0.4
    Install, and run it.
    Post HijackTHis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
     
    broni,
    #9
  11. 2010/05/30
    Daanii

    Daanii Well-Known Member Thread Starter

    Joined:
    2002/04/04
    Messages:
    341
    Likes Received:
    2
    Results for Kaspersky Online Scanner:

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Saturday, May 29, 2010
    Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Sunday, May 30, 2010 01:50:02
    Records in database: 4195116
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\
    F:\

    Scan statistics:
    Objects scanned: 131813
    Threats found: 0
    Infected objects found: 0
    Suspicious objects found: 0
    Scan duration: 01:38:21

    No threats found. Scanned area is clean.

    Selected area has been scanned.



    Results for HiJackThis:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 10:13:05 PM, on 5/29/2010
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v8.00 (8.00.6001.18904)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Sony\ISB Utility\ISBMgr.exe
    C:\Program Files\Sony\VAIO Wireless Wizard\AutoLaunchWLASU.exe
    C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
    C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\System32\mobsync.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Windows\system32\conime.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe
    C:\Program Files\Java\jre6\bin\java.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [ISBMgr.exe] "C:\Program Files\Sony\ISB Utility\ISBMgr.exe "
    O4 - HKLM\..\Run: [VAIOMyMemCenter] "C:\Program Files\Sony\VAIO My Memory Center\VAIO MyMemCenter.exe" 1
    O4 - HKLM\..\Run: [VWLASU] "C:\Program Files\Sony\VAIO Wireless Wizard\AutoLaunchWLASU.exe "
    O4 - HKLM\..\Run: [VAIO Help and Support Demo] "C:\Program Files\Sony\VAIO Help and Support Demo\LaunchVHSD.exe "
    O4 - HKLM\..\Run: [VAIORegistration] "C:\Program Files\Sony\First Experience\WelcomeLauncher.exe "
    O4 - HKLM\..\Run: [VAIOSurvey] C:\Program Files\Sony\VAIO Survey\Vista VAIO Survey.exe
    O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe "
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe "
    O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - Global Startup: AOLDDI.lnk = C:\DDI\AOLICON.exe
    O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
    O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo1.walgreens.com/WalgreensActivia.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/VistaMSNPUplden-us.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Nero BackItUp Scheduler 4.0 - Unknown owner - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (file missing)
    O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: VAIO Media plus Content Importer (SOHCImp) - Sony Corporation - C:\Program Files\Sony\VAIO Media plus\SOHCImp.exe
    O23 - Service: VAIO Media plus Digital Media Server (SOHDms) - Sony Corporation - C:\Program Files\Sony\VAIO Media plus\SOHDms.exe
    O23 - Service: VAIO Media plus Device Searcher (SOHDs) - Sony Corporation - C:\Program Files\Sony\VAIO Media plus\SOHDs.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
    O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
    O23 - Service: VAIO Content Metadata Intelligent Analyzing Manager (VcmIAlzMgr) - Sony Corporation - C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe
    O23 - Service: VAIO Content Metadata XML Interface (VcmXmlIfHelper) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe
    O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 8432 bytes
     
    Daanii,
    #10
  12. 2010/05/30
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Re-run HJT and checkmark following items:

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
    O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)

    Click "Fix checked" button.

    When done...


    Your computer is clean :)

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point.

    Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore ".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C: ")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure, Windows Updates are current.

    [SIZE= "4"]5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately![/SIZE]

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please, let me know, how is your computer doing.
     
    broni,
    #11
  13. 2010/05/30
    Daanii

    Daanii Well-Known Member Thread Starter

    Joined:
    2002/04/04
    Messages:
    341
    Likes Received:
    2
    Broni,

    Thanks very much for all your help. My wife in particular appreciates knowing we have cleaned up her computer. And she knows what to be more careful about in the future.
     
    Daanii,
    #12
  14. 2010/05/30
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You're very welcome :)
    Good luck and stay safe :)
    I'll stop for a coffee, while in Millbrae :)
     
    broni,
    #13

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...