
Virtumonde, Trojans, & Rootkits


13 replies to this topic

#1 ekxero

  • Members
  • 23 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:35 PM

Posted 13 April 2008 - 11:14 PM

Hello, a few days ago I found out my computer got infected with a Trojan. I ran a Spy Sweeper scan, a Windows Defender scan, and an Ad-Aware scan, but using that last one resulted in a Blue Screen crash. I may have manually removed some malware myself (I was extremely careful), but I need help to properly remove all the remaining infected files from the registry and system. Can you tell me what to do from here?

Here's my HijackThis log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:10:02 AM, on 4/14/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\System32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Sony\Network Utility\LANUtil.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\EKXERO\Documents\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe,
O1 - Hosts: ::1 localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {EF33BD6C-796F-43A7-B3B4-EE68CA4E01A2} - C:\Windows\system32\nnnlkKcc.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [ISBMgr.exe] "C:\Program Files\Sony\ISB Utility\ISBMgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [NSUFloatingUI] "C:\Program Files\Sony\Network Utility\LANUtil.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Users\EKXERO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Users\EKXERO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM04\aim.exe
O13 - Gopher Prefix:
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - C:\Windows\
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NSUService - Sony Corporation - C:\Program Files\Sony\Network Utility\NSUService.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - C:\Windows\
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - C:\Windows\
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Media Content Collection (VAIOMediaPlatform-UCLS-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\UCLS.exe
O23 - Service: VAIO Media Content Collection (HTTP) (VAIOMediaPlatform-UCLS-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Content Collection (UPnP) (VAIOMediaPlatform-UCLS-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Content Metadata Intelligent Analyzing Manager (VcmIAlzMgr) - Sony Corporation - C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe
O23 - Service: VAIO Content Metadata XML Interface (VcmXmlIfHelper) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10199 bytes

Thank you very kindly for your help!
If ignorance is bliss, then knock the smile off my face.


#2 rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:03:35 AM

Posted 14 April 2008 - 07:12 AM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
Download ComboFix to your Desktop.
Double-click combofix.exe.
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.

Post that in your next reply with a fresh HijackThis log.

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 ekxero

  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:35 PM

Posted 14 April 2008 - 01:06 PM

Thanks for the quick reply Charles! I did as you said.

ComboFix 08-04-13.3 - EKXERO 2008-04-14 13:30:13.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.167 [GMT -4:00]
Running from: C:\Users\EKXERO\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\conf.inf
C:\Windows\default.htm
C:\Windows\Installer\id53.exe
C:\Windows\ky.sxc
C:\Windows\mscon.sio
C:\Windows\System32\ccKklnnn.ini
C:\Windows\System32\ccKklnnn.ini2
C:\Windows\system32\nnnlkKcc.dll
C:\Windows\system32\winfrun32.bin
C:\Windows\system32\x64

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_PortProxy


((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))
.

2008-04-14 13:52 . 2008-04-14 13:52 <DIR> d-------- C:\Users\EKXERO\WPDNSE
2008-04-14 13:52 . 2008-04-14 13:52 <DIR> d--hs---- C:\Users\EKXERO\59082f71b9b646d7a879a062ae98b792
2008-04-14 13:44 . 2008-04-14 13:44 60,416 --a------ C:\Perflib_Perfdata__755
2008-04-14 13:44 . 2008-04-14 13:44 0 --a------ C:\Perflib_Perfdata__754
2008-04-13 19:45 . 2008-04-13 19:45 294 ---hs---- C:\Windows\System32\vwuirrrf.ini
2008-04-13 03:52 . 2008-04-13 03:52 32 --ahs---- C:\Windows\System32\{99F86071-B91B-4F2E-AD19-23948930A2AF}.dat
2008-04-13 03:52 . 2008-04-13 03:52 32 --ahs---- C:\Windows\System32\{216E7746-1938-486F-885B-C1286C6CFC86}.dat
2008-04-13 03:52 . 2008-04-13 03:52 32 --ahs---- C:\Windows\{30980A65-E098-4257-9B5B-4907277DA6C1}.dat
2008-04-13 03:52 . 2008-04-13 03:52 32 --ahs---- C:\Windows\{02AB36D7-01EE-4F07-8AF0-5240402CB36C}.dat
2008-04-13 03:15 . 2008-04-13 03:15 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-13 00:38 . 2008-04-13 17:42 <DIR> d-------- C:\Users\All Users\Symantec(74)
2008-04-13 00:38 . 2008-04-13 17:42 <DIR> d-------- C:\ProgramData\Symantec(74)
2008-04-13 00:18 . 2008-04-13 00:18 0 --a------ C:\Users\EKXERO\AppData\Roaming\wklnhst.dat
2008-04-11 17:26 . 2008-04-13 18:02 <DIR> d-------- C:\Windows\Temp(607)
2008-04-11 16:46 . 2008-04-11 16:47 <DIR> d-------- C:\Program Files\Share Cracker
2008-04-11 15:01 . 2008-04-11 15:01 <DIR> d-------- C:\Windows\ServiceProfiles\LocalService\TfsStore
2008-04-11 13:59 . 2008-04-13 20:03 <DIR> d-------- C:\Program Files\Ace Utilities
2008-04-11 13:11 . 2008-04-11 13:14 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-04-11 13:11 . 2008-04-11 13:14 <DIR> d-------- C:\ProgramData\Lavasoft
2008-04-11 13:11 . 2008-04-11 13:11 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-11 05:18 . 2008-04-11 15:48 <DIR> d-------- C:\Program Files\!KillBox
2008-04-11 03:53 . 2008-04-13 20:36 <DIR> d-------- C:\Users\All Users\SecTaskMan
2008-04-11 03:53 . 2008-04-13 20:36 <DIR> d-------- C:\ProgramData\SecTaskMan
2008-04-11 03:52 . 2008-04-13 19:47 <DIR> d-------- C:\Program Files\Security Task Manager
2008-04-11 02:28 . 2008-04-11 02:28 <DIR> d-------- C:\Users\EKXERO\AppData\Roaming\Uniblue
2008-04-10 16:28 . 2008-04-10 16:28 <DIR> d-------- C:\Users\EKXERO\AppData\Roaming\Roxio
2008-04-10 16:28 . 2008-04-10 16:28 <DIR> d-------- C:\Users\All Users\Roxio
2008-04-10 16:28 . 2008-04-10 16:28 <DIR> d-------- C:\ProgramData\Roxio
2008-04-10 15:51 . 2008-04-10 15:51 <DIR> d-------- C:\Program Files\DAEMON Tools
2008-04-10 15:40 . 2008-04-10 15:40 682,232 --a------ C:\Windows\System32\drivers\sptd.sys
2008-04-09 14:13 . 2008-04-09 14:13 944,184 --a------ C:\Windows\System32\winload.exe
2008-04-09 14:13 . 2008-04-09 14:13 620,088 --a------ C:\Windows\System32\ci.dll
2008-04-09 14:13 . 2008-04-09 14:13 371,712 --a------ C:\Windows\System32\srcore.dll
2008-04-09 14:13 . 2008-04-09 14:13 313,856 --a------ C:\Windows\System32\rstrui.exe
2008-04-09 14:13 . 2008-04-09 14:13 40,960 --a------ C:\Windows\System32\srclient.dll
2008-04-09 14:13 . 2008-04-09 14:13 19,000 --a------ C:\Windows\System32\kd1394.dll
2008-04-09 14:13 . 2008-04-09 14:13 16,384 --a------ C:\Windows\System32\srdelayed.exe
2008-04-09 14:13 . 2008-04-09 14:13 7,168 --a------ C:\Windows\System32\f3ahvoas.dll
2008-04-09 14:13 . 2008-04-09 14:13 6,656 --a------ C:\Windows\System32\kbd106n.dll
2008-04-09 14:11 . 2008-04-09 14:11 2,027,008 --a------ C:\Windows\System32\win32k.sys
2008-04-09 14:10 . 2008-04-09 14:10 296,448 --a------ C:\Windows\System32\gdi32.dll
2008-04-09 14:06 . 2008-04-09 14:06 83,968 --a------ C:\Windows\System32\dnsrslvr.dll
2008-04-09 14:06 . 2008-04-09 14:06 24,576 --a------ C:\Windows\System32\dnscacheugc.exe
2008-04-09 14:01 . 2008-04-09 14:01 826,368 --a------ C:\Windows\System32\wininet.dll
2008-04-09 14:00 . 2008-04-09 14:00 1,831,424 --a------ C:\Windows\System32\inetcpl.cpl
2008-04-09 14:00 . 2008-04-09 14:00 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-04-09 14:00 . 2008-04-09 14:00 56,320 --a------ C:\Windows\System32\iesetup.dll
2008-04-09 14:00 . 2008-04-09 14:00 26,624 --a------ C:\Windows\System32\ieUnatt.exe
2008-04-09 13:58 . 2008-04-09 13:58 99,840 --a------ C:\Windows\System32\poqexec.exe
2008-04-09 01:54 . 2008-04-13 20:05 <DIR> d-------- C:\Users\EKXERO\AppData\Roaming\uTorrent
2008-04-09 01:54 . 2008-04-09 01:54 <DIR> d-------- C:\Program Files\uTorrent
2008-04-08 17:42 . 2008-04-08 17:42 <DIR> d-------- C:\Program Files\AIM04
2008-04-08 17:39 . 2008-04-11 14:05 <DIR> d-------- C:\Users\EKXERO\AppData\Roaming\Aim
2008-04-08 01:39 . 2008-04-13 19:34 <DIR> d-------- C:\Users\EKXERO\AppData\Roaming\Winamp
2008-04-08 01:39 . 2008-04-08 01:41 <DIR> d-------- C:\Program Files\Winamp
2008-04-06 01:25 . 2008-04-06 01:25 <DIR> d-------- C:\Program Files\DivX2.5.3
2008-04-06 01:04 . 2008-04-06 01:04 <DIR> d-------- C:\Users\All Users\ashampoo
2008-04-06 01:04 . 2008-04-06 01:04 <DIR> d-------- C:\ProgramData\ashampoo
2008-04-06 01:03 . 2008-04-13 19:34 <DIR> d-------- C:\Program Files\Ashampoo
2008-04-05 03:16 . 2008-04-05 03:16 194,560 --a------ C:\Windows\System32\WebClnt.dll
2008-04-05 03:16 . 2008-04-05 03:16 110,080 --a------ C:\Windows\System32\drivers\mrxdav.sys
2008-04-05 03:13 . 2008-04-05 03:13 803,328 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-04-05 03:13 . 2008-04-05 03:13 216,632 --a------ C:\Windows\System32\drivers\netio.sys
2008-04-05 03:13 . 2008-04-05 03:13 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-04-05 03:13 . 2008-04-05 03:13 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-04-05 03:13 . 2008-04-05 03:13 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-04-05 03:12 . 2008-04-05 03:12 1,327,104 --a------ C:\Windows\System32\quartz.dll
2008-04-05 03:12 . 2008-04-05 03:12 223,232 --a------ C:\Windows\System32\WMASF.DLL
2008-04-05 03:12 . 2008-04-05 03:12 9,728 --a------ C:\Windows\System32\LAPRXY.DLL
2008-04-05 03:12 . 2008-04-05 03:12 2,048 --a------ C:\Windows\System32\asferror.dll
2008-04-05 03:11 . 2008-04-05 03:11 11,776 --a------ C:\Windows\System32\sbunattend.exe
2008-04-05 03:10 . 2008-04-05 03:10 130,048 --a------ C:\Windows\System32\drivers\srv2.sys
2008-04-05 03:10 . 2008-04-05 03:10 101,888 --a------ C:\Windows\System32\drivers\mrxsmb.sys
2008-04-05 03:10 . 2008-04-05 03:10 84,992 --a------ C:\Windows\System32\drivers\srvnet.sys
2008-04-05 03:10 . 2008-04-05 03:10 58,368 --a------ C:\Windows\System32\drivers\mrxsmb20.sys
2008-04-05 03:09 . 2008-04-05 03:09 3,504,824 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-04-05 03:09 . 2008-04-05 03:09 3,470,520 --a------ C:\Windows\System32\ntoskrnl.exe
2008-04-05 03:08 . 2008-04-05 03:08 2,048 --a------ C:\Windows\System32\tzres.dll
2008-04-04 03:34 . 2008-04-04 03:34 <DIR> d-------- C:\Poker Application
2008-04-04 02:03 . 2008-04-04 02:03 <DIR> d-------- C:\Users\EKXERO\AppData\Roaming\Talkback
2008-04-04 02:02 . 2008-04-04 02:02 0 --a------ C:\Windows\nsreg.dat
2008-04-04 01:56 . 2008-04-04 01:56 1,712,984 --a------ C:\Windows\System32\wuaueng.dll
2008-04-04 01:56 . 2008-04-04 01:56 1,524,224 --a------ C:\Windows\System32\wucltux.dll
2008-04-04 01:56 . 2008-04-04 01:56 53,080 --a------ C:\Windows\System32\wuauclt.exe
2008-04-04 01:56 . 2008-04-04 01:56 43,352 --a------ C:\Windows\System32\wups2.dll
2008-04-04 01:55 . 2008-04-04 01:55 549,720 --a------ C:\Windows\System32\wuapi.dll
2008-04-04 01:55 . 2008-04-04 01:55 163,000 --a------ C:\Windows\System32\wuwebv.dll
2008-04-04 01:55 . 2008-04-04 01:55 80,896 --a------ C:\Windows\System32\wudriver.dll
2008-04-04 01:55 . 2008-04-04 01:55 33,624 --a------ C:\Windows\System32\wups.dll
2008-04-04 01:55 . 2008-04-04 01:55 31,232 --a------ C:\Windows\System32\wuapp.exe
2008-04-03 12:18 . 2008-04-03 12:18 <DIR> d-------- C:\Users\EKXERO\AppData\Roaming\Webroot
2008-04-03 12:16 . 2008-04-03 12:16 <DIR> dr------- C:\Users\EKXERO\Searches
2008-04-03 12:16 . 2008-04-03 12:16 <DIR> dr------- C:\Users\EKXERO\Contacts
2008-04-03 12:13 . 2008-04-03 12:16 <DIR> dr------- C:\Users\EKXERO\Videos
2008-04-03 12:13 . 2008-04-03 12:52 <DIR> dr------- C:\Users\EKXERO\Saved Games
2008-04-03 12:13 . 2008-04-09 19:20 <DIR> dr------- C:\Users\EKXERO\Pictures
2008-04-03 12:13 . 2008-04-03 12:16 <DIR> dr------- C:\Users\EKXERO\Music
2008-04-03 12:13 . 2008-04-03 12:16 <DIR> dr------- C:\Users\EKXERO\Links
2008-04-03 12:13 . 2008-04-14 00:09 <DIR> dr------- C:\Users\EKXERO\Downloads
2008-04-03 12:13 . 2008-04-14 00:09 <DIR> dr------- C:\Users\EKXERO\Documents

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 02:12 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-13 23:34 --------- d-----w C:\ProgramData\FLEXnet
2008-04-13 23:34 --------- d-----w C:\Program Files\Windows Mail
2008-04-13 23:34 --------- d-----w C:\Program Files\Crackle
2008-04-13 07:16 --------- d-----w C:\ProgramData\Microsoft Help
2008-04-11 19:48 --------- d-----w C:\Program Files\!KillBox
2008-04-10 20:27 --------- d-----w C:\ProgramData\Sonic
2008-04-06 04:50 --------- d-----w C:\ProgramData\Sony Corporation
2008-04-05 07:25 --------- d-----w C:\Program Files\Windows Sidebar
2008-04-05 07:14 54,784 ----a-w C:\Windows\system32\drivers\i8042prt.sys
2008-04-05 07:14 495,160 ----a-w C:\Windows\system32\drivers\Wdf01000.sys
2008-04-05 07:14 35,384 ----a-w C:\Windows\system32\drivers\WdfLdr.sys
2008-04-05 07:14 35,384 ----a-w C:\Windows\system32\drivers\kbdclass.sys
2008-04-05 07:14 34,360 ----a-w C:\Windows\system32\drivers\mouclass.sys
2008-04-05 07:14 19,968 ----a-w C:\Windows\system32\drivers\sermouse.sys
2008-04-05 07:14 15,872 ----a-w C:\Windows\system32\drivers\mouhid.sys
2008-04-05 07:14 15,872 ----a-w C:\Windows\system32\drivers\kbdhid.sys
2008-04-03 16:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-31 17:48 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AOLOverlayIcon]
@={AB0C8BE3-041C-47d6-8195-E089D32B38DD}

[HKEY_CLASSES_ROOT\CLSID\{AB0C8BE3-041C-47d6-8195-E089D32B38DD}]
2007-10-05 13:54 303104 --a------ C:\DDI\overicon.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-10-30 23:56 1006264]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007-09-19 08:20 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007-09-19 08:19 154136]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2007-09-19 08:20 137752]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2007-06-08 08:35 118784]
"ISBMgr.exe"="C:\Program Files\Sony\ISB Utility\ISBMgr.exe" [2007-09-19 14:09 311296]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-10-31 14:20 77824]
"RtHDVCpl"="RtHDVCpl.exe" []
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-07-27 20:29 5086008]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-09-11 12:38:44 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
VESWinlogon.dll 2007-08-14 23:05 98304 C:\Windows\System32\VESWinlogon.dll

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=C:\Windows\pss\Adobe Acrobat Speed Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
backup=C:\Windows\pss\Adobe Acrobat Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\c:^users^ekxero^appdata^roaming^microsoft^windows^start menu^programs^startup^bat - auto update.lnk]
path=C:\Users\EKXERO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bat - Auto Update.lnk
backup=C:\Windows\pss\Bat - Auto Update.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^EKXERO^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=C:\Windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2006-10-23 03:24 620152 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 06:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\microsoft windows installer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msserver]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2007-07-27 20:29 5086008 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Center Access Bar]
--a------ 2007-09-06 18:38 53248 c:\program files\sony\VAIO Center Access Bar\VCAB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Help and Support Demo]
--a------ 2007-08-27 20:54 290816 C:\Program Files\Sony\VAIO Help and Support Demo\LaunchVHSD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIORegistration]
--a------ 2007-10-17 17:40 20480 C:\Program Files\Sony\First Experience\WelcomeLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSurvey]
--a------ 2007-07-20 19:30 577536 C:\Program Files\Sony\VAIO Survey\Vista VAIO Survey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VWLASU]
--a------ 2007-10-12 19:29 45056 C:\Program Files\Sony\VAIO PC Wireless LAN Wizard\AutoLaunchWLASU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winampagent]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{5DAC28EA-6BCA-42E2-AA58-F96CFE909535}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{9EB920A5-F7DA-46F5-AC0E-CC606009CFF6}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{490366D1-167D-47C6-8335-248E282CFD66}"= Disabled:UDP:C:\Program Files\Sony\VAIO Media 6.0\Vc.exe:[VAIO Media] VAIO Media
"{8EC206C4-3177-4F7B-AFE9-52A3E6711048}"= Disabled:TCP:C:\Program Files\Sony\VAIO Media 6.0\Vc.exe:[VAIO Media] VAIO Media
"{3061F112-3633-481F-827E-D7AE11DD7703}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{71167967-2192-487A-8A1B-873446090E23}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{FD01A9F2-EB2E-4884-A25C-CFAAC314DDCA}"= Disabled:UDP:C:\Program Files\Sony\LocationFreePlayer\LFPC3\LFPC3.exe:LocationFree Player
"{DA833C6E-D78D-4FC0-9E60-975FF6B64759}"= Disabled:TCP:C:\Program Files\Sony\LocationFreePlayer\LFPC3\LFPC3.exe:LocationFree Player

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R2 NSUService;NSUService;"C:\Program Files\Sony\Network Utility\NSUService.exe" [2007-09-20 13:23]
R2 regi;regi;C:\Windows\system32\drivers\regi.sys [2007-04-18 00:09]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2007-09-19 08:24]
R3 athr;Atheros Extensible Wireless LAN device driver;C:\Windows\system32\DRIVERS\athr.sys [2007-10-28 08:28]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-09-19 08:19]
R3 SFEP;Sony Firmware Extension Parser;C:\Windows\system32\DRIVERS\SFEP.sys [2007-08-28 21:58]
R3 ti21sony;ti21sony;C:\Windows\system32\drivers\ti21sony.sys [2007-06-05 08:17]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2007-09-19 08:24]
S3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;C:\Program Files\Sony\VAIO Media Integrated Server\UCLS.exe [2007-01-10 20:51]
S3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);"C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-UCLS-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\UCLS\HTTP" []
S3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [2007-08-09 04:51]
S3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;"C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe" [2007-09-29 00:11]
S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;"C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe" [2007-09-20 21:52]
S4 MSSysInterv1;MSSysInterv;C:\Windows\gkpaxt.exe service []

*Newly Created Service* - IPNAT
.
**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
SystemRoot\System32\smss.exe [532]
C:\Windows\system32\csrss.exe [608]
C:\Windows\System32\wininit.exe [652]
C:\Windows\system32\csrss.exe [664]
C:\Windows\system32\services.exe [696]
C:\Windows\system32\lsass.exe [708]
C:\Windows\system32\lsm.exe [716]
C:\Windows\System32\winlogon.exe [792]
C:\Windows\system32\svchost.exe [908]
C:\Windows\system32\svchost.exe [964]
C:\Windows\System32\svchost.exe [1020]
C:\Windows\System32\svchost.exe [1104]
C:\Windows\System32\svchost.exe [1136]
C:\Windows\system32\svchost.exe [1164]
C:\Windows\system32\SLsvc.exe [1308]
C:\Windows\system32\svchost.exe [1372]
C:\Windows\system32\svchost.exe [1520]
C:\Windows\System32\spoolsv.exe [1704]
C:\Windows\system32\svchost.exe [1732]
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe [1980]
C:\Program Files\Sony\Network Utility\NSUService.exe [2008]
C:\Windows\system32\svchost.exe [564]
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [668]
C:\Windows\system32\svchost.exe [1444]
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe [1840]
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe [2056]
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe [2092]
C:\Windows\System32\svchost.exe [2264]
C:\Windows\system32\SearchIndexer.exe [2304]
C:\Windows\system32\DRIVERS\xaudio.exe [2336]
C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe [2372]
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe [2432]
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe [2544]
C:\Windows\system32\WUDFHost.exe [2644]
C:\Windows\system32\igfxext.exe [2756]
C:\Windows\system32\igfxsrvc.exe [2792]
C:\Windows\System32\taskeng.exe [2952]
C:\Windows\System32\alg.exe [3016]
C:\Windows\system32\Dwm.exe [3264]
C:\Windows\System32\taskeng.exe [3292]
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe [4032]
C:\Windows\System32\CF22592.exe [2672]
C:\Program Files\Windows Defender\MSASCui.exe [3280]
C:\Windows\System32\hkcmd.exe [3560]
C:\Windows\System32\igfxpers.exe [3588]
C:\Program Files\Apoint\Apoint.exe [3628]
C:\Program Files\Sony\ISB Utility\ISBMgr.exe [3636]
C:\Program Files\Java\jre1.6.0\bin\jusched.exe [3644]
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe [3664]
C:\Windows\system32\igfxsrvc.exe [3728]
C:\Program Files\Apoint\ApMsgFwd.exe [3748]
C:\Program Files\Apoint\Apntex.exe [2680]
C:\?\C:\Windows\system32\wbem\WMIADAP.EXE [3516]
C:\Windows\system32\wbem\wmiprvse.exe [3820]
C:\Windows\system32\wbem\wmiprvse.exe [3896]
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE [1248]
C:\Windows\Explorer.exe [3688]
C:\Windows\system32\SearchProtocolHost.exe [3360]
C:\Windows\system32\DllHost.exe [2136]
C:\Windows\system32\SearchFilterHost.exe [1404]
C:\ComboFix\catchme.cfexe [844]
.
**************************************************************************
.
Completion time: 2008-04-14 13:55:03 - machine was rebooted [EKXERO]
ComboFix-quarantined-files.txt 2008-04-14 17:54:02

Pre-Run: 126,430,461,952 bytes free
Post-Run: 126,078,980,096 bytes free
.
2008-04-09 18:15:48 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:00:20 PM, on 4/14/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\System32\taskeng.exe
C:\Windows\System32\CF22592.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Windows\Explorer.exe
C:\Windows\System32\notepad.exe
C:\ComboFix\handle.cfexe
C:\ComboFix\sed.cfexe
C:\Windows\System32\mobsync.exe
C:\Users\EKXERO\Documents\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [ISBMgr.exe] "C:\Program Files\Sony\ISB Utility\ISBMgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Users\EKXERO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Users\EKXERO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM04\aim.exe
O13 - Gopher Prefix:
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - C:\Windows\
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NSUService - Sony Corporation - C:\Program Files\Sony\Network Utility\NSUService.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - C:\Windows\
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - C:\Windows\
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Media Content Collection (VAIOMediaPlatform-UCLS-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\UCLS.exe
O23 - Service: VAIO Media Content Collection (HTTP) (VAIOMediaPlatform-UCLS-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Content Collection (UPnP) (VAIOMediaPlatform-UCLS-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Content Metadata Intelligent Analyzing Manager (VcmIAlzMgr) - Sony Corporation - C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe
O23 - Service: VAIO Content Metadata XML Interface (VcmXmlIfHelper) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9716 bytes
If ignorance is bliss, then knock the smile off my face.

#4 rookie147

rookie147

  • Members
  • 5,321 posts
  • Local time:03:35 AM

Posted 15 April 2008 - 03:18 PM

One more log for me, please:

Download AVG Anti-Spyware to your Desktop.
Start the set-up program by double clicking the installer.
Follow the on screen instructions to install the program, making sure that "Launch AVG Anti-Spyware" is checked.
Click the Update tab then select Start update; a progress bar will show the updates being installed.
Now press the Scanner icon, and click the Settings tab.
Click Recommended actions, then set it to Quarantine.
Close the programme now; we will scan with it later on.

Reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Launch AVG Anti-Spyware by double clicking the icon on your Desktop.
Press the Scanner icon.
Then click on the Complete System Scan button.
If any infections are found, you will be asked for an action; select Apply all actions.
Now press the Reports icon at the top.
Choose Save report as and save the text file to your Desktop.


Please post this log in your next reply with a new Combofix log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#5 ekxero

ekxero
  • Topic Starter

  • Members
  • 23 posts
  • Gender:Male
  • Local time:10:35 PM

Posted 15 April 2008 - 09:33 PM

Hello and thanks again Charles. I'm having a problem installing AVG on my computer. During the setup, the AVG Installer recommends that I download and install Windows Vista Patch Update KB929547. I verified my genuine copy of Windows, then I downloaded the patch. But during the installation of the update it fails to install and it does not give me a reason why. The AVG Installer says if I continue the installation without this patch I will experience significant system slowdown and serious problems with internet accessibility. I tried again to install the Vista update and it fails to install. Right now I am contacting Microsoft Support and they are trying to help me properly install this update.

Edited by ekxero, 16 April 2008 - 01:47 PM.

If ignorance is bliss, then knock the smile off my face.

#6 rookie147

rookie147

  • Members
  • 5,321 posts
  • Local time:03:35 AM

Posted 16 April 2008 - 04:24 PM

No worries, we'll run another scanner instead.
Please run Panda's ActiveScan.
Once you are on the Panda site, click the Scan your PC button.
A new window will open, click the Check Now button.
Enter your personal details.
Click the big Scan Now button.
It will ask to install various content - please allow this.
It will start downloading the files it requires for the scan, which may take a while.
When download is complete, click on Local Disks to start the scan.
When the scan has finished - if anything malicious is found - click the See Report button.
Click Save Report and save the file to your Desktop, so you can post this log in your next reply.

If you are pleased with the service I have offered, you may like to consider making a donation.


#7 ekxero

ekxero
  • Topic Starter

  • Members
  • 23 posts
  • Gender:Male
  • Local time:10:35 PM

Posted 17 April 2008 - 06:02 AM

Ok, I did as you said. Looks like there are still plenty of remnants of malware left on my PC.

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-04-17 06:48:00
PROTECTIONS: 1
MALWARE: 23
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Windows Defender 1.1.3408.0 No No
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00048239 adware/adlogix Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5FA6752A-C4A0-4222-88C2-928AE5AB4966}
00096188 spyware/searchcentrix Spyware No 1 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4E1075F4-EEC4-4a86-ADD7-CD5F52858C31}
00106761 adware/123mania Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9C5B2F29-1F46-4639-A6B4-828942301D3E}
00106761 adware/123mania Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15651C7C-E812-44A2-A9AC-B467A2233E7D}
00106761 adware/123mania Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{622CC208-B014-4FE0-801B-874A5E5E403A}
00135099 adware/powerstrip Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{965A592F-8EFA-4250-8630-7960230792F1}
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Users\EKXERO\AppData\Roaming\Mozilla\Firefox\Profiles\xx57qdgs.default\cookies.txt[.doubleclick.net/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Users\EKXERO\AppData\Roaming\Mozilla\Firefox\Profiles\xx57qdgs.default\cookies.txt[.atdmt.com/]
00139535 Application/Processor HackTools No 0 Yes No C:\Users\EKXERO\Downloads\Safety\Caution\SmitfraudFix.zip[SmitfraudFix/Process.exe]
00139535 Application/Processor HackTools No 0 Yes No C:\Users\EKXERO\Documents\SmitfraudFix\SmitfraudFix\Process.exe
00139535 Application/Processor HackTools No 0 No No C:\Users\EKXERO\Downloads\Safety\Caution\SDFix.exe[SDFix\apps\Process.exe]
00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Users\EKXERO\AppData\Roaming\Mozilla\Firefox\Profiles\xx57qdgs.default\cookies.txt[.tradedoubler.com/]
00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Users\EKXERO\AppData\Roaming\Mozilla\Firefox\Profiles\xx57qdgs.default\cookies.txt[.tradedoubler.com/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Users\EKXERO\AppData\Roaming\Mozilla\Firefox\Profiles\xx57qdgs.default\cookies.txt[.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Users\EKXERO\AppData\Roaming\Mozilla\Firefox\Profiles\xx57qdgs.default\cookies.txt[.fastclick.net/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Users\EKXERO\AppData\Roaming\Mozilla\Firefox\Profiles\xx57qdgs.default\cookies.txt[.tribalfusion.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Users\EKXERO\AppData\Roaming\Mozilla\Firefox\Profiles\xx57qdgs.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Users\EKXERO\AppData\Roaming\Mozilla\Firefox\Profiles\xx57qdgs.default\cookies.txt[ad.yieldmanager.com/]
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Users\EKXERO\AppData\Roaming\Mozilla\Firefox\Profiles\xx57qdgs.default\cookies.txt[.apmebf.com/]
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Users\EKXERO\AppData\Roaming\Mozilla\Firefox\Profiles\xx57qdgs.default\cookies.txt[.apmebf.com/]
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Users\EKXERO\AppData\Roaming\Mozilla\Firefox\Profiles\xx57qdgs.default\cookies.txt[.burstnet.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Users\EKXERO\AppData\Roaming\Mozilla\Firefox\Profiles\xx57qdgs.default\cookies.txt[.advertising.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Users\EKXERO\AppData\Roaming\Mozilla\Firefox\Profiles\xx57qdgs.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Users\EKXERO\AppData\Roaming\Mozilla\Firefox\Profiles\xx57qdgs.default\cookies.txt[.realmedia.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Users\EKXERO\AppData\Roaming\Mozilla\Firefox\Profiles\xx57qdgs.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Users\EKXERO\AppData\Roaming\Mozilla\Firefox\Profiles\xx57qdgs.default\cookies.txt[.zedo.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Users\EKXERO\AppData\Roaming\Mozilla\Firefox\Profiles\xx57qdgs.default\cookies.txt[.adrevolver.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Users\EKXERO\AppData\Roaming\Mozilla\Firefox\Profiles\xx57qdgs.default\cookies.txt[.adrevolver.com/]
00217430 adware/surfassistant Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5dafd089-24b1-4c5e-bd42-8ca72550717b}
00517584 Application/SuperFast HackTools No 0 Yes No C:\Users\EKXERO\Documents\SmitfraudFix\SmitfraudFix\restart.exe
00517584 Application/SuperFast HackTools No 0 Yes No C:\Users\EKXERO\Downloads\Safety\Caution\SmitfraudFix.zip[SmitfraudFix/restart.exe]
01176994 Bck/VB.XB Virus/Trojan No 0 Yes No C:\ComboFix\nircmd.cfexe
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\Users\EKXERO\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Users\EKXERO\Downloads\Safety\Caution\SmitfraudFix.zip[SmitfraudFix/Reboot.exe]
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Users\EKXERO\Documents\SmitfraudFix\SmitfraudFix\Reboot.exe
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\Perflib_Perfdata__755
02913315 Adware/Rabio Adware No 0 Yes No C:\Users\EKXERO\AppData\Local\Temp\SETUP_43528\Info.dll
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
184379 MEDIUM MS08-001
182048 HIGH MS07-069
;===================================================================================================================================================================================


and a new combofix log...


ComboFix 08-04-13.3 - EKXERO 2008-04-17 6:49:30.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.284 [GMT -4:00]
Running from: C:\Users\EKXERO\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-03-17 to 2008-04-17 )))))))))))))))))))))))))))))))
.

2008-04-17 06:50 . 2008-04-17 06:50 <DIR> d-------- C:\Users\EKXERO\WPDNSE
2008-04-16 23:36 . 2008-04-16 23:36 <DIR> d-------- C:\Program Files\Panda Security
2008-04-16 23:36 . 2008-04-16 23:36 1,745 --a------ C:\Windows\mozver.dat
2008-04-16 23:34 . 2008-04-16 23:35 <DIR> d-------- C:\Users\EKXERO\plugtmp
2008-04-16 01:12 . 2007-02-01 12:02 136,376 --a------ C:\Users\EKXERO\GLF9E17GLF9E17.EXE
2008-04-16 01:11 . 2007-02-01 12:02 136,376 --a------ C:\Users\EKXERO\GLF986GLF986.EXE
2008-04-16 01:06 . 2001-09-28 17:00 243,200 --a------ C:\Users\EKXERO\GLB1A2B.EXE
2008-04-16 01:06 . 2007-02-01 12:02 136,376 --a------ C:\Users\EKXERO\GLFA77AGLFA77A.EXE
2008-04-15 22:55 . 2008-04-15 22:55 <DIR> d-------- C:\Users\EKXERO\SxsTemp
2008-04-15 22:55 . 2008-04-15 22:55 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-15 22:55 . 2008-04-15 22:56 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-15 22:54 . 2008-04-15 22:54 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-04-15 22:54 . 2008-04-15 22:54 1,686,528 --a------ C:\Windows\System32\gameux.dll
2008-04-15 22:37 . 2008-04-15 22:37 <DIR> d-------- C:\Users\All Users\Windows Genuine Advantage
2008-04-14 13:44 . 2008-04-14 13:44 60,416 --a------ C:\Perflib_Perfdata__755
2008-04-14 13:44 . 2008-04-14 13:44 0 --a------ C:\Perflib_Perfdata__754
2008-04-13 19:45 . 2008-04-13 19:45 294 ---hs---- C:\Windows\System32\vwuirrrf.ini
2008-04-13 03:52 . 2008-04-13 03:52 32 --ahs---- C:\Windows\System32\{99F86071-B91B-4F2E-AD19-23948930A2AF}.dat
2008-04-13 03:52 . 2008-04-13 03:52 32 --ahs---- C:\Windows\System32\{216E7746-1938-486F-885B-C1286C6CFC86}.dat
2008-04-13 03:52 . 2008-04-13 03:52 32 --ahs---- C:\Windows\{30980A65-E098-4257-9B5B-4907277DA6C1}.dat
2008-04-13 03:52 . 2008-04-13 03:52 32 --ahs---- C:\Windows\{02AB36D7-01EE-4F07-8AF0-5240402CB36C}.dat
2008-04-13 03:15 . 2008-04-15 03:01 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-13 00:38 . 2008-04-13 17:42 <DIR> d-------- C:\Users\All Users\Symantec(74)
2008-04-13 00:38 . 2008-04-13 17:42 <DIR> d-------- C:\ProgramData\Symantec(74)
2008-04-13 00:18 . 2008-04-13 00:18 0 --a------ C:\Users\EKXERO\AppData\Roaming\wklnhst.dat
2008-04-11 17:26 . 2008-04-13 18:02 <DIR> d-------- C:\Windows\Temp(607)
2008-04-11 16:46 . 2008-04-11 16:47 <DIR> d-------- C:\Program Files\Share Cracker
2008-04-11 15:01 . 2008-04-11 15:01 <DIR> d-------- C:\Windows\ServiceProfiles\LocalService\TfsStore
2008-04-11 13:59 . 2008-04-13 20:03 <DIR> d-------- C:\Program Files\Ace Utilities
2008-04-11 13:11 . 2008-04-11 13:14 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-04-11 13:11 . 2008-04-11 13:14 <DIR> d-------- C:\ProgramData\Lavasoft
2008-04-11 13:11 . 2008-04-11 13:11 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-11 05:18 . 2008-04-11 15:48 <DIR> d-------- C:\Program Files\!KillBox
2008-04-11 03:53 . 2008-04-13 20:36 <DIR> d-------- C:\Users\All Users\SecTaskMan
2008-04-11 03:53 . 2008-04-13 20:36 <DIR> d-------- C:\ProgramData\SecTaskMan
2008-04-11 03:52 . 2008-04-13 19:47 <DIR> d-------- C:\Program Files\Security Task Manager
2008-04-11 02:28 . 2008-04-11 02:28 <DIR> d-------- C:\Users\EKXERO\AppData\Roaming\Uniblue
2008-04-10 16:28 . 2008-04-10 16:28 <DIR> d-------- C:\Users\EKXERO\AppData\Roaming\Roxio
2008-04-10 16:28 . 2008-04-10 16:28 <DIR> d-------- C:\Users\All Users\Roxio
2008-04-10 16:28 . 2008-04-10 16:28 <DIR> d-------- C:\ProgramData\Roxio
2008-04-10 15:51 . 2008-04-10 15:51 <DIR> d-------- C:\Program Files\DAEMON Tools
2008-04-10 15:40 . 2008-04-10 15:40 682,232 --a------ C:\Windows\System32\drivers\sptd.sys
2008-04-09 14:13 . 2008-04-09 14:13 944,184 --a------ C:\Windows\System32\winload.exe
2008-04-09 14:13 . 2008-04-09 14:13 620,088 --a------ C:\Windows\System32\ci.dll
2008-04-09 14:13 . 2008-04-09 14:13 371,712 --a------ C:\Windows\System32\srcore.dll
2008-04-09 14:13 . 2008-04-09 14:13 313,856 --a------ C:\Windows\System32\rstrui.exe
2008-04-09 14:13 . 2008-04-09 14:13 40,960 --a------ C:\Windows\System32\srclient.dll
2008-04-09 14:13 . 2008-04-09 14:13 19,000 --a------ C:\Windows\System32\kd1394.dll
2008-04-09 14:13 . 2008-04-09 14:13 16,384 --a------ C:\Windows\System32\srdelayed.exe
2008-04-09 14:13 . 2008-04-09 14:13 7,168 --a------ C:\Windows\System32\f3ahvoas.dll
2008-04-09 14:13 . 2008-04-09 14:13 6,656 --a------ C:\Windows\System32\kbd106n.dll
2008-04-09 14:11 . 2008-04-09 14:11 2,027,008 --a------ C:\Windows\System32\win32k.sys
2008-04-09 14:10 . 2008-04-09 14:10 296,448 --a------ C:\Windows\System32\gdi32.dll
2008-04-09 14:06 . 2008-04-09 14:06 83,968 --a------ C:\Windows\System32\dnsrslvr.dll
2008-04-09 14:06 . 2008-04-09 14:06 24,576 --a------ C:\Windows\System32\dnscacheugc.exe
2008-04-09 14:01 . 2008-04-09 14:01 826,368 --a------ C:\Windows\System32\wininet.dll
2008-04-09 14:00 . 2008-04-09 14:00 1,831,424 --a------ C:\Windows\System32\inetcpl.cpl
2008-04-09 14:00 . 2008-04-09 14:00 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-04-09 14:00 . 2008-04-09 14:00 56,320 --a------ C:\Windows\System32\iesetup.dll
2008-04-09 14:00 . 2008-04-09 14:00 26,624 --a------ C:\Windows\System32\ieUnatt.exe
2008-04-09 01:54 . 2008-04-13 20:05 <DIR> d-------- C:\Users\EKXERO\AppData\Roaming\uTorrent
2008-04-09 01:54 . 2008-04-09 01:54 <DIR> d-------- C:\Program Files\uTorrent
2008-04-08 17:42 . 2008-04-08 17:42 <DIR> d-------- C:\Program Files\AIM04
2008-04-08 17:39 . 2008-04-15 21:51 <DIR> d-------- C:\Users\EKXERO\AppData\Roaming\Aim
2008-04-08 01:39 . 2008-04-13 19:34 <DIR> d-------- C:\Users\EKXERO\AppData\Roaming\Winamp
2008-04-08 01:39 . 2008-04-08 01:41 <DIR> d-------- C:\Program Files\Winamp
2008-04-06 01:25 . 2008-04-06 01:25 <DIR> d-------- C:\Program Files\DivX2.5.3
2008-04-06 01:04 . 2008-04-06 01:04 <DIR> d-------- C:\Users\All Users\ashampoo
2008-04-06 01:04 . 2008-04-06 01:04 <DIR> d-------- C:\ProgramData\ashampoo
2008-04-06 01:03 . 2008-04-13 19:34 <DIR> d-------- C:\Program Files\Ashampoo
2008-04-05 03:16 . 2008-04-05 03:16 194,560 --a------ C:\Windows\System32\WebClnt.dll
2008-04-05 03:16 . 2008-04-05 03:16 110,080 --a------ C:\Windows\System32\drivers\mrxdav.sys
2008-04-05 03:13 . 2008-04-05 03:13 803,328 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-04-05 03:13 . 2008-04-05 03:13 216,632 --a------ C:\Windows\System32\drivers\netio.sys
2008-04-05 03:13 . 2008-04-05 03:13 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-04-05 03:13 . 2008-04-05 03:13 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-04-05 03:13 . 2008-04-05 03:13 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-04-05 03:12 . 2008-04-05 03:12 1,327,104 --a------ C:\Windows\System32\quartz.dll
2008-04-05 03:12 . 2008-04-05 03:12 223,232 --a------ C:\Windows\System32\WMASF.DLL
2008-04-05 03:12 . 2008-04-05 03:12 9,728 --a------ C:\Windows\System32\LAPRXY.DLL
2008-04-05 03:12 . 2008-04-05 03:12 2,048 --a------ C:\Windows\System32\asferror.dll
2008-04-05 03:11 . 2008-04-05 03:11 11,776 --a------ C:\Windows\System32\sbunattend.exe
2008-04-05 03:10 . 2008-04-05 03:10 130,048 --a------ C:\Windows\System32\drivers\srv2.sys
2008-04-05 03:10 . 2008-04-05 03:10 101,888 --a------ C:\Windows\System32\drivers\mrxsmb.sys
2008-04-05 03:10 . 2008-04-05 03:10 84,992 --a------ C:\Windows\System32\drivers\srvnet.sys
2008-04-05 03:10 . 2008-04-05 03:10 58,368 --a------ C:\Windows\System32\drivers\mrxsmb20.sys
2008-04-05 03:09 . 2008-04-05 03:09 3,504,824 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-04-05 03:09 . 2008-04-05 03:09 3,470,520 --a------ C:\Windows\System32\ntoskrnl.exe
2008-04-05 03:08 . 2008-04-05 03:08 2,048 --a------ C:\Windows\System32\tzres.dll
2008-04-04 03:34 . 2008-04-04 03:34 <DIR> d-------- C:\Poker Application
2008-04-04 02:03 . 2008-04-04 02:03 <DIR> d-------- C:\Users\EKXERO\AppData\Roaming\Talkback
2008-04-04 02:02 . 2008-04-04 02:02 0 --a------ C:\Windows\nsreg.dat
2008-04-04 01:56 . 2008-04-04 01:56 1,712,984 --a------ C:\Windows\System32\wuaueng.dll
2008-04-04 01:56 . 2008-04-04 01:56 1,524,224 --a------ C:\Windows\System32\wucltux.dll
2008-04-04 01:56 . 2008-04-04 01:56 53,080 --a------ C:\Windows\System32\wuauclt.exe
2008-04-04 01:56 . 2008-04-04 01:56 43,352 --a------ C:\Windows\System32\wups2.dll
2008-04-04 01:55 . 2008-04-04 01:55 549,720 --a------ C:\Windows\System32\wuapi.dll
2008-04-04 01:55 . 2008-04-04 01:55 163,000 --a------ C:\Windows\System32\wuwebv.dll
2008-04-04 01:55 . 2008-04-04 01:55 80,896 --a------ C:\Windows\System32\wudriver.dll
2008-04-04 01:55 . 2008-04-04 01:55 33,624 --a------ C:\Windows\System32\wups.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-16 04:26 --------- d-----w C:\Program Files\Windows Mail
2008-04-16 02:54 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-04-16 02:54 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-04-16 02:54 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-04-16 02:54 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-04-16 02:54 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-04-16 02:54 --------- d-----w C:\ProgramData\Microsoft Help
2008-04-14 02:12 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-13 23:34 --------- d-----w C:\ProgramData\FLEXnet
2008-04-13 23:34 --------- d-----w C:\Program Files\Crackle
2008-04-11 19:48 --------- d-----w C:\Program Files\!KillBox
2008-04-10 20:27 --------- d-----w C:\ProgramData\Sonic
2008-04-09 18:01 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-04-06 04:50 --------- d-----w C:\ProgramData\Sony Corporation
2008-04-05 07:25 --------- d-----w C:\Program Files\Windows Sidebar
2008-04-03 16:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-31 17:48 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AOLOverlayIcon]
@={AB0C8BE3-041C-47d6-8195-E089D32B38DD}

[HKEY_CLASSES_ROOT\CLSID\{AB0C8BE3-041C-47d6-8195-E089D32B38DD}]
2007-10-05 13:54 303104 --a------ C:\DDI\overicon.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-10-30 23:56 1006264]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007-09-19 08:20 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007-09-19 08:19 154136]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2007-09-19 08:20 137752]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2007-06-08 08:35 118784]
"ISBMgr.exe"="C:\Program Files\Sony\ISB Utility\ISBMgr.exe" [2007-09-19 14:09 311296]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-10-31 14:20 77824]
"RtHDVCpl"="RtHDVCpl.exe" [2007-09-01 10:08 4669440 C:\Windows\RtHDVCpl.exe]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-07-27 20:29 5086008]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-09-11 12:38:44 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
VESWinlogon.dll 2007-08-14 23:05 98304 C:\Windows\System32\VESWinlogon.dll

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=C:\Windows\pss\Adobe Acrobat Speed Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
backup=C:\Windows\pss\Adobe Acrobat Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\c:^users^ekxero^appdata^roaming^microsoft^windows^start menu^programs^startup^bat - auto update.lnk]
path=C:\Users\EKXERO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bat - Auto Update.lnk
backup=C:\Windows\pss\Bat - Auto Update.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^EKXERO^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=C:\Windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2006-10-23 03:24 620152 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 06:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\microsoft windows installer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msserver]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2007-07-27 20:29 5086008 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Center Access Bar]
--a------ 2007-09-06 18:38 53248 c:\program files\sony\VAIO Center Access Bar\VCAB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Help and Support Demo]
--a------ 2007-08-27 20:54 290816 C:\Program Files\Sony\VAIO Help and Support Demo\LaunchVHSD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIORegistration]
--a------ 2007-10-17 17:40 20480 C:\Program Files\Sony\First Experience\WelcomeLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSurvey]
--a------ 2007-07-20 19:30 577536 C:\Program Files\Sony\VAIO Survey\Vista VAIO Survey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VWLASU]
--a------ 2007-10-12 19:29 45056 C:\Program Files\Sony\VAIO PC Wireless LAN Wizard\AutoLaunchWLASU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winampagent]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{5DAC28EA-6BCA-42E2-AA58-F96CFE909535}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{9EB920A5-F7DA-46F5-AC0E-CC606009CFF6}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{490366D1-167D-47C6-8335-248E282CFD66}"= Disabled:UDP:C:\Program Files\Sony\VAIO Media 6.0\Vc.exe:[VAIO Media] VAIO Media
"{8EC206C4-3177-4F7B-AFE9-52A3E6711048}"= Disabled:TCP:C:\Program Files\Sony\VAIO Media 6.0\Vc.exe:[VAIO Media] VAIO Media
"{3061F112-3633-481F-827E-D7AE11DD7703}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{71167967-2192-487A-8A1B-873446090E23}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{FD01A9F2-EB2E-4884-A25C-CFAAC314DDCA}"= Disabled:UDP:C:\Program Files\Sony\LocationFreePlayer\LFPC3\LFPC3.exe:LocationFree Player
"{DA833C6E-D78D-4FC0-9E60-975FF6B64759}"= Disabled:TCP:C:\Program Files\Sony\LocationFreePlayer\LFPC3\LFPC3.exe:LocationFree Player

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R2 NSUService;NSUService;"C:\Program Files\Sony\Network Utility\NSUService.exe" [2007-09-20 13:23]
R2 regi;regi;C:\Windows\system32\drivers\regi.sys [2007-04-18 00:09]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2007-09-19 08:24]
R3 athr;Atheros Extensible Wireless LAN device driver;C:\Windows\system32\DRIVERS\athr.sys [2007-10-28 08:28]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-09-19 08:19]
R3 SFEP;Sony Firmware Extension Parser;C:\Windows\system32\DRIVERS\SFEP.sys [2007-08-28 21:58]
R3 ti21sony;ti21sony;C:\Windows\system32\drivers\ti21sony.sys [2007-06-05 08:17]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2007-09-19 08:24]
S3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;C:\Program Files\Sony\VAIO Media Integrated Server\UCLS.exe [2007-01-10 20:51]
S3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);"C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-UCLS-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\UCLS\HTTP" []
S3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [2007-08-09 04:51]
S3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;"C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe" [2007-09-29 00:11]
S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;"C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe" [2007-09-20 21:52]
S4 MSSysInterv1;MSSysInterv;C:\Windows\gkpaxt.exe service []

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-17 06:52:26
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-17 6:53:19
ComboFix-quarantined-files.txt 2008-04-17 10:53:11
ComboFix2.txt 2008-04-14 17:55:04

Pre-Run: 117,455,740,928 bytes free
Post-Run: 117,429,510,144 bytes free
.
2008-04-16 04:27:15 --- E O F ---

Edited by ekxero, 17 April 2008 - 06:07 AM.

If ignorance is bliss, then knock the smile off my face.

#8 rookie147

Posted 18 April 2008 - 03:31 PM

Sorry, can I have a new HJT log too, please?

If you are pleased with the service I have offered, you may like to consider making a donation.


#9 ekxero (Topic Starter)

Posted 18 April 2008 - 04:49 PM

No worries.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:43:33 PM, on 4/18/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\System32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Sony\Network Utility\LANUtil.exe
C:\Windows\Explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\EKXERO\Documents\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [ISBMgr.exe] "C:\Program Files\Sony\ISB Utility\ISBMgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Users\EKXERO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Users\EKXERO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM04\aim.exe
O13 - Gopher Prefix:
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - C:\Windows\
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NSUService - Sony Corporation - C:\Program Files\Sony\Network Utility\NSUService.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - C:\Windows\
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - C:\Windows\
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Media Content Collection (VAIOMediaPlatform-UCLS-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\UCLS.exe
O23 - Service: VAIO Media Content Collection (HTTP) (VAIOMediaPlatform-UCLS-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Content Collection (UPnP) (VAIOMediaPlatform-UCLS-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Content Metadata Intelligent Analyzing Manager (VcmIAlzMgr) - Sony Corporation - C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe
O23 - Service: VAIO Content Metadata XML Interface (VcmXmlIfHelper) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9508 bytes

#10 rookie147

Posted 19 April 2008 - 03:41 PM

Open Notepad - don't use any other text editor or the script will fail.
Copy and paste the text in the quote box below into the document:

File::
C:\Windows\System32\vwuirrrf.ini

Folder::
C:\Perflib_Perfdata__755

Registry::
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5FA6752A-C4A0-4222-88C2-928AE5AB4966}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4E1075F4-EEC4-4a86-ADD7-CD5F52858C31}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9C5B2F29-1F46-4639-A6B4-828942301D3E}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15651C7C-E812-44A2-A9AC-B467A2233E7D}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{622CC208-B014-4FE0-801B-874A5E5E403A}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{965A592F-8EFA-4250-8630-7960230792F1}]


Save this as a text file named CFScript.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below:

[screenshot: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again.
A new log will be created, which I would like to see in your reply.

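The CFScript above tells ComboFix what to remove; the decision of what goes into it comes from reading the ComboFix log sections posted earlier in the thread (Files Created, Reg Loading Points, and the R/S service lines). The following Python script is an added example, not part of this thread and not ComboFix's own logic: it parses those three line formats and flags the indicators a helper looks at first. The sample input is constructed from the thread's own log format and paths; the triage rules (a service whose binary ComboFix could not stat, `EnableLUA` set to 0, Security Center monitoring disabled, an executable directly in a profile root, tiny hidden+system files under the Windows directory) and the severity levels are this example's assumptions.

```python
"""Triage a ComboFix-style log excerpt for the indicators a helper reads first.

Added example, not part of the thread and not ComboFix's own logic. The rules
and severities below are this example's assumptions, not ComboFix output.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (severity, kind, reason)

# Constructed sample in the thread's log formats (paths taken from the logs above).
SAMPLE_LOG = r"""
2008-04-16 01:12 . 2007-02-01 12:02 136,376 --a------ C:\Users\EKXERO\GLF9E17GLF9E17.EXE
2008-04-13 03:52 . 2008-04-13 03:52 32 --ahs---- C:\Windows\System32\{99F86071-B91B-4F2E-AD19-23948930A2AF}.dat
2008-04-05 03:09 . 2008-04-05 03:09 3,470,520 --a------ C:\Windows\System32\ntoskrnl.exe
2008-04-09 01:54 . 2008-04-09 01:54 <DIR> d-------- C:\Program Files\uTorrent
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
R2 NSUService;NSUService;"C:\Program Files\Sony\Network Utility\NSUService.exe" [2007-09-20 13:23]
S3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);"C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-UCLS-HTTP []
S4 MSSysInterv1;MSSysInterv;C:\Windows\gkpaxt.exe service []
"""

# Line formats as they appear in the log: [key], "name"=value, service lines, Files Created.
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<cmd>.*?) ?\[(?P<info>[^\]]*)\]$"
)
# Only the 9-character attribute strings of the "Files Created" section are matched.
CREATED_RE = re.compile(
    r"^(?P<ctime>\d{4}-\d\d-\d\d \d\d:\d\d) \. \d{4}-\d\d-\d\d \d\d:\d\d "
    r"(?P<size>[\d,]+|<DIR>) (?P<attr>[-a-z]{9}) (?P<path>.+)$"
)
TRUSTED_DIRS = ("\\program files\\", "\\system32\\")   # assumption: lower-suspicion locations
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
PROFILE_ROOT_RE = re.compile(r"^c:\\users\\[^\\]+\\[^\\]+$")  # C:\Users\<name>\<file>


def check_registry_value(key: str, name: str, value: str) -> List[Finding]:
    out: List[Finding] = []
    if name.lower() == "enablelua" and value.strip().startswith("0"):
        out.append(("high", "registry", f"UAC disabled: {name}={value} under {key}"))
    if name.lower() == "disablemonitoring" and value.lower().endswith("00000001"):
        out.append(("medium", "registry", f"Security Center monitoring disabled under {key}"))
    return out


def check_service(start: str, name: str, cmd: str, info: str) -> List[Finding]:
    # A non-empty bracket means ComboFix stat'ed the binary; an empty one means it could not.
    if info.strip():
        return []
    exe = cmd.strip().strip('"').lower()
    if any(d in exe for d in TRUSTED_DIRS):
        return [("low", "service", f"{name}: no file info for {cmd}; verify signer and path")]
    return [("high", "service",
             f"{name} ({start}): binary outside Program Files/System32 with no file info: {cmd}")]


def check_created_file(size: str, attr: str, path: str) -> List[Finding]:
    out: List[Finding] = []
    if size == "<DIR>":
        return out
    nbytes = int(size.replace(",", ""))
    low = path.lower()
    if low.endswith(EXEC_EXT) and PROFILE_ROOT_RE.match(low):
        out.append(("high", "file", f"executable directly in profile root: {path}"))
    if "h" in attr and "s" in attr and nbytes <= 64 and low.startswith("c:\\windows\\"):
        out.append(("medium", "file", f"tiny hidden+system file under Windows: {path}"))
    return out


def triage(log_text: str) -> List[Finding]:
    """Walk the log once, tracking the current registry key for value lines."""
    findings: List[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := KEY_RE.match(line)):
            current_key = m.group("key")
        elif (m := VALUE_RE.match(line)):
            findings.extend(check_registry_value(current_key, m.group("name"), m.group("value")))
        elif (m := SERVICE_RE.match(line)):
            findings.extend(check_service(m.group("start"), m.group("name"),
                                          m.group("cmd"), m.group("info")))
        elif (m := CREATED_RE.match(line)):
            findings.extend(check_created_file(m.group("size"), m.group("attr"), m.group("path")))
    return findings


def main() -> None:
    order = ("high", "medium", "low")
    for sev, kind, reason in sorted(triage(SAMPLE_LOG), key=lambda f: order.index(f[0])):
        print(f"[{sev:6}] {kind:8} {reason}")


if __name__ == "__main__":
    main()
```

On the constructed sample the script raises three high findings (the `S4` service with an unstat'ed binary in `C:\Windows`, `EnableLUA`=0, and an `.EXE` directly under `C:\Users\EKXERO`), two medium ones and one low one for the Sony service that also shows `[]` but lives under Program Files; that last case is why the rules grade by location rather than treating every empty bracket as malicious, and why a human still decides what goes into the CFScript.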


#11 ekxero (Topic Starter)

Posted 19 April 2008 - 05:13 PM

ComboFix 08-04-13.3 - EKXERO 2008-04-19 18:06:58.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.371 [GMT -4:00]
Running from: C:\Users\EKXERO\Desktop\ComboFix.exe
Command switches used :: C:\Users\EKXERO\Desktop\CFScript.txt

FILE ::
C:\Windows\System32\vwuirrrf.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Perflib_Perfdata__755\
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat
C:\Windows\System32\vwuirrrf.ini

----- BITS: Possible infected sites -----

hxxp://ads.msn.com
.
((((((((((((((((((((((((( Files Created from 2008-03-19 to 2008-04-19 )))))))))))))))))))))))))))))))
.

2008-04-18 22:42 . 2008-04-18 22:42 <DIR> d-------- C:\Users\EKXERO\AppData\Roaming\Template
2008-04-18 22:40 . 2008-04-18 22:40 <DIR> d-------- C:\Users\EKXERO\VBE
2008-04-17 06:53 . 2008-04-17 06:53 <DIR> d-------- C:\Users\EKXERO\WPDNSE
2008-04-16 23:36 . 2008-04-16 23:36 <DIR> d-------- C:\Program Files\Panda Security
2008-04-16 23:36 . 2008-04-16 23:36 1,745 --a------ C:\Windows\mozver.dat
2008-04-16 01:12 . 2007-02-01 12:02 136,376 --a------ C:\Users\EKXERO\GLF9E17GLF9E17.EXE
2008-04-16 01:11 . 2007-02-01 12:02 136,376 --a------ C:\Users\EKXERO\GLF986GLF986.EXE
2008-04-16 01:06 . 2001-09-28 17:00 243,200 --a------ C:\Users\EKXERO\GLB1A2B.EXE
2008-04-16 01:06 . 2007-02-01 12:02 136,376 --a------ C:\Users\EKXERO\GLFA77AGLFA77A.EXE
2008-04-15 22:55 . 2008-04-15 22:55 <DIR> d-------- C:\Users\EKXERO\SxsTemp
2008-04-15 22:55 . 2008-04-15 22:55 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-15 22:55 . 2008-04-15 22:56 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-04-15 22:54 . 2008-04-15 22:54 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-04-15 22:54 . 2008-04-15 22:54 1,686,528 --a------ C:\Windows\System32\gameux.dll
2008-04-15 22:37 . 2008-04-15 22:37 <DIR> d-------- C:\Users\All Users\Windows Genuine Advantage
2008-04-14 13:44 . 2008-04-14 13:44 60,416 --a------ C:\Perflib_Perfdata__755
2008-04-14 13:44 . 2008-04-14 13:44 0 --a------ C:\Perflib_Perfdata__754
2008-04-13 03:52 . 2008-04-13 03:52 32 --ahs---- C:\Windows\System32\{99F86071-B91B-4F2E-AD19-23948930A2AF}.dat
2008-04-13 03:52 . 2008-04-13 03:52 32 --ahs---- C:\Windows\System32\{216E7746-1938-486F-885B-C1286C6CFC86}.dat
2008-04-13 03:52 . 2008-04-13 03:52 32 --ahs---- C:\Windows\{30980A65-E098-4257-9B5B-4907277DA6C1}.dat
2008-04-13 03:52 . 2008-04-13 03:52 32 --ahs---- C:\Windows\{02AB36D7-01EE-4F07-8AF0-5240402CB36C}.dat
2008-04-13 03:15 . 2008-04-15 03:01 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-13 00:38 . 2008-04-13 17:42 <DIR> d-------- C:\Users\All Users\Symantec(74)
2008-04-13 00:38 . 2008-04-13 17:42 <DIR> d-------- C:\ProgramData\Symantec(74)
2008-04-13 00:18 . 2008-04-19 00:00 224 --a------ C:\Users\EKXERO\AppData\Roaming\wklnhst.dat
2008-04-11 17:26 . 2008-04-13 18:02 <DIR> d-------- C:\Windows\Temp(607)
2008-04-11 16:46 . 2008-04-11 16:47 <DIR> d-------- C:\Program Files\Share Cracker
2008-04-11 15:01 . 2008-04-11 15:01 <DIR> d-------- C:\Windows\ServiceProfiles\LocalService\TfsStore
2008-04-11 13:59 . 2008-04-13 20:03 <DIR> d-------- C:\Program Files\Ace Utilities
2008-04-11 13:11 . 2008-04-11 13:14 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-04-11 13:11 . 2008-04-11 13:14 <DIR> d-------- C:\ProgramData\Lavasoft
2008-04-11 13:11 . 2008-04-11 13:11 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-11 05:18 . 2008-04-11 15:48 <DIR> d-------- C:\Program Files\!KillBox
2008-04-11 03:53 . 2008-04-13 20:36 <DIR> d-------- C:\Users\All Users\SecTaskMan
2008-04-11 03:53 . 2008-04-13 20:36 <DIR> d-------- C:\ProgramData\SecTaskMan
2008-04-11 03:52 . 2008-04-13 19:47 <DIR> d-------- C:\Program Files\Security Task Manager
2008-04-11 02:28 . 2008-04-11 02:28 <DIR> d-------- C:\Users\EKXERO\AppData\Roaming\Uniblue
2008-04-10 16:28 . 2008-04-10 16:28 <DIR> d-------- C:\Users\EKXERO\AppData\Roaming\Roxio
2008-04-10 16:28 . 2008-04-10 16:28 <DIR> d-------- C:\Users\All Users\Roxio
2008-04-10 16:28 . 2008-04-10 16:28 <DIR> d-------- C:\ProgramData\Roxio
2008-04-10 15:51 . 2008-04-10 15:51 <DIR> d-------- C:\Program Files\DAEMON Tools
2008-04-10 15:40 . 2008-04-10 15:40 682,232 --a------ C:\Windows\System32\drivers\sptd.sys
2008-04-09 14:13 . 2008-04-09 14:13 944,184 --a------ C:\Windows\System32\winload.exe
2008-04-09 14:13 . 2008-04-09 14:13 620,088 --a------ C:\Windows\System32\ci.dll
2008-04-09 14:13 . 2008-04-09 14:13 371,712 --a------ C:\Windows\System32\srcore.dll
2008-04-09 14:13 . 2008-04-09 14:13 313,856 --a------ C:\Windows\System32\rstrui.exe
2008-04-09 14:13 . 2008-04-09 14:13 40,960 --a------ C:\Windows\System32\srclient.dll
2008-04-09 14:13 . 2008-04-09 14:13 19,000 --a------ C:\Windows\System32\kd1394.dll
2008-04-09 14:13 . 2008-04-09 14:13 16,384 --a------ C:\Windows\System32\srdelayed.exe
2008-04-09 14:13 . 2008-04-09 14:13 7,168 --a------ C:\Windows\System32\f3ahvoas.dll
2008-04-09 14:13 . 2008-04-09 14:13 6,656 --a------ C:\Windows\System32\kbd106n.dll
2008-04-09 14:11 . 2008-04-09 14:11 2,027,008 --a------ C:\Windows\System32\win32k.sys
2008-04-09 14:10 . 2008-04-09 14:10 296,448 --a------ C:\Windows\System32\gdi32.dll
2008-04-09 14:06 . 2008-04-09 14:06 83,968 --a------ C:\Windows\System32\dnsrslvr.dll
2008-04-09 14:06 . 2008-04-09 14:06 24,576 --a------ C:\Windows\System32\dnscacheugc.exe
2008-04-09 14:01 . 2008-04-09 14:01 826,368 --a------ C:\Windows\System32\wininet.dll
2008-04-09 14:00 . 2008-04-09 14:00 1,831,424 --a------ C:\Windows\System32\inetcpl.cpl
2008-04-09 14:00 . 2008-04-09 14:00 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-04-09 14:00 . 2008-04-09 14:00 56,320 --a------ C:\Windows\System32\iesetup.dll
2008-04-09 14:00 . 2008-04-09 14:00 26,624 --a------ C:\Windows\System32\ieUnatt.exe
2008-04-09 01:54 . 2008-04-13 20:05 <DIR> d-------- C:\Users\EKXERO\AppData\Roaming\uTorrent
2008-04-09 01:54 . 2008-04-09 01:54 <DIR> d-------- C:\Program Files\uTorrent
2008-04-08 17:42 . 2008-04-08 17:42 <DIR> d-------- C:\Program Files\AIM04
2008-04-08 17:39 . 2008-04-15 21:51 <DIR> d-------- C:\Users\EKXERO\AppData\Roaming\Aim
2008-04-08 01:39 . 2008-04-13 19:34 <DIR> d-------- C:\Users\EKXERO\AppData\Roaming\Winamp
2008-04-08 01:39 . 2008-04-08 01:41 <DIR> d-------- C:\Program Files\Winamp
2008-04-06 01:25 . 2008-04-06 01:25 <DIR> d-------- C:\Program Files\DivX2.5.3
2008-04-06 01:04 . 2008-04-06 01:04 <DIR> d-------- C:\Users\All Users\ashampoo
2008-04-06 01:04 . 2008-04-06 01:04 <DIR> d-------- C:\ProgramData\ashampoo
2008-04-06 01:03 . 2008-04-13 19:34 <DIR> d-------- C:\Program Files\Ashampoo
2008-04-05 03:16 . 2008-04-05 03:16 194,560 --a------ C:\Windows\System32\WebClnt.dll
2008-04-05 03:16 . 2008-04-05 03:16 110,080 --a------ C:\Windows\System32\drivers\mrxdav.sys
2008-04-05 03:13 . 2008-04-05 03:13 803,328 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-04-05 03:13 . 2008-04-05 03:13 216,632 --a------ C:\Windows\System32\drivers\netio.sys
2008-04-05 03:13 . 2008-04-05 03:13 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-04-05 03:13 . 2008-04-05 03:13 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-04-05 03:13 . 2008-04-05 03:13 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-04-05 03:12 . 2008-04-05 03:12 1,327,104 --a------ C:\Windows\System32\quartz.dll
2008-04-05 03:12 . 2008-04-05 03:12 223,232 --a------ C:\Windows\System32\WMASF.DLL
2008-04-05 03:12 . 2008-04-05 03:12 9,728 --a------ C:\Windows\System32\LAPRXY.DLL
2008-04-05 03:12 . 2008-04-05 03:12 2,048 --a------ C:\Windows\System32\asferror.dll
2008-04-05 03:11 . 2008-04-05 03:11 11,776 --a------ C:\Windows\System32\sbunattend.exe
2008-04-05 03:10 . 2008-04-05 03:10 130,048 --a------ C:\Windows\System32\drivers\srv2.sys
2008-04-05 03:10 . 2008-04-05 03:10 101,888 --a------ C:\Windows\System32\drivers\mrxsmb.sys
2008-04-05 03:10 . 2008-04-05 03:10 84,992 --a------ C:\Windows\System32\drivers\srvnet.sys
2008-04-05 03:10 . 2008-04-05 03:10 58,368 --a------ C:\Windows\System32\drivers\mrxsmb20.sys
2008-04-05 03:09 . 2008-04-05 03:09 3,504,824 --a------ C:\Windows\System32\ntkrnlpa.exe
2008-04-05 03:09 . 2008-04-05 03:09 3,470,520 --a------ C:\Windows\System32\ntoskrnl.exe
2008-04-05 03:08 . 2008-04-05 03:08 2,048 --a------ C:\Windows\System32\tzres.dll
2008-04-04 03:34 . 2008-04-04 03:34 <DIR> d-------- C:\Poker Application
2008-04-04 02:03 . 2008-04-04 02:03 <DIR> d-------- C:\Users\EKXERO\AppData\Roaming\Talkback
2008-04-04 02:02 . 2008-04-04 02:02 0 --a------ C:\Windows\nsreg.dat
2008-04-04 01:56 . 2008-04-04 01:56 1,712,984 --a------ C:\Windows\System32\wuaueng.dll
2008-04-04 01:56 . 2008-04-04 01:56 1,524,224 --a------ C:\Windows\System32\wucltux.dll
2008-04-04 01:56 . 2008-04-04 01:56 53,080 --a------ C:\Windows\System32\wuauclt.exe
2008-04-04 01:56 . 2008-04-04 01:56 43,352 --a------ C:\Windows\System32\wups2.dll
2008-04-04 01:55 . 2008-04-04 01:55 549,720 --a------ C:\Windows\System32\wuapi.dll
2008-04-04 01:55 . 2008-04-04 01:55 163,000 --a------ C:\Windows\System32\wuwebv.dll
2008-04-04 01:55 . 2008-04-04 01:55 80,896 --a------ C:\Windows\System32\wudriver.dll
2008-04-04 01:55 . 2008-04-04 01:55 33,624 --a------ C:\Windows\System32\wups.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-16 04:26 --------- d-----w C:\Program Files\Windows Mail
2008-04-16 02:54 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-04-16 02:54 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-04-16 02:54 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-04-16 02:54 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-04-16 02:54 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-04-16 02:54 --------- d-----w C:\ProgramData\Microsoft Help
2008-04-14 02:12 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-13 23:34 --------- d-----w C:\ProgramData\FLEXnet
2008-04-13 23:34 --------- d-----w C:\Program Files\Crackle
2008-04-11 19:48 --------- d-----w C:\Program Files\!KillBox
2008-04-10 20:27 --------- d-----w C:\ProgramData\Sonic
2008-04-09 18:01 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-04-06 04:50 --------- d-----w C:\ProgramData\Sony Corporation
2008-04-05 07:25 --------- d-----w C:\Program Files\Windows Sidebar
2008-04-03 16:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-31 17:48 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AOLOverlayIcon]
@={AB0C8BE3-041C-47d6-8195-E089D32B38DD}

[HKEY_CLASSES_ROOT\CLSID\{AB0C8BE3-041C-47d6-8195-E089D32B38DD}]
2007-10-05 13:54 303104 --a------ C:\DDI\overicon.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-10-30 23:56 1006264]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007-09-19 08:20 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007-09-19 08:19 154136]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2007-09-19 08:20 137752]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2007-06-08 08:35 118784]
"ISBMgr.exe"="C:\Program Files\Sony\ISB Utility\ISBMgr.exe" [2007-09-19 14:09 311296]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-10-31 14:20 77824]
"RtHDVCpl"="RtHDVCpl.exe" [2007-09-01 10:08 4669440 C:\Windows\RtHDVCpl.exe]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-07-27 20:29 5086008]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-09-11 12:38:44 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
VESWinlogon.dll 2007-08-14 23:05 98304 C:\Windows\System32\VESWinlogon.dll

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=C:\Windows\pss\Adobe Acrobat Speed Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
backup=C:\Windows\pss\Adobe Acrobat Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\c:^users^ekxero^appdata^roaming^microsoft^windows^start menu^programs^startup^bat - auto update.lnk]
path=C:\Users\EKXERO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bat - Auto Update.lnk
backup=C:\Windows\pss\Bat - Auto Update.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^EKXERO^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=C:\Windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2006-10-23 03:24 620152 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 06:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\microsoft windows installer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msserver]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2007-07-27 20:29 5086008 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Center Access Bar]
--a------ 2007-09-06 18:38 53248 c:\program files\sony\VAIO Center Access Bar\VCAB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Help and Support Demo]
--a------ 2007-08-27 20:54 290816 C:\Program Files\Sony\VAIO Help and Support Demo\LaunchVHSD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIORegistration]
--a------ 2007-10-17 17:40 20480 C:\Program Files\Sony\First Experience\WelcomeLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSurvey]
--a------ 2007-07-20 19:30 577536 C:\Program Files\Sony\VAIO Survey\Vista VAIO Survey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VWLASU]
--a------ 2007-10-12 19:29 45056 C:\Program Files\Sony\VAIO PC Wireless LAN Wizard\AutoLaunchWLASU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winampagent]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{5DAC28EA-6BCA-42E2-AA58-F96CFE909535}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{9EB920A5-F7DA-46F5-AC0E-CC606009CFF6}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{490366D1-167D-47C6-8335-248E282CFD66}"= Disabled:UDP:C:\Program Files\Sony\VAIO Media 6.0\Vc.exe:[VAIO Media] VAIO Media
"{8EC206C4-3177-4F7B-AFE9-52A3E6711048}"= Disabled:TCP:C:\Program Files\Sony\VAIO Media 6.0\Vc.exe:[VAIO Media] VAIO Media
"{3061F112-3633-481F-827E-D7AE11DD7703}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{71167967-2192-487A-8A1B-873446090E23}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{FD01A9F2-EB2E-4884-A25C-CFAAC314DDCA}"= Disabled:UDP:C:\Program Files\Sony\LocationFreePlayer\LFPC3\LFPC3.exe:LocationFree Player
"{DA833C6E-D78D-4FC0-9E60-975FF6B64759}"= Disabled:TCP:C:\Program Files\Sony\LocationFreePlayer\LFPC3\LFPC3.exe:LocationFree Player

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R2 NSUService;NSUService;"C:\Program Files\Sony\Network Utility\NSUService.exe" [2007-09-20 13:23]
R2 regi;regi;C:\Windows\system32\drivers\regi.sys [2007-04-18 00:09]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2007-09-19 08:24]
R3 athr;Atheros Extensible Wireless LAN device driver;C:\Windows\system32\DRIVERS\athr.sys [2007-10-28 08:28]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-09-19 08:19]
R3 SFEP;Sony Firmware Extension Parser;C:\Windows\system32\DRIVERS\SFEP.sys [2007-08-28 21:58]
R3 ti21sony;ti21sony;C:\Windows\system32\drivers\ti21sony.sys [2007-06-05 08:17]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2007-09-19 08:24]
S3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;C:\Program Files\Sony\VAIO Media Integrated Server\UCLS.exe [2007-01-10 20:51]
S3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);"C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-UCLS-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\UCLS\HTTP" []
S3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [2007-08-09 04:51]
S3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;"C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe" [2007-09-29 00:11]
S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;"C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe" [2007-09-20 21:52]
S4 MSSysInterv1;MSSysInterv;C:\Windows\gkpaxt.exe service []

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 18:09:35
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-19 18:10:20
ComboFix-quarantined-files.txt 2008-04-19 22:10:16
ComboFix2.txt 2008-04-17 10:53:20
ComboFix3.txt 2008-04-14 17:55:04

Pre-Run: 114,325,192,704 bytes free
Post-Run: 114,299,756,544 bytes free
.
2008-04-16 04:27:15 --- E O F ---
If ignorance is bliss, then knock the smile off my face.
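The ComboFix report above records three things a defender would want flagged automatically rather than spotted by eye: "EnableLUA"= 0 under the policies\system key (UAC switched off), "DisableMonitoring"=dword:00000001 under the Security Center key, and a disabled service (S4 MSSysInterv1) whose image path C:\Windows\gkpaxt.exe carries no file stamp, which in this report format means the binary could not be found or read. The script below is an added example and is not ComboFix's or BleepingComputer's code. It parses a constructed excerpt written in the same report layout (modelled on the log above, not a copy of it) and reports those three conditions. The regular expressions describing the layout and the "executable sitting directly under the Windows directory" heuristic are my own assumptions, not documented ComboFix behaviour.

```python
import re

# Constructed ComboFix-style excerpt (modelled on the thread's log, not copied from it).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-10-30 23:56 1006264]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-07-27 20:29 5086008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

R2 NSUService;NSUService;"C:\Program Files\Sony\Network Utility\NSUService.exe" [2007-09-20 13:23]
R3 athr;Atheros Extensible Wireless LAN device driver;C:\Windows\system32\DRIVERS\athr.sys [2007-10-28 08:28]
S4 MSSysInterv1;MSSysInterv;C:\Windows\gkpaxt.exe service []
"""

# Layout assumptions (mine, not documented ComboFix behaviour):
#   [key]                              starts a registry key section
#   "name"=value [stamp]               a value inside that section
#   Rn/Sn name;display;image [stamp]   a service line; an empty [] means no file stamp
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
SERVICE_RE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);'
    r'(?P<image>.*?)\s*\[(?P<stamp>[^\]]*)\]\s*$')
# Heuristic: a service executable placed straight into the Windows directory
# (not System32 or a program folder) is unusual enough to look at by hand.
WINROOT_EXE_RE = re.compile(r'^[a-z]:\\windows\\[^\\]+\.exe$', re.IGNORECASE)


def reg_int(value):
    """Decode a REG_DWORD as ComboFix prints it ('0 (0x0)' or 'dword:00000001')."""
    v = value.strip().lower()
    if v.startswith('dword:'):
        return int(v[6:], 16)
    m = re.match(r'^(\d+)', v)
    return int(m.group(1)) if m else None


def image_exe(image):
    """Extract the executable path from a service image string, quoted or not."""
    image = image.strip()
    if image.startswith('"'):
        return image[1:image.find('"', 1)]
    return image.split(' ', 1)[0]


def parse_report(text):
    """Return (values, services): values as (key, name, value) triples, services as dicts."""
    values, services = [], []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group('key').lower()
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append(m.groupdict())
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            values.append((current_key, m.group('name'), m.group('value')))
    return values, services


def triage(text):
    """Return human-readable findings that deserve a manual look."""
    findings = []
    values, services = parse_report(text)
    for key, name, value in values:
        if key.endswith(r'policies\system') and name == 'EnableLUA' and reg_int(value) == 0:
            findings.append('UAC disabled (EnableLUA=0) under ' + key)
        if r'\security center\monitoring' in key and name == 'DisableMonitoring' and reg_int(value) == 1:
            findings.append('Security Center monitoring disabled under ' + key)
    for svc in services:
        exe = image_exe(svc['image'])
        if not svc['stamp'].strip():
            findings.append(f"service {svc['name']} ({svc['start']}): no file stamp for {exe}, "
                            "binary missing or unreadable")
        if WINROOT_EXE_RE.match(exe):
            findings.append(f"service {svc['name']}: image {exe} sits directly under the Windows directory")
    return findings


if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG):
        print('*', finding)
```

Run against the constructed excerpt it reports four findings: the two hardening settings and two notes on MSSysInterv1 (missing file stamp, executable directly under C:\Windows). The ordinary Run entries and the Sony and Atheros services produce nothing, which is the point: the output is a short list to verify by hand, not a verdict.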

#12 rookie147

rookie147

  • Members
  • 5,321 posts
  • Local time:03:35 AM

Posted 20 April 2008 - 03:04 PM

How do things seem to be running now?

If you are pleased with the service I have offered, you may like to consider making a donation.


#13 ekxero

ekxero
  • Topic Starter

  • Members
  • 23 posts
  • Gender:Male
  • Local time:10:35 PM

Posted 21 April 2008 - 01:53 PM

Everything is running just fine. I appreciate the help a lot. Hopefully, when I win some cash playing online poker I can contribute to a donation for helping me out. I just wanted to be sure that I removed all traces of malware. Thanks a bunch for helping me.
If ignorance is bliss, then knock the smile off my face.

#14 rookie147

rookie147

  • Members
  • 5,321 posts
  • Local time:03:35 AM

Posted 22 April 2008 - 02:57 PM

Great job! Now that you're free from malware, please follow these simple steps to decrease the likelihood of getting re-infected again:

Set your system to not show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Do not show hidden files and folders".
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.
Either enable 'Automatic Updates' under Start | Control Panel | Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

In order to protect yourself against spyware, you should consider installing and running the following free programmes:
Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.
Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.
SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.
Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

Please also read Tony Klein's excellent article: How I got Infected in the First Place.
Thanks and happy computing,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.
