Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumonde, Malware, Trojans....


  • Please log in to reply
11 replies to this topic

#1 JWUequine08

JWUequine08

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Rhode Island
  • Local time:06:53 PM

Posted 19 November 2007 - 05:03 PM

I have gone waaaay over and above the requirements for the preparation for posting a log (a least I think so...)....I just want this thing gone!! I still have icons on my desktop labeled "Live Safety Center" and "Online Security Guide"...I have tried almost everything, (with some improvement) and now this...if you would like any more info on my situation, you can find it here: http://www.bleepingcomputer.com/forums/t/117206/infected-w-virtumonde/

Also, while you're here, checking out my log, can you tell me what I can do to improve my memory and increase the speed of my computer...mostly at startup..THANKS! :thumbsup:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:34:49 PM, on 11/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cleanmgr.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Common Files\AOL\1159491388\ee\aolsoftware.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0DCF7E1B-E1BE-426C-A5B2-7518498E7202} - (no file)
O2 - BHO: (no name) - {244F19A6-5CE1-4320-B8B7-3DAE1DC2AAEC} - (no file)
O2 - BHO: (no name) - {2C80EAD3-74CD-4700-83A4-AA878CD1C03C} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D063EEF-7169-4E77-94BF-0F687D0EDC9E} - (no file)
O2 - BHO: (no name) - {71EF0655-85FF-4822-835E-A149BA17FBC8} - (no file)
O2 - BHO: (no name) - {72D1C699-7197-4C97-A9B0-854AFF3E9AB2} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7635C333-FCB0-4F11-9597-D89FB4F83372} - (no file)
O2 - BHO: (no name) - {90BDADB9-0546-4FF7-A5E2-F6B6046BEAA4} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - (no file)
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINDOWS\system32\TwcToolbarBho.dll
O2 - BHO: (no name) - {DCA2C042-518E-48D4-8EBE-0EAA9095430F} - (no file)
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [SonyPowerCfg] "C:\Program Files\Sony\VAIO Power Management\SPMgr.exe"
O4 - HKLM\..\Run: [HKSERV.EXE] "C:\Program Files\Sony\HotKey Utility\HKserv.exe"
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [VAIOSurvey] "c:\program files\sony\vaio survey\surveysa.exe"
O4 - HKLM\..\Run: [VAIO Recovery] "C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1159491388\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [IPHSend] "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
O4 - HKLM\..\Run: [HPHUPD05] "C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] "C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" -1 --delay 15
O4 - HKLM\..\Run: [0D0F171212191A151] 44464E494950514.exe
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Compone...EngineQuery.dll
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://www.shockwave.com/content/dinerdash...tg.1.0.0.33.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: efccded - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 11729 bytes

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:12:53 AM

Posted 19 November 2007 - 06:36 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum JWUequine08 :thumbsup:
My name is Richie and i'll be helping you to fix your problems.

Please disable Spybot S&Dís protection,or it will interfere.
You can enable it later once you're system is clean.

Open Spybot and click on 'Mode' and check 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.
Restart the computer.
If you find you're experiencing problems disabling Spybot's Tea-Timer,follow the info in the link below:
http://www.russelltexas.com/malware/teatimer.htm

Disable SpySweeper by following these instructions:
http://wiki.castlecops.com/Malware_Removal...toring_Programs

Download DelDomains.zip and extract/unzip it to your desktop:
Now right click on Deldomains.inf then click on 'Install'.
After right clicking on Deldomains.inf 'Install' it will have appeared nothing happened,this is normal.

If you have previously downloaded ComboFix,please delete that version now.
Now download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Disconnect from the Internet.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
*Note*
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix,please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.
Posted Image
Posted Image

#3 JWUequine08

JWUequine08
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Rhode Island
  • Local time:06:53 PM

Posted 19 November 2007 - 08:40 PM

where can I find a recent copy of combofix, it is telling me it needs to be the most recent...I clicked on the link you included, am I doing something wrong?

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:12:53 AM

Posted 20 November 2007 - 07:43 AM

There appears to be a problem with Combofix,do the following please.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
* Close all other windows before proceeding.
* Double-click on dss.exe and follow the prompts.
* When it has finished, DSS will open two Notepads: main.txt and extra.txt
* Use Save As to save both Notepad files to your Desktop and post them in your next reply.
Posted Image
Posted Image

#5 JWUequine08

JWUequine08
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Rhode Island
  • Local time:06:53 PM

Posted 22 November 2007 - 10:16 AM

Okay, here are the results...I did not do an additional HiJack This log, because I saw that this program includes this in its log....let me know if you want a separate one as well :thumbsup:


Deckard's System Scanner v20071014.68
Run by Elizabeth on 2007-11-22 10:10:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2007-11-22 15:11:00 UTC - RP7 - Deckard's System Scanner Restore Point
1: 2007-11-20 01:59:20 UTC - RP6 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 447 MiB (512 MiB recommended).


-- HijackThis (run as Elizabeth.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:12:02 AM, on 11/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cleanmgr.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\AOL\1159491388\ee\AOLSoftware.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Elizabeth\Desktop\dss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Elizabeth.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0DCF7E1B-E1BE-426C-A5B2-7518498E7202} - (no file)
O2 - BHO: (no name) - {244F19A6-5CE1-4320-B8B7-3DAE1DC2AAEC} - (no file)
O2 - BHO: (no name) - {2C80EAD3-74CD-4700-83A4-AA878CD1C03C} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D063EEF-7169-4E77-94BF-0F687D0EDC9E} - (no file)
O2 - BHO: (no name) - {71EF0655-85FF-4822-835E-A149BA17FBC8} - (no file)
O2 - BHO: (no name) - {72D1C699-7197-4C97-A9B0-854AFF3E9AB2} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7635C333-FCB0-4F11-9597-D89FB4F83372} - (no file)
O2 - BHO: (no name) - {90BDADB9-0546-4FF7-A5E2-F6B6046BEAA4} - (no file)
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINDOWS\system32\TwcToolbarBho.dll
O2 - BHO: (no name) - {DCA2C042-518E-48D4-8EBE-0EAA9095430F} - (no file)
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [SonyPowerCfg] "C:\Program Files\Sony\VAIO Power Management\SPMgr.exe"
O4 - HKLM\..\Run: [HKSERV.EXE] "C:\Program Files\Sony\HotKey Utility\HKserv.exe"
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [VAIOSurvey] "c:\program files\sony\vaio survey\surveysa.exe"
O4 - HKLM\..\Run: [VAIO Recovery] "C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1159491388\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [IPHSend] "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
O4 - HKLM\..\Run: [HPHUPD05] "C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] "C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" -1 --delay 15
O4 - HKLM\..\Run: [0D0F171212191A151] 44464E494950514.exe
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Compone...EngineQuery.dll
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://www.shockwave.com/content/dinerdash...tg.1.0.0.33.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: efccded - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 11535 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>

S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 SPCSUtilityService - "c:\program files\sprint\sierra wireless\sprint pcs connection manager\spcsutilityservice.exe" <Not Verified; Sprint Spectrum, L.L.C; Sprint PCS Connection Manager>

S2 Ati HotKey Poller - c:\windows\system32\ati2evxx.exe (file missing)
S3 PACSPTISVR - c:\progra~1\common~1\sonysh~1\avlib\pacspt~1.exe <Not Verified; ; PACSPTISVR Module>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-11-22 10:09:00 412 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2007-11-20 08:56:46 268 --a------ C:\WINDOWS\Tasks\Disk Cleanup.job


-- Files created between 2007-10-22 and 2007-11-22 -----------------------------

2007-11-19 14:06:48 0 dr-h----- C:\Documents and Settings\Elizabeth\Recent
2007-11-19 12:40:03 0 d-------- C:\autoruns
2007-11-19 12:15:47 4112 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-19 09:29:22 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-11-18 14:36:42 85056 --a------ C:\WINDOWS\system32\eyvoyaon.dll
2007-11-18 14:30:42 79424 --a------ C:\WINDOWS\system32\qihilllh.dll
2007-11-18 14:28:22 71232 --a------ C:\WINDOWS\system32\ypvobkmt.exe <Not Verified; ; DDC>
2007-11-18 13:38:29 60496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
2007-11-18 13:37:53 21075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
2007-11-18 13:35:23 0 d-------- C:\Program Files\Sygate
2007-11-18 13:27:52 82496 --a------ C:\WINDOWS\system32\ifsgfjdk.dll
2007-11-18 11:25:45 71232 --a------ C:\WINDOWS\system32\arveclwp.exe <Not Verified; ; DDC>
2007-11-17 13:04:04 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-11-17 13:02:48 0 d-------- C:\Program Files\Webroot
2007-11-17 13:02:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-11-17 13:02:17 164 --a------ C:\install.dat
2007-11-17 12:37:38 0 d-------- C:\Documents and Settings\Elizabeth\Application Data\Webroot
2007-11-17 11:46:27 0 d-------- C:\Documents and Settings\Elizabeth\.housecall6.6
2007-11-17 11:33:53 85056 --a------ C:\WINDOWS\system32\oupurcsy.dll
2007-11-17 11:27:56 82496 --a------ C:\WINDOWS\system32\kfbhigca.dll
2007-11-17 11:24:55 71232 --a------ C:\WINDOWS\system32\fnxtycji.exe <Not Verified; ; DDC>
2007-11-16 23:25:20 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-11-16 23:25:20 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-11-16 23:25:20 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-11-16 23:25:20 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-11-16 23:25:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-11-16 23:25:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2007-11-16 23:25:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sony Corporation
2007-11-16 23:25:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2007-11-16 23:25:20 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-11-16 23:25:20 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-11-16 23:25:19 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-11-16 23:25:19 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-11-16 23:25:19 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-11-16 23:25:19 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-11-16 23:25:19 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-11-16 23:25:19 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-11-16 23:25:19 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-11-16 23:25:19 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-11-16 23:25:18 1572864 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-11-16 22:56:51 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-16 22:56:10 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-11-16 22:56:08 0 d-------- C:\Documents and Settings\Elizabeth\Application Data\SUPERAntiSpyware.com
2007-11-16 22:51:12 81984 --a------ C:\WINDOWS\system32\mbgkmuoe.dll
2007-11-16 22:51:04 85056 --a------ C:\WINDOWS\system32\sfegumxg.dll
2007-11-16 16:28:53 677920 ---hs---- C:\WINDOWS\system32\bvfjwrva.ini2
2007-11-16 16:28:15 85056 --a------ C:\WINDOWS\system32\avrwjfvb.dll
2007-11-16 16:25:18 81984 --a------ C:\WINDOWS\system32\hufekjbk.dll
2007-11-16 15:02:41 320 ---hs---- C:\WINDOWS\system32\uwabc.ini2
2007-11-16 14:24:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-16 13:05:52 0 d-------- C:\Program Files\Lavasoft
2007-11-16 13:05:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-16 13:04:37 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-16 09:13:37 0 d-------- C:\Program Files\Yahoo!
2007-11-16 09:11:42 0 d-------- C:\Program Files\CCleaner
2007-11-15 19:25:27 38912 --a------ C:\WINDOWS\system32\ssqoopn.dll
2007-11-15 19:24:20 35840 --a------ C:\WINDOWS\17PHolmes572.exe
2007-11-15 19:23:33 38912 --a------ C:\WINDOWS\system32\qomkjif.dll
2007-11-15 19:20:25 38912 --a------ C:\WINDOWS\system32\khfdcdd.dll
2007-11-15 19:19:43 0 d-------- C:\WINDOWS\system32\B1B3BBB6B6BDBEB
2007-11-15 19:19:42 35840 --a------ C:\WINDOWS\mrofinu1000106.exe
2007-11-15 19:19:24 0 d-------- C:\WINDOWS\system32\n8
2007-11-15 19:19:24 0 d-------- C:\WINDOWS\system32\i2
2007-11-15 19:19:24 0 d-------- C:\WINDOWS\system32\g2
2007-11-15 19:19:24 0 d-------- C:\WINDOWS\system32\e1
2007-11-15 19:19:22 0 d-------- C:\WINDOWS\system32\a1
2007-11-15 19:19:15 0 d-------- C:\WINDOWS\system32\rMa01yy
2007-11-15 19:19:14 0 d-------- C:\Temp
2007-11-15 15:27:39 0 d-------- C:\Documents and Settings\Elizabeth\Application Data\Thinstall
2007-10-22 09:38:35 0 d-------- C:\WINDOWS\system32\URTTemp


-- Find3M Report ---------------------------------------------------------------

2007-11-19 14:34:18 0 d-------- C:\Program Files\Java
2007-11-19 14:27:32 0 d-------- C:\Program Files\Trend Micro
2007-11-19 14:08:07 0 d-------- C:\Program Files\Online Services
2007-11-18 11:10:37 0 d-------- C:\Program Files\Ares
2007-11-17 14:55:26 0 d-------- C:\Program Files\Messenger
2007-11-16 13:04:37 0 d-------- C:\Program Files\Common Files
2007-11-13 02:43:47 0 d-------- C:\Program Files\MenuPro
2007-11-05 18:10:32 0 d-------- C:\Documents and Settings\Elizabeth\Application Data\Adobe
2007-11-05 12:05:30 0 d-------- C:\Program Files\AIM Gadgets
2007-10-30 03:35:32 0 d-------- C:\Program Files\Common Files\AOL
2007-10-29 19:22:37 0 d-------- C:\Program Files\Sony Handheld
2007-10-29 19:21:15 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-19 09:15:31 0 d-------- C:\Program Files\The Weather Channel Toolbar
2007-10-19 09:14:29 0 d-------- C:\Program Files\The Weather Channel FW
2007-10-16 17:06:41 0 d-------- C:\Program Files\Sierra Wireless
2007-10-16 17:04:59 0 d-------- C:\Program Files\Sprint


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0DCF7E1B-E1BE-426C-A5B2-7518498E7202}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{244F19A6-5CE1-4320-B8B7-3DAE1DC2AAEC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D063EEF-7169-4E77-94BF-0F687D0EDC9E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{71EF0655-85FF-4822-835E-A149BA17FBC8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72D1C699-7197-4C97-A9B0-854AFF3E9AB2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7635C333-FCB0-4F11-9597-D89FB4F83372}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90BDADB9-0546-4FF7-A5E2-F6B6046BEAA4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DCA2C042-518E-48D4-8EBE-0EAA9095430F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [11/07/2003 08:21 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [04/27/2004 11:10 PM]
"Mouse Suite 98 Daemon"="ICO.EXE" []
"SonyPowerCfg"="C:\Program Files\Sony\VAIO Power Management\SPMgr.exe" [12/12/2003 01:03 AM]
"HKSERV.EXE"="C:\Program Files\Sony\HotKey Utility\HKserv.exe" [02/13/2004 01:01 AM]
"VAIO Update 2"="C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" [01/17/2004 05:36 AM]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [08/20/2002 01:29 PM]
"VAIOSurvey"="c:\program files\sony\vaio survey\surveysa.exe" [11/03/2003 01:55 PM]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [04/20/2003 12:08 AM]
"HostManager"="C:\Program Files\Common Files\AOL\1159491388\ee\AOLSoftware.exe" [05/09/2006 07:24 PM]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [02/17/2006 11:59 AM]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [05/22/2003 08:03 AM]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [04/08/2003 11:45 AM]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [12/17/2002 10:40 AM]
"HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [05/22/2003 07:55 AM]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [05/07/2003 12:56 AM]
"Trend Micro AntiVirus 2007"="C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" [07/05/2007 07:09 PM]
"0D0F171212191A151"="44464E494950514.exe" []
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [10/15/2004 07:40 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [10/01/2007 04:40 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [03/16/2007 06:51 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [12/30/2006 2:12:08 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efccded]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geeed.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"




-- Hosts -----------------------------------------------------------------------

127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com

7487 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-11-22 10:13:00 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.80GHz
Percentage of Memory in Use: 66%
Physical Memory (total/avail): 446.98 MiB / 149.05 MiB
Pagefile Memory (total/avail): 1057.36 MiB / 667.82 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1950.33 MiB

C: is Fixed (NTFS) - 15.01 GiB total, 4.32 GiB free.
D: is Fixed (NTFS) - 35.87 GiB total, 28.85 GiB free.
E: is Removable (No Media)
F: is CDROM (No Media)

\\.\PHYSICALDRIVE1 - MemoryStick or MemoryStickPro Device

\\.\PHYSICALDRIVE0 - IC25N060ATMR04-0 - 55.89 GiB - 3 partitions
\PARTITION0 - Unknown - 5.01 GiB
\PARTITION1 (bootable) - Installable File System - 15.01 GiB - C:
\PARTITION2 - Extended w/Extended Int 13 - 35.87 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FW: Sygate Personal Firewall v4.6 (Sygate Technologies, Inc.)
AV: Trend Micro AntiVirus - Virus Protection v15.10.2002 (Trend Micro, Inc.) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\xloader10181.exe"="C:\\Program Files\\xloader10181.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\printer.exe"="C:\\WINDOWS\\system32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\spoolvs.exe"="C:\\WINDOWS\\system32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Elizabeth\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Elizabeth\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1159491388\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1159491388\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1159491388\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1159491388\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares"
"C:\\Program Files\\xloader10181.exe"="C:\\Program Files\\xloader10181.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\printer.exe"="C:\\WINDOWS\\system32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\spoolvs.exe"="C:\\WINDOWS\\system32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\shell.exe"="C:\\WINDOWS\\shell.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Elizabeth\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Elizabeth\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\rskqdopo.exe"="C:\\WINDOWS\\system32\\rsk"
"C:\\WINDOWS\\system32\\fyadcvos.exe"="C:\\WINDOWS\\system32\\fya"
"C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\arveclwp.exe"="C:\\WINDOWS\\system32\\arv"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Elizabeth\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=VAIO
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Elizabeth
LOGONSERVER=\\VAIO
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI Control Panel
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ELIZAB~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ELIZAB~1\LOCALS~1\Temp
USERDOMAIN=VAIO
USERNAME=Elizabeth
USERPROFILE=C:\Documents and Settings\Elizabeth
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Elizabeth (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AOL Uninstaller (Choose which Products to Remove) --> C:\Program Files\Common Files\AOL\uninstaller.exe
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
DVgate Plus --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{685BCC47-B8EC-45EC-BBCE-77DF2451502C}\setup.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HotKey Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BB311F54-39D6-4A03-8E18-053D1B2833D7}\setup.exe" -l0x9
HP Memories Disc --> MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
HP Software Update --> MsiExec.exe /X{6FA269F8-38CB-4DF7-AA0D-36E3CE789485}
InterVideo WinDVD 5 for VAIO --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
Java 2 Runtime Environment, SE v1.4.2_01 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142010}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
LAN-Express AS IEEE 802.11 Wireless LAN --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FCCB0B43-7A6D-49A4-A5B3-B10F592F4EB6}\Setup.exe" -l0x9
LiveUpdate 1.90 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Memory Stick Formatter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{27337663-2619-11D4-99DC-0000F49094C7}\setup.exe" -l0x9 /UNINSTALL
MenuPro --> C:\WINDOWS\uninst.exe -f"C:\Program Files\MenuPro\DeIsL1.isu" -c"C:\Program Files\MenuPro\_ISREG32.DLL"
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
Mozilla Firefox (2.0.0.6) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MyHeritage Family Tree Builder --> C:\Program Files\MyHeritage\Bin\Uninstall.exe
OpenMG Limited Patch 3.4-03-12-16-01 --> C:\Program Files\Common Files\Sony Shared\OpenMG\HotFixes\HotFix3.4-03-12-16-01\HotFixSetup\setup.exe /u
OpenMG Secure Module 3.4.00 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{657DD6DA-B07B-40FF-9DBD-2116F7E83CF6}\Setup.exe" -l0x9 UNINSTALL
Photosmart 140,240,7200,7600,7700,7900 Series --> C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\setup\hpzscr01.exe -datfile hphscr01.dat
PictureGear Studio 2.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88DA0A52-3372-4803-971A-ADFB961707E8}\setup.exe"
Scripture Memory System Screen Saver --> C:\WINDOWS\Scripture Memory System.scr /u
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
SoftV92 Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_10B9&DEV_5457&SUBSYS_8175104D\HXFSETUP.EXE -U -IVEN_10B9&DEV_5457&SUBSYS_8175104D
SonicStage 2.0.02 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{71D6CE84-B7DC-4166-8E0D-56C1C37BFB5A}\setup.exe" -l0x9 UNINSTALL
Sony Certificate PCH --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0448678-1203-4158-A58F-B3D0B616BF9E}\setup.exe"
Sony Notebook Setup --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{936FADC9-C609-471A-B6F2-A33E2E660D1A}\setup.exe" -l0x9
Sony USB Mouse --> Pmuninst.exe MouseSuite98
Sony Utilities DLL --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EF3D45BB-2260-4008-88EA-492E7744A9DF}\setup.exe" -l0x9
Sony Video Shared Library --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6990A2BF-D1D2-11D3-81BC-00609789C908}\setup.exe"
Sony XBRITE Screen Saver --> "C:\Program Files\Sony\Sony XBRITE Screen Saver\unwise.exe" /A "C:\Program Files\Sony\Sony XBRITE Screen Saver\install.log" Uninstall Sony XBRITE Screen Saver
Sprint Mobile Broadband (Sierra) --> MsiExec.exe /I{6DCBB845-0FA4-4723-A40A-1F320C221C30}
Spy Sweeper --> "C:\Program Files\Webroot\Spy Sweeper\unins000.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Sygate Personal Firewall --> MsiExec.exe /I{F34D9A5F-484A-4E31-A9D3-908CB265B289}
The Weather Channel Toolbar --> C:\PROGRA~1\THEWEA~2\UNWISE.EXE C:\PROGRA~1\THEWEA~2\twcINSTALL.LOG
Trend Micro AntiVirus --> MsiExec.exe /X{71E4D679-20AB-41E9-A350-D5BF92088FFE}
USB MP3 Player WIN98 Drivers --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MP3\U-MP3\Uninst.isu"
VAIO Entertainment Platform --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D917FD82-6CE5-489A-AAF8-C701AAC85C4D}\Setup.exe" -l0x9
VAIO Help and Support --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{E68B38DE-D7DD-4FB3-A453-3F03A947EA8E}
VAIO Media 3.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1EB317D8-8945-4FD6-B37F-DF470317C6AB}\Setup.exe" -l0x9 UNINSTALL
VAIO Media Integrated Server 3.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A79D11B-FD82-4A5E-834F-20173515DD14}\setup.exe" -l0x9 UNINSTALL
VAIO Media Redistribution 3.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7128C69B-8F7E-4336-8698-3FD3CDD955EC}\Setup.exe" -l0x9 UNINSTALL
VAIO Power Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{545DB151-1514-4FFC-BF2F-FE8FBBD06987}\setup.exe" -l0x9
VAIO Registration --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{315BA29D-2644-4760-B5FD-5AC04A52B8C5}
VAIO SLIT-C Screen Saver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{01AF4645-78E6-46C4-B528-54863679CC40}\setup.exe" -l0x9
VAIO SLIT Pattern Wallpaper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{266AEE68-5718-4A31-BDD3-D356B1250C70}\setup.exe" -l0x9
VAIO Survey Standalone --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{FA11D5B5-7D0A-43E8-88C4-960F97B194DE}
VAIO Update 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48820099-ED7D-424B-890C-9A82EF00656C}\setup.exe" -l0x9
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Weather Services --> C:\WINDOWS\system32\control.exe C:\PROGRA~1\THEWEA~1\Framework\wxfw.cpl,4
Welcome to VAIO life --> "C:\Program Files\Sony\Welcome to VAIO life\unwise.exe" /A "C:\Program Files\Sony\Welcome to VAIO life\install.log" Uninstall Welcome to VAIO life


-- Application Event Log -------------------------------------------------------

Event Record #/Type2858 / Error
Event Submitted/Written: 11/19/2007 11:31:40 AM
Event ID/Source: 1015 / Winlogon
Event Description:
A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code 00000000. The machine
must now be restarted.

Event Record #/Type2827 / Error
Event Submitted/Written: 11/17/2007 00:33:37 PM
Event ID/Source: 1001 / Application Hang
Event Description:
Fault bucket 126637809.

Event Record #/Type2826 / Error
Event Submitted/Written: 11/17/2007 00:33:13 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2820 / Error
Event Submitted/Written: 11/17/2007 00:00:56 PM
Event ID/Source: 1001 / Application Error
Event Description:
Fault bucket 399353249.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Event Record #/Type2819 / Error
Event Submitted/Written: 11/17/2007 00:00:50 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application desktopweather.exe, version 5.2.0.1, faulting module unknown, version 0.0.0.0, fault address 0x64616572.
Processing media-specific event for [desktopweather.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type16559 / Error
Event Submitted/Written: 11/22/2007 09:59:42 AM
Event ID/Source: 7022 / Service Control Manager
Event Description:
The Automatic Updates service hung on starting.

Event Record #/Type16558 / Error
Event Submitted/Written: 11/22/2007 09:59:42 AM
Event ID/Source: 7022 / Service Control Manager
Event Description:
The Windows Firewall/Internet Connection Sharing (ICS) service hung on starting.

Event Record #/Type16557 / Error
Event Submitted/Written: 11/22/2007 09:59:42 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Ati HotKey Poller service failed to start due to the following error:
%%2

Event Record #/Type16516 / Warning
Event Submitted/Written: 11/19/2007 08:32:47 PM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 000E9B428FAD. The IP address being used is 169.254.145.66.

Event Record #/Type16493 / Error
Event Submitted/Written: 11/19/2007 08:25:25 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Ati HotKey Poller service failed to start due to the following error:
%%2



-- End of Deckard's System Scanner: finished at 2007-11-22 10:13:00 ------------

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:12:53 AM

Posted 22 November 2007 - 10:53 AM

First temporarily disable SpySweeper as it will interfere:
http://wiki.castlecops.com/Malware_Removal...toring_Programs

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths inside the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\system32\eyvoyaon.dll
C:\WINDOWS\system32\qihilllh.dll
C:\WINDOWS\system32\ypvobkmt.exe
C:\WINDOWS\system32\ifsgfjdk.dll
C:\WINDOWS\system32\arveclwp.exe
C:\WINDOWS\system32\oupurcsy.dll
C:\WINDOWS\system32\kfbhigca.dll
C:\WINDOWS\system32\fnxtycji.exe
C:\WINDOWS\system32\mbgkmuoe.dll
C:\WINDOWS\system32\sfegumxg.dll
C:\WINDOWS\system32\bvfjwrva.ini2
C:\WINDOWS\system32\avrwjfvb.dll
C:\WINDOWS\system32\hufekjbk.dll
C:\WINDOWS\system32\uwabc.ini2
C:\WINDOWS\system32\ssqoopn.dll
C:\WINDOWS\17PHolmes572.exe
C:\WINDOWS\system32\qomkjif.dll
C:\WINDOWS\system32\khfdcdd.dll
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\system32\B1B3BBB6B6BDBEB
C:\WINDOWS\system32\n8
C:\WINDOWS\system32\i2
C:\WINDOWS\system32\g2
C:\WINDOWS\system32\e1
C:\WINDOWS\system32\a1
C:\WINDOWS\system32\rMa01yy

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button Posted Image

Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.


Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktopPosted Imageand agree to merge the imformation into the registry,then restart your pc.

REGEDIT4
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{244F19A6-5CE1-4320-B8B7-3DAE1DC2AAEC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D063EEF-7169-4E77-94BF-0F687D0EDC9E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{71EF0655-85FF-4822-835E-A149BA17FBC8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72D1C699-7197-4C97-A9B0-854AFF3E9AB2}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7635C333-FCB0-4F11-9597-D89FB4F83372}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90BDADB9-0546-4FF7-A5E2-F6B6046BEAA4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DCA2C042-518E-48D4-8EBE-0EAA9095430F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"0D0F171212191A151"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efccded]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\printer.exe"=-
"C:\\WINDOWS\\system32\\spoolvs.exe"=-
"C:\\WINDOWS\\shell.exe"=-
"%windir%\\system32\\winav.exe"=-
"C:\\WINDOWS\\system32\\rskqdopo.exe"=-
"C:\\WINDOWS\\system32\\fyadcvos.exe"=-
"C:\\WINDOWS\\system32\\arveclwp.exe"=-
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\printer.exe"=-
"C:\\WINDOWS\\system32\\spoolvs.exe"=-
"C:\\WINDOWS\\shell.exe"=-
"%windir%\\system32\\winav.exe"=-


Also post a new Hijackthis log.

Edited by RichieUK, 22 November 2007 - 11:00 AM.

Posted Image
Posted Image

#7 JWUequine08

JWUequine08
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Rhode Island
  • Local time:06:53 PM

Posted 23 November 2007 - 02:32 PM

Richie, I have done all of the above...here are the results from OTMoveIt:

DllUnregisterServer procedure not found in C:\WINDOWS\system32\eyvoyaon.dll
C:\WINDOWS\system32\eyvoyaon.dll NOT unregistered.
C:\WINDOWS\system32\eyvoyaon.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\qihilllh.dll
C:\WINDOWS\system32\qihilllh.dll NOT unregistered.
C:\WINDOWS\system32\qihilllh.dll moved successfully.
C:\WINDOWS\system32\ypvobkmt.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ifsgfjdk.dll
C:\WINDOWS\system32\ifsgfjdk.dll NOT unregistered.
C:\WINDOWS\system32\ifsgfjdk.dll moved successfully.
C:\WINDOWS\system32\arveclwp.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\oupurcsy.dll
C:\WINDOWS\system32\oupurcsy.dll NOT unregistered.
C:\WINDOWS\system32\oupurcsy.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\kfbhigca.dll
C:\WINDOWS\system32\kfbhigca.dll NOT unregistered.
C:\WINDOWS\system32\kfbhigca.dll moved successfully.
C:\WINDOWS\system32\fnxtycji.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\mbgkmuoe.dll
C:\WINDOWS\system32\mbgkmuoe.dll NOT unregistered.
C:\WINDOWS\system32\mbgkmuoe.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\sfegumxg.dll
C:\WINDOWS\system32\sfegumxg.dll NOT unregistered.
C:\WINDOWS\system32\sfegumxg.dll moved successfully.
C:\WINDOWS\system32\bvfjwrva.ini2 moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\avrwjfvb.dll
C:\WINDOWS\system32\avrwjfvb.dll NOT unregistered.
C:\WINDOWS\system32\avrwjfvb.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\hufekjbk.dll
C:\WINDOWS\system32\hufekjbk.dll NOT unregistered.
C:\WINDOWS\system32\hufekjbk.dll moved successfully.
C:\WINDOWS\system32\uwabc.ini2 moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ssqoopn.dll
C:\WINDOWS\system32\ssqoopn.dll NOT unregistered.
C:\WINDOWS\system32\ssqoopn.dll moved successfully.
C:\WINDOWS\17PHolmes572.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\qomkjif.dll
C:\WINDOWS\system32\qomkjif.dll NOT unregistered.
C:\WINDOWS\system32\qomkjif.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\khfdcdd.dll
C:\WINDOWS\system32\khfdcdd.dll NOT unregistered.
C:\WINDOWS\system32\khfdcdd.dll moved successfully.
C:\WINDOWS\mrofinu1000106.exe moved successfully.
Folder move failed. C:\WINDOWS\system32\B1B3BBB6B6BDBEB\8C8E96919198999 scheduled to be moved on reboot.
C:\WINDOWS\system32\B1B3BBB6B6BDBEB moved successfully.
C:\WINDOWS\system32\n8 moved successfully.
C:\WINDOWS\system32\i2 moved successfully.
C:\WINDOWS\system32\g2 moved successfully.
C:\WINDOWS\system32\e1 moved successfully.
C:\WINDOWS\system32\a1 moved successfully.
C:\WINDOWS\system32\rMa01yy moved successfully.

Created on 11/23/2007 14:12:35


Here is my latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:32:06 PM, on 11/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cleanmgr.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\AOL\1159491388\ee\AOLSoftware.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0DCF7E1B-E1BE-426C-A5B2-7518498E7202} - (no file)
O2 - BHO: (no name) - {244F19A6-5CE1-4320-B8B7-3DAE1DC2AAEC} - (no file)
O2 - BHO: (no name) - {2C80EAD3-74CD-4700-83A4-AA878CD1C03C} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D063EEF-7169-4E77-94BF-0F687D0EDC9E} - (no file)
O2 - BHO: (no name) - {71EF0655-85FF-4822-835E-A149BA17FBC8} - (no file)
O2 - BHO: (no name) - {72D1C699-7197-4C97-A9B0-854AFF3E9AB2} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7635C333-FCB0-4F11-9597-D89FB4F83372} - (no file)
O2 - BHO: (no name) - {90BDADB9-0546-4FF7-A5E2-F6B6046BEAA4} - (no file)
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINDOWS\system32\TwcToolbarBho.dll
O2 - BHO: (no name) - {DCA2C042-518E-48D4-8EBE-0EAA9095430F} - (no file)
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [SonyPowerCfg] "C:\Program Files\Sony\VAIO Power Management\SPMgr.exe"
O4 - HKLM\..\Run: [HKSERV.EXE] "C:\Program Files\Sony\HotKey Utility\HKserv.exe"
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [VAIOSurvey] "c:\program files\sony\vaio survey\surveysa.exe"
O4 - HKLM\..\Run: [VAIO Recovery] "C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1159491388\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [IPHSend] "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
O4 - HKLM\..\Run: [HPHUPD05] "C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] "C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" -1 --delay 15
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Compone...EngineQuery.dll
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://www.shockwave.com/content/dinerdash...tg.1.0.0.33.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 11400 bytes


I think I may be enjoying this process a little too much...the war against malware lol...Everday I ask myself..."I wonder what Richie will want me to do today?" hahahaha I can't wait for my computer to be clean...then I can say I did it myself, with the help of my friends at bleepingcomputer, of course! ;)

Edited by JWUequine08, 23 November 2007 - 02:37 PM.


#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:12:53 AM

Posted 23 November 2007 - 05:48 PM

Disable SpySweeper again,and leave it disabled while we've done:
http://wiki.castlecops.com/Malware_Removal...toring_Programs

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {0DCF7E1B-E1BE-426C-A5B2-7518498E7202} - (no file)
O2 - BHO: (no name) - {244F19A6-5CE1-4320-B8B7-3DAE1DC2AAEC} - (no file)
O2 - BHO: (no name) - {2C80EAD3-74CD-4700-83A4-AA878CD1C03C} - (no file)
O2 - BHO: (no name) - {6D063EEF-7169-4E77-94BF-0F687D0EDC9E} - (no file)
O2 - BHO: (no name) - {71EF0655-85FF-4822-835E-A149BA17FBC8} - (no file)
O2 - BHO: (no name) - {72D1C699-7197-4C97-A9B0-854AFF3E9AB2} - (no file)
O2 - BHO: (no name) - {7635C333-FCB0-4F11-9597-D89FB4F83372} - (no file)
O2 - BHO: (no name) - {90BDADB9-0546-4FF7-A5E2-F6B6046BEAA4} - (no file)
O2 - BHO: (no name) - {DCA2C042-518E-48D4-8EBE-0EAA9095430F} - (no file)
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)

Exit Hijackthis.

We can now run Combofix.
Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Disconnect from the Internet.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
*Note*
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix,please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.
Posted Image
Posted Image

#9 JWUequine08

JWUequine08
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Rhode Island
  • Local time:06:53 PM

Posted 23 November 2007 - 07:11 PM

Here is the log from ComboFix:

ComboFix 07-11-19.3 - Elizabeth 2007-11-23 18:55:58.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.201 [GMT -5:00]
Running from: C:\Documents and Settings\Elizabeth\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Elizabeth\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Elizabeth\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Elizabeth\Favorites\Online Security Guide.lnk
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\setup.exe
C:\WINDOWS\system32\azip32.dll
C:\WINDOWS\system32\pac.txt

.
((((((((((((((((((((((((( Files Created from 2007-10-24 to 2007-11-24 )))))))))))))))))))))))))))))))
.

2007-11-22 10:10 <DIR> d-------- C:\Deckard
2007-11-19 14:34 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-19 14:33 5,387 --a------ C:\WINDOWS\system32\jupdate-1.6.0_03-b05.log
2007-11-19 09:29 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-11-18 14:37 414 ---hs---- C:\WINDOWS\system32\noayovye.ini
2007-11-18 13:39 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-11-18 13:39 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-11-18 13:39 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-11-18 13:38 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-11-18 13:38 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-11-18 13:37 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-11-18 13:35 <DIR> d-------- C:\Program Files\Sygate
2007-11-17 13:04 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-11-17 13:03 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-11-17 13:03 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-11-17 13:03 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-11-17 13:03 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-11-17 13:02 <DIR> d-------- C:\Program Files\Webroot
2007-11-17 13:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-11-17 13:02 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2007-11-17 13:02 164 --a------ C:\install.dat
2007-11-17 12:37 <DIR> d-------- C:\Documents and Settings\Elizabeth\Application Data\Webroot
2007-11-17 11:46 <DIR> d-------- C:\Documents and Settings\Elizabeth\.housecall6.6
2007-11-17 11:34 294 ---hs---- C:\WINDOWS\system32\yscrupuo.ini
2007-11-16 23:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-11-16 23:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sony Corporation
2007-11-16 22:56 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-16 22:56 <DIR> d-------- C:\Documents and Settings\Elizabeth\Application Data\SUPERAntiSpyware.com
2007-11-16 22:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-16 22:51 354 ---hs---- C:\WINDOWS\system32\gxmugefs.ini
2007-11-16 19:47 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-16 16:28 354 ---hs---- C:\WINDOWS\system32\bvfjwrva.ini
2007-11-16 14:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-16 13:05 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-16 13:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-16 13:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-16 09:13 <DIR> d-------- C:\Program Files\Yahoo!
2007-11-16 09:11 <DIR> d-------- C:\Program Files\CCleaner
2007-11-15 19:19 <DIR> d-------- C:\Temp\abW9
2007-11-15 19:19 <DIR> d-------- C:\Temp
2007-11-15 19:19 38,912 --a------ C:\WINDOWS\system32\EFCCDED.DLL.vir
2007-11-15 15:27 <DIR> d-------- C:\Documents and Settings\Elizabeth\Application Data\Thinstall

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-19 19:34 --------- d-----w C:\Program Files\Java
2007-11-19 19:30 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-19 19:27 --------- d-----w C:\Program Files\Trend Micro
2007-11-18 16:10 --------- d-----w C:\Program Files\Ares
2007-11-13 07:43 --------- d-----w C:\Program Files\MenuPro
2007-11-05 17:05 --------- d-----w C:\Program Files\AIM Gadgets
2007-10-30 08:35 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-30 00:22 --------- d-----w C:\Program Files\Sony Handheld
2007-10-30 00:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-19 14:15 --------- d-----w C:\Program Files\The Weather Channel Toolbar
2007-10-19 14:14 --------- d-----w C:\Program Files\The Weather Channel FW
2007-10-16 22:06 --------- d-----w C:\Program Files\Sierra Wireless
2007-10-16 22:04 --------- d-----w C:\Program Files\Sprint
2007-10-06 21:38 12,358 -c--a-w C:\WINDOWS\system32\drivers\tmfilter.cat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2007-03-16 06:51]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2003-11-07 20:21]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-27 23:10]
"Mouse Suite 98 Daemon"="ICO.EXE" []
"SonyPowerCfg"="C:\Program Files\Sony\VAIO Power Management\SPMgr.exe" [2003-12-12 01:03]
"HKSERV.EXE"="C:\Program Files\Sony\HotKey Utility\HKserv.exe" [2004-02-13 01:01]
"VAIO Update 2"="C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" [2004-01-17 05:36]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 13:29]
"VAIOSurvey"="c:\program files\sony\vaio survey\surveysa.exe" [2003-11-03 13:55]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 00:08]
"HostManager"="C:\Program Files\Common Files\AOL\1159491388\ee\AOLSoftware.exe" [2006-05-09 19:24]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 11:59]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-22 08:03]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-04-08 11:45]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 10:40]
"HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [2003-05-22 07:55]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-05-07 00:56]
"Trend Micro AntiVirus 2007"="C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" [2007-07-05 19:09]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"

R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\WINDOWS\system32\Drivers\SSFS0BB9.SYS
R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
S3 SWMX00;Sierra Wireless USB MUX Driver (#00);C:\WINDOWS\system32\DRIVERS\swmx00.sys
S3 SWNC5E00;Sierra Wireless MUX NDIS Driver (#00);C:\WINDOWS\system32\DRIVERS\SWNC5E00.sys
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM

.
Contents of the 'Scheduled Tasks' folder
"2007-11-23 23:59:46 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
"2007-11-24 00:00:13 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-23 19:00:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-23 19:03:58 - machine was rebooted
.
--- E O F ---


Here is the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:05:23 PM, on 11/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cleanmgr.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\AOL\1159491388\ee\AOLSoftware.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\hphmon05.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINDOWS\system32\TwcToolbarBho.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [SonyPowerCfg] "C:\Program Files\Sony\VAIO Power Management\SPMgr.exe"
O4 - HKLM\..\Run: [HKSERV.EXE] "C:\Program Files\Sony\HotKey Utility\HKserv.exe"
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [VAIOSurvey] "c:\program files\sony\vaio survey\surveysa.exe"
O4 - HKLM\..\Run: [VAIO Recovery] "C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe"
O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1159491388\ee\AOLSoftware.exe"
O4 - HKLM\..\Run: [IPHSend] "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
O4 - HKLM\..\Run: [HPHUPD05] "C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] "C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" -1 --delay 15
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Compone...EngineQuery.dll
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://www.shockwave.com/content/dinerdash...tg.1.0.0.33.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10503 bytes




I am happy to report that after ComboFix finished, the fake "Online Security" icons were removed from both my desktop and start menu...yaaaay!

Edited by JWUequine08, 23 November 2007 - 07:12 PM.


#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:12:53 AM

Posted 24 November 2007 - 02:46 AM

Please double-click OTMoveIt.exe to run it.
Copy the file paths inside the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\system32\noayovye.ini
C:\WINDOWS\system32\yscrupuo.ini
C:\WINDOWS\system32\gxmugefs.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\bvfjwrva.ini
C:\Temp\abW9
C:\WINDOWS\system32\EFCCDED.DLL.vir

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button Posted Image

Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)


Your log is clean :thumbsup:
If all's ok,please do the following:

Please double-click OTMoveIt.exe to run it.
Click on the 'Cleanup' button Posted Image
When you do this a text file named cleanup.txt will be downloaded from the internet.
If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.
When the 'Confirm' box appears click 'Yes'.
Restart your pc when prompted.

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.

If you use Opera browser,do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window,click on the 'Create a Restore Point' button,then click 'Next'.
In the window that appears,enter a description\name for the Restore Point,then click on 'Create',wait,then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear,click on Ok.
The 'Disk Cleanup for [C:]' box will appear,click on the 'More Options' tab.
At the bottom in the 'System Restore' window,click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?',click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

You should take the time to read and follow the information found in the links below,to help you prevent any possible future infections and stay safe and secure while online:

Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

How to prevent Malware:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

So how did I get infected in the first place:
http://forums.spybot.info/showthread.php?t=279

Malware Cleanup Programs and Preventative Procedures:
http://russelltexas.com/malware/allclear.htm

Edited by RichieUK, 24 November 2007 - 02:49 AM.

Posted Image
Posted Image

#11 JWUequine08

JWUequine08
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Rhode Island
  • Local time:06:53 PM

Posted 24 November 2007 - 11:24 AM

Here are the results from OTMoveIt:

C:\WINDOWS\system32\noayovye.ini moved successfully.
C:\WINDOWS\system32\yscrupuo.ini moved successfully.
C:\WINDOWS\system32\gxmugefs.ini moved successfully.
C:\WINDOWS\system32\mcrh.tmp moved successfully.
C:\WINDOWS\system32\bvfjwrva.ini moved successfully.
C:\Temp\abW9 moved successfully.
C:\WINDOWS\system32\EFCCDED.DLL.vir moved successfully.

Created on 11/24/2007 11:21:27

Okay, I finished everything up until Disk Cleanup...it does not have a "more options" tab on the first window that shows up when I start it, so I figured maybe I should just select my drive, and choose cleanup and then I might have more options...but instead of cleaning up, the program just went away...? I think this happened before also, maybe it is a result of the nasty malware/virus? I have CCleaner downloaded on my laptop, would you recommend using that?

In regards to exactly what the disk cleanup was supposed to do, (clean up previous restore points so I do not restore to an infected state?) when I was aware that I had an infection, I disabled the active monitoring on both drives for system restore, at which point it told me that all previous restore points would be deleted, which was FINNNNE with me! lol

Edited by JWUequine08, 24 November 2007 - 11:48 AM.


#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:12:53 AM

Posted 24 November 2007 - 02:30 PM

In regards to exactly what the disk cleanup was supposed to do, (clean up previous restore points so I do not restore to an infected state?) when I was aware that I had an infection, I disabled the active monitoring on both drives for system restore, at which point it told me that all previous restore points would be deleted, which was FINNNNE with me! lol

Great,make sure you turn it back on now then.
:thumbsup:
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users