
Deleted files come back, registry errors, what's up?


  • This topic is locked
51 replies to this topic

#1 smm


Posted 01 March 2009 - 01:23 AM

Okay, I am not sure where to start. For the last 36 hours, I have been almost glued to the computer trying to figure out what has happened to it. My family is ready to disown me at this point, and I am no closer to knowing what is going on... so I need help.

Our Trend Micro Internet Security subscription expired this past week. Around the same time our Webroot Spy Sweeper performed an update and had an error saying that our subscription expired (even though we have 9 months left). Consequently, we had at least a few days where we weren't protected. We were getting all sorts of spam and block ups and who knows what else.

I noticed that we weren't protected, so I updated Microsoft Defender and emailed Spy Sweeper. I ran the Registry Booster 2 scan with Uniblue and came up with over 1400 registry errors. I created a back-up and "fixed" them. I was also trying to install Windows updates, uninstall Trend, reinstall Spy Sweeper, and install a trial version of Norton Internet Security 2009 around that same time. The results were: Trend wouldn't uninstall, Spy Sweeper wouldn't reinstall, Norton installed but had issues, and Windows updates worked; however, I lost my D:/ and E:/ drives (both had drivers installed but hardware not found), PCI modem and print drivers. I couldn't use the internet. One of the Windows updates was for .NET Framework 3.5. I started having .NET Framework errors and 1603 errors.

I did a system restore. The .NET Framework errors stayed, so I went through the process to delete and reinstall them with all of the updates. I decided not to clean the registry at this time and concentrated on trying to get my security up to snuff. Through the Windows Installer Cleanup and Add/Remove Programs, I tried in vain to remove Trend, SS, Norton and even Nero 7. Some looked like they deleted; however, upon restarting the computer, they were back. SS was giving me an error about missing the uninstaller file. Nero was saying something about different versions. I researched the internet (yes, I got internet access back after rebooting) and found Trend's removal tool, Spy Sweeper's removal tool, Norton's removal tool and a tool to even remove Nero.

I used the uninstaller tools and the programs seemed to go away, but then continually come back upon rebooting the computer. The problem is that now they no longer show up in the Add/Delete Programs section. They do show up on the desktop, All Programs, and program files folders. However, they do not have a way to uninstall anymore. Following another thread, I opened regedit and went to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall. I tried to delete the entries through this process but they won't go away! I believe some of the program files have been deleted but there is a lot of leftover junk.

I used CCleaner to scan my computer. It came up with over 1500 errors, a lot of them related to the files I have been trying to delete, so I once again did a backup and deleted the files.

Sometime in all of these changes, I have managed to get my drives back. My computer is running much faster; and I have been able to download Online Armor as my new firewall package. So what is the problem, you ask... I still cannot reinstall Spy Sweeper 5 which is my antivirus, antispyware protection. My computer still has been unable to get rid of Nero, Norton and Trend. I did see in the Forums that InstallShield update manager or ISScript.exe or even Live Update can cause programs to resurrect upon rebooting. Does anyone know anything about that?

The technical details of my system are the following: XP SP3. I started out on XP MCE 2005 but it changed through an update with Microsoft.

I don't have proof, but am worried that something has infected my computer and is moving files, changing extensions, and doing things that cause icons (shortcuts, etc.) to not work. Sometimes also, my computer closes Internet Explorer without warning and reboots or gets stuck without warning. My HijackThis report seems rather light on information (doesn't include a lot of programs, for example), but I don't know what that means...

Thank you in advance for taking the time to look at this report. I appreciate it.

Thanks,
Sheila



Here is my HijackThis report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:14 AM, on 3/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Tall Emu\Online Armor\oahlp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = http://aol.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 169.254.223.224:2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SoundMan] "C:\WINDOWS\SOUNDMAN.EXE"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ehTray] "C:\WINDOWS\ehome\ehtray.exe"
O4 - HKLM\..\Run: [CreateCD_Reminder] "C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=7&ar=msnhome
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
O23 - Service: Sony TVTA Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

--
End of file - 10098 bytes
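A HijackThis log like the one above is normally read line by line by a helper. As an added example, not code from the poster or from this forum, here is a small Python parser for that log format: it splits the Rn/On entry lines into a name and a target and pulls out the three things a helper looks at first, the O4 autorun entries, entries whose target HijackThis reports as "(no file)" (orphaned registry residue, which is clutter rather than proof of infection), and any proxy setting on the R1 lines. The sample log embedded in the block is constructed from a handful of lines in the post; `parse_hjt` and the other function names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a few lines in the shape of the HijackThis v2.0.2 log above.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 169.254.223.224:2
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] "C:\WINDOWS\SOUNDMAN.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
"""

# Every HijackThis finding is "<section> - <body>"; the process list and headers are not.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# O4 bodies: "HKLM\..\Run: [valuename] command line" or "Global Startup: x.lnk = path"
RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
EXE_RE = re.compile(r"^(.+?\.(?:exe|dll|scr|cpl|com))", re.IGNORECASE)


@dataclass
class Entry:
    section: str  # "R1", "O4", "O23", ...
    name: str     # Run value name, BHO name, service name, IE setting name, ...
    target: str   # file path, URL, setting value, or "(no file)"
    raw: str      # the original log line


def _command_path(cmd: str) -> str:
    """Pull the program path out of a Run command line, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd


def parse_hjt(text: str) -> List[Entry]:
    """Turn the Rn/On lines of a HijackThis log into Entry records."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, "Running processes:" block, blank or footer line
        section, body = m.group("section"), m.group("body")
        if section == "O4":
            r = RUN_RE.match(body) or STARTUP_RE.match(body)
            if r:
                entries.append(Entry(section, r.group("name"), _command_path(r.group("cmd")), line))
                continue
        if section.startswith("R") and " = " in body:
            # Rn lines are IE settings: "<hive\key>,<value name> = <value>"
            key, _, value = body.partition(" = ")
            entries.append(Entry(section, key.split(",")[-1], value.strip(), line))
            continue
        # Generic "Kind: name - {CLSID} - target" layout used by O2, O9, O18, O23, ...
        parts = body.split(" - ")
        name = parts[0].split(": ", 1)[-1] if len(parts) > 1 else parts[0]
        entries.append(Entry(section, name, parts[-1].strip(), line))
    return entries


def autoruns(entries: List[Entry]) -> List[Entry]:
    """Programs started at logon (O4): the first place a returning program hides."""
    return [e for e in entries if e.section == "O4"]


def orphaned_entries(entries: List[Entry]) -> List[Entry]:
    """Entries whose target HijackThis could not find on disk."""
    return [e for e in entries if "(no file)" in e.target]


def proxy_settings(entries: List[Entry]) -> Dict[str, str]:
    """IE proxy values from the R1 lines; compare them against software the user chose to install."""
    return {e.name: e.target for e in entries
            if e.section.startswith("R") and e.name.startswith("Proxy")}


def summarize(text: str) -> Dict[str, int]:
    entries = parse_hjt(text)
    return {"entries": len(entries), "autoruns": len(autoruns(entries)),
            "orphaned": len(orphaned_entries(entries)), "proxies": len(proxy_settings(entries))}


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("summary:", summarize(SAMPLE_LOG))
    for e in autoruns(parsed):
        print("autorun :", e.name, "->", e.target)
    for e in orphaned_entries(parsed):
        print("orphaned:", e.section, e.name)
    for key, value in proxy_settings(parsed).items():
        print("proxy   :", key, "=", value)
```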


#2 KoanYorel


Posted 15 March 2009 - 07:40 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 KoanYorel


Posted 20 March 2009 - 12:01 PM

Due to the lack of feedback, this topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
K

#4 boopme


Posted 28 March 2009 - 12:18 PM

OP has requested the topic be reopened via PM. I will tell them to make a new one as this is old. I'm requesting they send me a new link so this one with too many replies can be deleted.

#5 smm


Posted 01 April 2009 - 03:10 PM

Thank you for looking at these reports for me. My computer has been having issues for a while. I am wondering if I should just erase the hard drive and start over.

Sometimes it freezes... other times it shuts down Internet Explorer... It seems to take longer to reboot. I will come into the room and the hard drive is working overtime and nobody is on it. Sometimes the CPU usage will be at 100% and nothing obvious is running. There are certain icons that I will click on and nothing will happen. Some of these icons are on the Control Panel. My web pages are all messed up. Sometimes AOL mail doesn't have the boxes to check by each new message. I am missing web buttons. For example, my trial version of Online Armor expired yesterday; I went to the Tall Emu website to purchase Online Armor and couldn't because I had no way to add it to my cart (no "add to cart" button). I ended up using another computer to purchase the software. Something else happened yesterday and now the computer is SOOOO slow... but mainly when using AOL mail or loading web pages. I can switch to or add a new web page quickly; however, it is the loading part that is taking forever! For example, I loaded my mail, checked a message, deleted it and tried to move to another message. The screen disappeared (went white) and it reloaded the page, but it took 4 minutes! Meanwhile the CPU usage was sometimes at 0%.

Are these registry issues, OS dying issues, or am I infected with something?

I have XP SP3.

Below are a DDS report and an HJT report. They look the same, but just in case... Also, I have a DDS attach.txt file included.

DDS (Ver_09-03-16.01) - NTFSx86
Run by user at 14:12:02.17 on Wed 04/01/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1279 [GMT -5:00]

AV: Webroot AntiVirus with AntiSpyware *On-access scanning enabled* (Updated)
FW: Online Armor Firewall *enabled*

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\Tall Emu\Online Armor\oahlp.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Webroot\WebrootSecurity\SSU.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\user\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = 169.254.223.224:2
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - No File
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [SoundMan] "c:\windows\SOUNDMAN.EXE"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [ehTray] "c:\windows\ehome\ehtray.exe"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [NvCplDaemon] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\oaui.exe"
mRun: [Ad Muncher] "c:\program files\ad muncher\AdMunch.exe" /bt
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SpySweeper] c:\program files\webroot\webrootsecurity\SpySweeperUI.exe /startintray
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: MaxRecentDocs = 99 (0x63)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
mPolicies-system: HideShutdownScripts = 0 (0x0)
IE: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_i...d=menu_ie_frame
IE: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_i...d=menu_ie_image
IE: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_i...id=menu_ie_link
IE: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_i...menu_ie_exclude
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_i...=menu_ie_report
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: AutorunsDisabled\bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-2-13 29808]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-2-28 178376]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-2-28 30920]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-2-28 28872]
R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2005-2-23 14336]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2005-2-23 14336]
R2 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2009-2-28 1402568]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-2-13 4048240]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-3-1 1180976]
R3 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2009-2-28 3538632]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*
regfile\shell\edit\command=%SystemRoot%\system32\NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-03-31 17:53 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-31 17:32 <DIR> --d----- c:\program files\Ad Muncher
2009-03-31 17:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Ad Muncher
2009-03-23 11:34 23,848 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-23 11:33 <DIR> --d----- c:\program files\iPod
2009-03-23 11:33 <DIR> --d----- c:\program files\iTunes
2009-03-23 11:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-23 11:06 1,900,544 a------- c:\windows\system32\usbaaplrc.dll

==================== Find3M ====================

2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-05 23:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-03-02 22:11 130,560 a------- c:\docume~1\user\applic~1\GDIPFONTCACHEV1.DAT
2009-02-14 13:08 1,553,784 a------- c:\windows\WRSetup.dll
2009-02-13 18:09 176,752 a------- c:\windows\system32\drivers\ssidrv.sys
2009-02-13 18:09 29,808 a------- c:\windows\system32\drivers\ssfs0bbc.sys
2009-02-13 18:09 23,152 a------- c:\windows\system32\drivers\sshrmd.sys
2009-02-11 11:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 11:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-01-23 17:06 164 -------- C:\install.dat
2008-07-17 12:04 108,656 a------- c:\program files\clwireg-x86.exe
2008-07-15 02:00 2,698,976 a------- c:\program files\systemtweaker.exe
2008-07-15 01:56 4,257,264 a------- c:\program files\RegistryBooster2.exe
2008-07-17 13:13 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071720080718\index.dat

============= FINISH: 14:18:29.76 ===============



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:35:40 PM, on 4/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\Tall Emu\Online Armor\oahlp.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Webroot\WebrootSecurity\SSU.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = http://aol.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 169.254.223.224:2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SoundMan] "C:\WINDOWS\SOUNDMAN.EXE"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ehTray] "C:\WINDOWS\ehome\ehtray.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_i...d=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_i...d=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_i...id=menu_ie_link
O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_i...menu_ie_exclude
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_i...=menu_ie_report
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=7&ar=msnhome
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
O23 - Service: Sony TVTA Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

--
End of file - 11458 bytes


#6 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,801 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:11:55 PM

Posted 01 April 2009 - 03:20 PM

Hello smm,

For the sake of continuity, I have merged your new topic with your previously existing topic which boopme reopened.

An HJT team member should be with you within a day or so.

Orange Blossom :thumbup2:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#7 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  • Location:Mikado Michigan
  • Local time:10:55 PM

Posted 02 April 2009 - 10:43 PM

Howdy, my name is Hoov, and I will be helping you with your dilemma.

Please make sure you watch this thread for responses. If you click the options tab at the top of your first post, you can select to track this thread.

Here is what I am asking you to do during the repair of your computer

*Tell me everything that you have done, if anything, to try and fix this problem.

*Please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out their hair.

*Follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go. Don't install anything, even other programs that have nothing to do with security or malware, it could cause things to change, and I would never know it.

*Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

*Stick with me to the end. My aim is to fix your problems, and give you the tools and knowledge to keep this from happening again.

Now onto trying to fix your computer.

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

First update Malwarebytes' Anti-Malware and run a full scan. Post the log from that. If you can't update it, just run the scan and post the log.

* Anyone other than the originator of this thread, you would be best advised to not run combofix without guidance from someone trained in its use. It is a very powerful tool that can cause damage to your computer if used wrong.

Run comboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Also make sure you close all your browsers just before the instructions tell you to start the scanner.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

If combofix doesn't run, rename combofix.exe to multifix.exe and reboot to safe mode and run it from there. Post the log up as well.

Does your computer run the same, or did the two scans make a difference?
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

#8 smm

smm
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:10:55 PM

Posted 05 April 2009 - 04:30 PM

Hello Hoov. Thank you for accepting the task of trying to figure out what is going wrong with my computer.

Since my first post, I haven't done much to try to fix the computer besides Microsoft security updates. On March 31, I did, however, download a paid version of Online-Armor (trial ended), downloaded Ad Muncher and a Java Update. I did these changes before sending the last reports.

I was having trouble with the computer before, but when I made these changes, it added another layer of new issues: the computer screen unexpectedly goes black and I need to turn off the computer at the power strip to reboot; also, webpages suddenly started taking forever (minutes) to load. There were issues loading them because I was getting error messages saying I wasn't authorized to do it, even though I have administrative rights. Also, Online Armor has had trouble loading upon reboot and errored on me a couple of times.

I did some investigating about the issues including the missing internet buttons and found that I do not have any "Internet Settings". I looked at my registry and inetcpl.cpl is missing from the registry also. When I look under HKEY_CURRENT_USER/SOFTWARE/Policies/Microsoft... I don't even have an "internet Explorer" option. How or why, I do not know. I do know that over the last several months we have been inundated with tons of spam and junk online. When I am on a webpage and hit my back browser, it actually redirects me to another website or advertisement - even though the screen may not change. I was having to hit the browser button several times for it to actually move, so I checked my back browsers history and found what was happening. Installing Online Armor and now Ad Muncher has helped some.

I ran a "scannow" and wasn't able to complete it because there were errors, and I needed to install my XP disks. I don't think I received disks with my computer... just a card with the serial number on it.

I thought maybe XP SP3 was possibly the issue based on looking at various forums. I reinstalled it. But nothing has really changed. I was thinking of maybe going from IE 7 to IE8 but haven't done that.

Lastly I pulled the session log from Webroot's Spy Sweeper and was really scared by what I saw but am not sure what any of it means. I had lots of "WARNING: Unable to secure run key from ambiguous path exploit for HKLM/Software/Microsoft/Windows/CurrentVersion/Run/...NvCplDaemon, ISUSPM startup, ISUSScheduler, SunJavaUpdateSched, Ad Muncher, SpySweeper, @OnlineArmor GUI". All had "SRegSetDataFailed -1-". This appears to be an almost daily error since 3/16/09.

Also, I had "WARNING: Antivirus Engine for IFO returned [File Corrupted] on [C:\Documents and Settings\user\My Documents...." on 10+ documents plus the same warning on [c:\..\local settings\temporary internet files\...], [c:\...cookies\...], and something called [c:\recycler\....].

It seems that every Word file I have sent over the internet has also had the "file corrupted" message. I would be mortified if I am sending viruses to others. Please tell me that is not the case.

The Webroot Spy Sweeper Session log was 19 pages long for the time period of 3/1/09 to 4/5/09.


I updated Anti-Malware and am running the scan. I will post it soon as well as the combofix one.

More to come. Thanks again for your help.

Sheila
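The Spy Sweeper warning quoted above ("Unable to secure run key from ambiguous path exploit") concerns the Run values that the HijackThis log earlier in this thread lists as O4 entries. The point a defender checks for here is an unquoted image path that contains spaces (compare the unquoted `[SpySweeper]` entry with the quoted ones): when a command line is unquoted, Windows cannot tell where the executable name ends, so it probes shorter candidate paths such as `C:\Program.exe` before the intended program, and anything that can write to those locations could be run instead. The following is an added example, not code from this thread, from Webroot or from HijackThis, and it assumes that unquoted-path ambiguity is what Spy Sweeper's warning refers to. It parses O4 lines in the HijackThis format, separates the image path from its arguments, and reports unquoted paths that contain spaces together with the paths Windows would probe first. The sample log is constructed from entries copied out of the HijackThis log above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in HijackThis O4/O23 line format. The entries are copied
# from the log posted in this thread; the selection is ours. Raw string so the
# backslashes stay exactly as they appear in the log.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Bracketed Run-key form only: "O4 - <hive>\..\<key>: [<value name>] <command>".
# "Global Startup" lines use a different layout and are deliberately skipped.
O4_RE = re.compile(r'^O4 - (?P<location>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')

# All four characters long, which image_path() relies on when cutting.
EXE_EXTS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")


def parse_run_entries(log_text: str) -> List[Dict[str, str]]:
    """Return the bracketed O4 Run-key entries of a HijackThis log as dicts."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def image_path(cmd: str) -> Tuple[str, bool]:
    """Split the image path off a Run value's command line.

    Returns (path, quoted). A quoted command is unambiguous: the path is
    everything between the first pair of double quotes. For an unquoted one
    the best we can do is cut at the first executable extension; that is the
    same guesswork Windows has to do, which is exactly the problem.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]), True
    low = cmd.lower()
    hits = [low.find(ext) for ext in EXE_EXTS if low.find(ext) != -1]
    if not hits:
        return (cmd.split()[0] if cmd else ""), False
    return cmd[: min(hits) + 4], False


def probe_candidates(path: str) -> List[str]:
    """Paths Windows tries, in order, before the intended executable when it
    is handed an unquoted command line containing spaces: every prefix that
    ends just before a space, with ".exe" appended (documented CreateProcess
    behaviour). These are the locations a defender should make sure nobody
    untrusted can write to."""
    return [path[:i] + ".exe" for i, ch in enumerate(path) if ch == " "]


def find_ambiguous_run_entries(log_text: str) -> List[Dict[str, object]]:
    """Report Run values whose image path is unquoted and contains spaces."""
    findings = []
    for entry in parse_run_entries(log_text):
        path, quoted = image_path(entry["cmd"])
        if not quoted and " " in path:
            findings.append({
                "name": entry["name"],
                "location": entry["location"],
                "path": path,
                "probes": probe_candidates(path),
            })
    return findings


if __name__ == "__main__":
    for f in find_ambiguous_run_entries(SAMPLE_HJT_LOG):
        print(f"[{f['name']}] under {f['location']}: unquoted path {f['path']}")
        for p in f["probes"]:
            print(f"    would be probed first: {p}")
```

Run against the sample, only the `[SpySweeper]` value is reported, with `C:\Program.exe` as the path that would be probed first. The fix for a finding like this is simply to quote the path in the Run value, which is what Spy Sweeper's "secure run key" step was apparently trying and failing to do (its `SRegSetDataFailed` errors).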

#9 smm

smm
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:10:55 PM

Posted 05 April 2009 - 04:38 PM

Hoov,

The following is the Malwarebytes' log for today. FYI, I did a scan on 4/2/09 and there were no issues (but it also wasn't updated).


Malwarebytes' Anti-Malware 1.35
Database version: 1942
Windows 5.1.2600 Service Pack 3

4/5/2009 4:35:19 PM
mbam-log-2009-04-05 (16-35-19).txt

Scan type: Full Scan (C:\|K:\|)
Objects scanned: 341003
Time elapsed: 1 hour(s), 19 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


The Combofix is next.

Thanks again,

Sheila
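The only detections in the log above are two Registry Data Items under `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center`. `AntiVirusDisableNotify` and `FirewallDisableNotify` set to 1 suppress the Windows Security Center's warnings that antivirus or the firewall is off, which is why a scanner treats the bad value as a finding in its own right: a machine whose protection has lapsed stops telling its owner so. The scan restored both to 0. The following is an added example, not code from this thread or from Malwarebytes, showing how to parse the 1.x text log layout shown above into the summary counts and the per-category findings, cross-check the counts against the listed items, and pull out Security Center notification tampering specifically. The sample log is built from the log posted above, trimmed to fewer categories.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sample built from the Malwarebytes' Anti-Malware 1.35 log posted in this
# thread, trimmed to three of its categories. Raw string to keep backslashes.
SAMPLE_MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.35
Database version: 1942
Windows 5.1.2600 Service Pack 3

4/5/2009 4:35:19 PM
mbam-log-2009-04-05 (16-35-19).txt

Scan type: Full Scan (C:\|K:\|)
Objects scanned: 341003
Time elapsed: 1 hour(s), 19 minute(s), 58 second(s)

Memory Processes Infected: 0
Registry Data Items Infected: 2
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

# "<Category> Infected: <n>" lines are the summary block; the same text with
# no number opens the detail section for that category.
COUNT_RE = re.compile(r'^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$')
HEADER_RE = re.compile(r'^(?P<cat>[A-Za-z ]+ Infected):$')
# "<target> (<detection name>) [-> Bad: (x) Good: (y)] -> <action taken>"
ITEM_RE = re.compile(
    r'^(?P<target>.+?) \((?P<detection>[^()]+)\)'
    r'(?: -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\))?'
    r' -> (?P<action>.+)$'
)
NO_ITEMS = "(No malicious items detected)"


def parse_mbam_log(text: str) -> Dict[str, object]:
    """Parse an MBAM 1.x text log into counts and per-category item lists."""
    report: Dict[str, object] = {"database_version": None, "counts": {}, "items": {}}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None          # a blank line closes a detail section
            continue
        if line.startswith("Database version:"):
            report["database_version"] = line.split(":", 1)[1].strip()
            continue
        m = COUNT_RE.match(line)
        if m:
            report["counts"][m["cat"]] = int(m["n"])
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m["cat"]
            report["items"][current] = []
            continue
        if current is None or line == NO_ITEMS:
            continue
        m = ITEM_RE.match(line)
        # Keep unparseable detail lines rather than dropping findings silently.
        item = m.groupdict() if m else {
            "target": line, "detection": None, "bad": None, "good": None, "action": None}
        report["items"][current].append(item)
    return report


def count_mismatches(report: Dict[str, object]) -> Dict[str, Tuple[int, int]]:
    """Categories whose summary count disagrees with the items listed under it
    (summary count, listed items). Useful when a pasted log has been cut."""
    out = {}
    for cat, n in report["counts"].items():
        listed = report["items"].get(cat)
        if listed is not None and n != len(listed):
            out[cat] = (n, len(listed))
    return out


def security_center_tampering(report: Dict[str, object]) -> List[str]:
    """Names of Security Center notification values that were found set to 1,
    i.e. the 'protection is off' warnings had been silenced."""
    names = []
    for items in report["items"].values():
        for it in items:
            if it["detection"] == "Disabled.SecurityCenter" and it["bad"] == "1":
                names.append(it["target"].rsplit("\\", 1)[-1])
    return names


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_MBAM_LOG)
    print("database:", rep["database_version"], "counts:", rep["counts"])
    print("silenced Security Center warnings:", security_center_tampering(rep))
    print("count mismatches:", count_mismatches(rep))
```

`count_mismatches` is worth running on any log pasted into a thread before drawing conclusions from the summary block; a log trimmed in the paste will show up there. The `security_center_tampering` check is the one thing in this particular log a responder would want called out by name, since it says the warnings were off rather than that nothing was wrong.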

#10 smm

smm
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:10:55 PM

Posted 05 April 2009 - 07:44 PM

Dear Hoov,

Okay here is the Combofix Log File. I just want you to know that I could not download combofix onto my computer like normal. I could download any other file, but for some reason, I couldn't get this to work. I tried all three downloads and it would go through the motions of downloading but stay at 0%. I also tried downloading in safe mode with networking but couldn't even get online, which was fine because I couldn't get Online Armor to work in safe mode.

I finally got it to work by downloading it onto a CD from another computer and copying that file onto my desktop.

Anyway, here it is:

ComboFix 09-04-04.01 - user 2009-04-05 18:59:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1462 [GMT -5:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated)
FW: Online Armor Firewall *disabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\cleanmgr.exe
c:\windows\setup.exe
c:\windows\system32\_000111_.tmp.dll

----- BITS: Possible infected sites -----

hxxp://lh4.ggpht.com
hxxp://lh5.ggpht.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2009-03-06 to 2009-04-06 )))))))))))))))))))))))))))))))
.

2009-04-05 18:43 . 2009-04-05 18:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\InstallShield
2009-04-05 18:33 . 2009-04-05 18:34 664 --a------ c:\windows\system32\d3d9caps.dat
2009-04-02 19:53 . 2006-12-29 00:31 19,569 --a------ c:\windows\000001_.tmp
2009-04-02 16:24 . 2008-04-13 19:12 116,224 --a--c--- c:\windows\system32\dllcache\xrxwiadr.dll
2009-04-02 16:24 . 2001-08-17 22:36 23,040 --a--c--- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-04-02 16:23 . 2001-08-17 22:37 99,865 --a--c--- c:\windows\system32\dllcache\xlog.exe
2009-04-02 16:23 . 2004-08-10 07:00 28,288 --a--c--- c:\windows\system32\dllcache\xjis.nls
2009-04-02 16:23 . 2001-08-17 22:37 27,648 --a--c--- c:\windows\system32\dllcache\xrxftplt.exe
2009-04-02 16:23 . 2004-08-03 22:29 19,455 --a--c--- c:\windows\system32\dllcache\wvchntxx.sys
2009-04-02 16:23 . 2008-04-13 19:12 18,944 --a--c--- c:\windows\system32\dllcache\xrxscnui.dll
2009-04-02 16:23 . 2001-08-17 12:11 16,970 --a--c--- c:\windows\system32\dllcache\xem336n5.sys
2009-04-02 16:23 . 2004-08-03 22:29 12,063 --a--c--- c:\windows\system32\dllcache\wsiintxx.sys
2009-04-02 16:23 . 2008-04-13 19:12 8,192 --a--c--- c:\windows\system32\dllcache\wshirda.dll
2009-04-02 16:23 . 2001-08-17 22:37 4,608 --a--c--- c:\windows\system32\dllcache\xrxflnch.exe
2009-04-02 16:21 . 2001-08-17 13:28 771,581 --a--c--- c:\windows\system32\dllcache\winacisa.sys
2009-04-02 16:21 . 2001-08-17 13:28 701,386 --a--c--- c:\windows\system32\dllcache\wdhaalba.sys
2009-04-02 16:21 . 2004-08-03 22:31 154,624 --a--c--- c:\windows\system32\dllcache\wlluc48.sys
2009-04-02 16:21 . 2001-08-17 22:36 87,040 --a--c--- c:\windows\system32\dllcache\wiafbdrv.dll
2009-04-02 16:21 . 2001-08-17 22:36 53,760 --a--c--- c:\windows\system32\dllcache\wiamsmud.dll
2009-04-02 16:21 . 2004-08-10 07:00 41,600 --a--c--- c:\windows\system32\dllcache\weitekp9.dll
2009-04-02 16:21 . 2001-08-17 12:10 35,871 --a--c--- c:\windows\system32\dllcache\wbfirdma.sys
2009-04-02 16:21 . 2001-08-17 12:12 34,890 --a--c--- c:\windows\system32\dllcache\wlandrv2.sys
2009-04-02 16:21 . 2008-04-13 13:45 31,744 --a--c--- c:\windows\system32\dllcache\wceusbsh.sys
2009-04-02 16:21 . 2004-08-10 07:00 31,232 --a--c--- c:\windows\system32\dllcache\weitekp9.sys
2009-04-02 16:21 . 2004-08-03 22:29 23,615 --a--c--- c:\windows\system32\dllcache\wch7xxnt.sys
2009-04-02 16:21 . 2008-04-13 13:36 8,832 --a--c--- c:\windows\system32\dllcache\wmiacpi.sys
2009-04-02 16:19 . 2001-08-17 13:28 794,654 --a--c--- c:\windows\system32\dllcache\usr1801.sys
2009-04-02 16:18 . 2001-08-17 22:36 525,568 --a--c--- c:\windows\system32\dllcache\tridxp.dll
2009-04-02 16:17 . 2001-08-17 14:01 241,664 --a--c--- c:\windows\system32\dllcache\tosdvd02.sys
2009-04-02 16:16 . 2001-08-17 12:18 285,760 --a--c--- c:\windows\system32\dllcache\stlnata.sys
2009-04-02 16:15 . 2001-08-17 14:56 147,200 --a--c--- c:\windows\system32\dllcache\smidispb.dll
2009-04-02 16:14 . 2001-08-17 22:36 238,592 --a--c--- c:\windows\system32\dllcache\sisgrv.dll
2009-04-02 16:13 . 2001-08-17 22:36 386,560 --a--c--- c:\windows\system32\dllcache\sgiul50.dll
2009-04-02 16:12 . 2001-08-17 22:36 495,616 --a--c--- c:\windows\system32\dllcache\sblfx.dll
2009-04-02 16:11 . 2001-08-17 13:28 899,146 --a--c--- c:\windows\system32\dllcache\r2mdkxga.sys
2009-04-02 16:10 . 2008-04-13 19:12 159,232 --a--c--- c:\windows\system32\dllcache\ptpusd.dll
2009-04-02 16:09 . 2008-04-13 19:10 259,328 --a--c--- c:\windows\system32\dllcache\perm3dd.dll
2009-04-02 16:08 . 2001-08-17 14:05 351,616 --a--c--- c:\windows\system32\dllcache\ovcodek2.sys
2009-04-02 16:07 . 2001-08-17 12:50 198,144 --a--c--- c:\windows\system32\dllcache\nv3.sys
2009-04-02 16:07 . 2001-08-17 22:36 123,776 --a--c--- c:\windows\system32\dllcache\nv3.dll
2009-04-02 16:07 . 2001-08-17 12:49 51,552 --a--c--- c:\windows\system32\dllcache\ntgrip.sys
2009-04-02 16:07 . 2001-08-17 22:36 38,912 --a--c--- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2009-04-02 16:07 . 2008-04-13 13:54 28,672 --a--c--- c:\windows\system32\dllcache\nscirda.sys
2009-04-02 16:07 . 2001-08-17 13:47 9,344 --a--c--- c:\windows\system32\dllcache\ntapm.sys
2009-04-02 16:07 . 2001-08-17 13:53 7,552 --a--c--- c:\windows\system32\dllcache\nsmmc.sys
2009-04-02 16:06 . 2004-08-03 22:31 132,695 --a--c--- c:\windows\system32\dllcache\netwlan5.sys
2009-04-02 16:06 . 2001-08-17 12:20 126,080 --a--c--- c:\windows\system32\dllcache\nm5a2wdm.sys
2009-04-02 16:06 . 2001-08-17 12:20 87,040 --a--c--- c:\windows\system32\dllcache\nm6wdm.sys
2009-04-02 16:06 . 2001-08-17 12:11 65,278 --a--c--- c:\windows\system32\dllcache\netflx3.sys
2009-04-02 16:06 . 2001-08-17 22:36 60,480 --a--c--- c:\windows\system32\dllcache\neo20xx.dll
2009-04-02 16:06 . 2004-08-10 07:00 53,248 --a--c--- c:\windows\system32\dllcache\nextlink.dll
2009-04-02 16:06 . 2001-08-17 12:50 39,264 --a--c--- c:\windows\system32\dllcache\neo20xx.sys
2009-04-02 16:06 . 2001-08-17 12:12 32,840 --a--c--- c:\windows\system32\dllcache\ngrpci.sys
2009-04-02 16:04 . 2004-08-10 07:00 1,875,968 --a--c--- c:\windows\system32\dllcache\msir3jp.lex
2009-04-02 16:04 . 2004-08-10 07:00 229,439 --a--c--- c:\windows\system32\dllcache\multibox.dll
2009-04-02 16:04 . 2001-08-17 12:50 103,296 --a--c--- c:\windows\system32\dllcache\mtxvideo.sys
2009-04-02 16:04 . 2004-08-10 07:00 98,304 --a--c--- c:\windows\system32\dllcache\msir3jp.dll
2009-04-02 16:04 . 2008-04-13 13:46 49,024 --a--c--- c:\windows\system32\dllcache\mstape.sys
2009-04-02 16:04 . 2008-04-13 13:54 22,016 --a--c--- c:\windows\system32\dllcache\msircomm.sys
2009-04-02 16:04 . 2001-08-17 13:50 21,888 --a--c--- c:\windows\system32\dllcache\mxcard.sys
2009-04-02 16:04 . 2001-08-17 13:48 12,416 --a--c--- c:\windows\system32\dllcache\msriffwv.sys
2009-04-02 16:04 . 2001-08-17 14:00 2,944 --a--c--- c:\windows\system32\dllcache\msmpu401.sys
2009-04-02 16:02 . 2001-08-17 13:28 802,683 --a--c--- c:\windows\system32\dllcache\ltsm.sys
2009-04-02 16:01 . 2004-08-10 07:00 1,158,818 --a--c--- c:\windows\system32\dllcache\korwbrkr.lex
2009-04-02 16:00 . 2004-08-10 07:00 471,102 --a--c--- c:\windows\system32\dllcache\imskdic.dll
2009-04-02 15:59 . 2008-04-13 19:11 702,845 --a--c--- c:\windows\system32\dllcache\i81xdnt5.dll
2009-04-02 15:58 . 2004-08-10 07:00 10,129,408 --a--c--- c:\windows\system32\dllcache\hwxkor.dll
2009-04-02 15:57 . 2001-08-17 13:28 907,456 --a--c--- c:\windows\system32\dllcache\hcf_msft.sys
2009-04-02 15:56 . 2001-08-17 14:56 1,733,120 --a--c--- c:\windows\system32\dllcache\g400d.dll
2009-04-02 15:55 . 2001-08-17 13:28 595,647 --a--c--- c:\windows\system32\dllcache\es56cvmp.sys
2009-04-02 15:54 . 2001-08-17 13:28 634,134 --a--c--- c:\windows\system32\dllcache\el656ct5.sys
2009-04-02 15:53 . 2001-08-17 12:14 952,007 --a--c--- c:\windows\system32\dllcache\diwan.sys
2009-04-02 15:52 . 2001-08-17 22:36 614,429 --a--c--- c:\windows\system32\dllcache\digiview.exe
2009-04-02 15:51 . 2008-04-13 19:11 249,856 --a--c--- c:\windows\system32\dllcache\ctmasetp.dll
2009-04-02 15:50 . 2004-08-10 07:00 1,677,824 --a--c--- c:\windows\system32\dllcache\chsbrkr.dll
2009-04-02 15:49 . 2001-08-17 13:28 871,388 --a--c--- c:\windows\system32\dllcache\bcmdm.sys
2009-04-02 15:48 . 2001-08-17 14:55 382,592 --a--c--- c:\windows\system32\dllcache\atidrab.dll
2009-04-02 15:47 . 2001-08-17 13:28 762,780 --a--c--- c:\windows\system32\dllcache\3cwmcru.sys
2009-04-02 15:37 . 2004-08-10 07:00 7,168 --a--c--- c:\windows\system32\dllcache\wamregps.dll
2009-04-02 15:36 . 2001-08-17 14:56 66,048 --a--c--- c:\windows\system32\dllcache\s3legacy.dll
2009-04-02 15:35 . 2004-08-10 07:00 169,984 --a--c--- c:\windows\system32\dllcache\iisui.dll
2009-04-02 15:35 . 2004-08-10 07:00 94,720 --a--c--- c:\windows\system32\dllcache\certmap.ocx
2009-04-02 15:35 . 2004-08-10 07:00 19,968 --a--c--- c:\windows\system32\dllcache\inetsloc.dll
2009-04-02 15:35 . 2004-08-10 07:00 14,336 --a--c--- c:\windows\system32\dllcache\iisreset.exe
2009-04-02 15:35 . 2004-08-10 07:00 7,680 --a--c--- c:\windows\system32\dllcache\inetmgr.exe
2009-04-02 15:35 . 2004-08-10 07:00 6,144 --a--c--- c:\windows\system32\dllcache\ftpsapi2.dll
2009-04-02 15:35 . 2004-08-10 07:00 5,632 --a--c--- c:\windows\system32\dllcache\iisrstap.dll
2009-03-31 17:53 . 2009-03-09 02:53 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-31 17:32 . 2009-03-31 17:32 <DIR> d-------- c:\program files\Ad Muncher
2009-03-31 17:32 . 2009-04-01 16:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Ad Muncher
2009-03-23 11:34 . 2009-01-15 12:19 23,848 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-23 11:33 . 2009-03-23 11:34 <DIR> d-------- c:\program files\iTunes
2009-03-23 11:33 . 2009-03-23 11:33 <DIR> d-------- c:\program files\iPod
2009-03-23 11:33 . 2009-03-23 11:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-23 11:06 . 2009-03-05 23:59 1,900,544 --a------ c:\windows\system32\usbaaplrc.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-06 00:12 --------- d-----w c:\documents and settings\user\Application Data\OnlineArmor
2009-04-05 18:54 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-05 16:54 --------- d-----w c:\documents and settings\All Users\Application Data\OnlineArmor
2009-04-02 21:07 --------- d--h--w c:\program files\InstallShield Installation Information
2009-04-02 21:06 --------- d-----w c:\program files\eBay
2009-03-31 22:49 --------- d-----w c:\program files\Java
2009-03-26 21:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 21:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-23 16:33 --------- d-----w c:\program files\Common Files\Apple
2009-03-23 16:28 --------- d-----w c:\program files\QuickTime
2009-03-18 21:43 --------- d-----w c:\program files\Common Files\Adobe
2009-03-09 17:28 --------- d-----w c:\documents and settings\user\Application Data\U3
2009-03-09 10:19 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 04:59 36,864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-03 03:11 130,560 ----a-w c:\documents and settings\user\Application Data\GDIPFONTCACHEV1.DAT
2009-03-01 06:53 --------- d-----w c:\documents and settings\All Users\Application Data\Webroot
2009-03-01 03:22 --------- d-----w c:\program files\Windows Media Connect 2
2009-02-28 10:14 --------- d-----w c:\program files\Webroot
2009-02-28 10:14 --------- d-----w c:\documents and settings\user\Application Data\Webroot
2009-02-28 09:45 --------- d-----w c:\program files\Common Files\Ahead
2009-02-28 09:04 --------- d-----w c:\program files\Tall Emu
2009-02-28 08:43 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-26 22:20 --------- d-----w c:\program files\Windows Desktop Search
2009-02-26 22:13 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2009-02-21 17:39 --------- d-----w c:\program files\SUPERAntiSpyware
2009-02-21 17:39 --------- d-----w c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2009-02-21 17:25 --------- d-----w c:\program files\Common Files\AOL
2009-02-21 17:25 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-02-14 18:08 1,553,784 ----a-w c:\windows\WRSetup.dll
2009-02-13 23:09 29,808 ----a-w c:\windows\system32\drivers\ssfs0bbc.sys
2009-02-13 23:09 23,152 ----a-w c:\windows\system32\drivers\sshrmd.sys
2009-02-13 23:09 176,752 ----a-w c:\windows\system32\drivers\ssidrv.sys
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 19:13 --------- d-----w c:\program files\Coupons
2009-01-23 22:06 164 ------w C:\install.dat
2008-07-17 17:04 108,656 ----a-w c:\program files\clwireg-x86.exe
2008-07-15 07:00 2,698,976 ----a-w c:\program files\systemtweaker.exe
2008-07-15 06:56 4,257,264 ----a-w c:\program files\RegistryBooster2.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-02-14 13:00 238968 --a------ c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 196608]
"SoundMan"="c:\windows\SOUNDMAN.EXE" [2004-11-02 77824]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-29 344064]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2008-10-07 6250696]
"Ad Muncher"="c:\program files\Ad Muncher\AdMunch.exe" [2009-03-31 779776]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 196608]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-02-14 6308728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MaxRecentDocs"= 99 (0x63)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2008-10-07 886984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= c:\progra~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Forget Me Not.lnk]
backup=c:\windows\pss\Forget Me Not.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\user\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2004-05-12 15:18 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2009-03-12 20:56 342312 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-09-18 00:55 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-09-18 00:55 1657376 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrintServer Diagnostic]
--a------ 2004-11-24 17:09 266240 c:\program files\Print Server\PTP\PSDiagnostic.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-01-05 16:18 413696 c:\program files\QuickTime\QTTask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Sony\\VAIO Media 4.0\\Vc.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\OLYMPUS\\CAMEDIA Master 4.1\\CAMEDIA Master.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)
"AllowInboundTimestampRequest"= 0 (0x0)
"AllowInboundMaskRequest"= 0 (0x0)

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-02-13 29808]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-02-28 178376]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-02-28 30920]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-02-28 28872]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2005-02-23 14336]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [2009-02-28 1402568]
R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [2009-02-28 3538632]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [2009-03-01 1180976]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe /AUTORUN
\Shell\configure\command - D:\setup.exe
\Shell\install\command - D:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3bbf0c1a-bf15-11db-9add-001111e85a08}]
\Shell\AutoRun\command - L:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f604e46-8b23-11dc-9b31-001111e85a08}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{582610B8-E496-4813-993C-4B027173FE38}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-22 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2008-04-13 19:12]

2009-04-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2009-03-30 c:\windows\Tasks\wrSpySweeper_L92ABB8D5283945858A22CE5A3FBAF74D.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-02-14 13:08]

2009-03-30 c:\windows\Tasks\wrSpySweeper_L92ABB8D5283945858A22CE5A3FBAF74D.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2009-02-14 13:08]

2009-03-30 c:\windows\Tasks\wrSpySweeper_L92ABB8D5283945858A22CE5A3FBAF74D.job
- C:\ [2009-04-05 19:07]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Aim6 - c:\program files\AIM6\aim6.exe
MSConfigStartUp-mmtask - c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe
MSConfigStartUp-MMTray - c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
MSConfigStartUp-DXDllRegExe - dxdllreg.exe
MSConfigStartUp-pccguide - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com
uSearch Page = hxxp://www.google.com
uInternet Settings,ProxyServer = 169.254.223.224:2
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
IE: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_i...d=menu_ie_frame
IE: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_i...d=menu_ie_image
IE: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_i...id=menu_ie_link
IE: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_i...menu_ie_exclude
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_i...=menu_ie_report
Handler: AutorunsDisabled\bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2367994694-1612474640-1096060522-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,9e,44,a2,a5,fe,
16,ee,16,c8,28,51,af,b0,29,a3,98,fc,f8,a7,c1,62,82,07,3a,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,f6,0a,63,ab,6a,
bb,f3,98,71,3b,04,66,8b,46,0d,96,61,52,d5,d3,0c,4e,c8,a2,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,a1,02,01,2b,60,
e1,e3,5e,25,da,ec,7e,55,20,c9,26,f4,83,b4,6e,35,b6,a1,28,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,ba,aa,40,80,39,
0b,b3,3d,3e,1e,9e,e0,57,5a,93,61,57,65,f5,98,3f,39,34,b1,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,78,9a,33,bc,cf,
5d,8c,09,cd,44,cd,b9,a6,33,6c,cd,74,aa,a9,40,19,dd,4e,2c,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,f5,0d,ad,81,64,
25,55,fa,b0,18,ed,a7,3f,8d,37,a4,1c,31,91,92,ea,72,6d,9f,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,7d,df,00,d2,ef,
1e,76,bd,31,77,e1,ba,b1,f8,68,02,e8,b6,cf,a3,51,fb,fd,f4,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,4b,2e,e8,90,b1,
1a,6f,0b,83,6c,56,8b,a0,85,96,ab,f9,d1,58,65,9f,3c,e8,18,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,14,7d,c0,30,b6,
27,a0,1b,51,fa,6e,91,28,9e,14,cc,49,f1,a7,32,d4,53,11,dd,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,ec,f5,c9,c1,fc,
12,64,71,b1,cd,45,5a,a8,c4,f8,b9,e4,f1,51,e8,4c,d7,9f,c1,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,5c,b0,42,ad,ca,
e6,a3,bf,e3,0e,66,d5,eb,bc,2f,6b,0d,93,0f,f2,3e,bf,56,2b,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,4f,dc,fc,65,ec,
03,48,f8,fa,ea,66,7f,d4,3b,6b,70,a3,66,ba,95,1a,40,2d,df,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(832)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
SystemRoot\System32\smss.exe [724]
??\c:\windows\system32\csrss.exe [808]
??\c:\windows\system32\winlogon.exe [832]
c:\windows\system32\services.exe [876]
c:\windows\system32\lsass.exe [888]
c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [1068]
c:\windows\system32\svchost.exe [1112]
c:\windows\system32\svchost.exe [1204]
c:\program files\Windows Defender\MsMpEng.exe [1300]
c:\windows\System32\svchost.exe [1340]
c:\windows\system32\svchost.exe [1488]
c:\windows\system32\svchost.exe [1604]
c:\windows\system32\spoolsv.exe [136]
c:\program files\LSI SoftModem\agrsmsvc.exe [356]
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [440]
c:\program files\Bonjour\mDNSResponder.exe [508]
c:\windows\eHome\ehRecvr.exe [584]
c:\windows\eHome\ehSched.exe [656]
c:\program files\Java\jre6\bin\jqs.exe [788]
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [1388]
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe [1532]
c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe [116]
c:\windows\system32\nvsvc32.exe [1804]
c:\windows\system32\HPZipm12.exe [2172]
c:\windows\system32\tcpsvcs.exe [2268]
c:\program files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe [2348]
c:\program files\Sony\Sony TV Tuner Library\SMceMan.exe [2448]
c:\windows\system32\svchost.exe [2520]
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe [2592]
c:\program files\Webroot\WebrootSecurity\SpySweeper.exe [2736]
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe [3004]
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe [3144]
c:\windows\system32\dllhost.exe [628]
c:\program files\Sony\Sony TV Tuner Library\RM_SV.exe [1152]
c:\windows\System32\alg.exe [3840]
c:\windows\system32\CF9288.exe [2896]
c:\program files\Microsoft IntelliType Pro\type32.exe [3440]
c:\windows\SOUNDMAN.EXE [1232]
c:\program files\Microsoft IntelliPoint\point32.exe [2820]
c:\program files\HP\HP Software Update\HPWuSchd2.exe [1284]
c:\windows\ehome\ehtray.exe [3656]
c:\windows\eHome\ehmsas.exe [4076]
c:\program files\Ad Muncher\AdMunch.exe [1832]
c:\program files\Java\jre6\bin\jusched.exe [2176]
c:\program files\Common Files\InstallShield\UpdateService\issch.exe [2468]
c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [3068]
c:\windows\system32\ctfmon.exe [2296]
c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [3704]
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe [1280]
c:\program files\Webroot\WebrootSecurity\SSU.EXE [1308]
c:\combofix\catchme.cfexe [1084]
.
**************************************************************************
.
Completion time: 2009-04-05 19:20:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-06 00:19:17

Pre-Run: 57,952,440,320 bytes free
Post-Run: 57,892,315,136 bytes free

451 --- E O F --- 2009-04-03 14:24:48



I eagerly await your opinion and expertise.

Thanks,

Sheila

#11 smm (Topic Starter)

Posted 05 April 2009 - 07:55 PM

Dear Hoov,

I guess there are several saved files from the combofix program. I am adding them here.

ComboFix Quarantined Files

2005-02-23 13:56:59 A------- 2,804,224 C:\Qoobox\Quarantine\C\WINDOWS\system32\_000111_.tmp.dll.vir
2005-02-23 16:04:39 A------- 111,552 C:\Qoobox\Quarantine\C\WINDOWS\setup.exe.vir
2005-06-14 17:49:27 A------- 7,076 C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat.vir
2005-06-14 17:49:27 A------- 7,490 C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat.vir
2007-10-08 12:10:29 A------- 64,000 C:\Qoobox\Quarantine\C\WINDOWS\cleanmgr.exe.vir
2009-04-05 18:53:44 A------- 58 C:\Qoobox\Quarantine\catchme.log
2009-04-05 19:05:49 A------- 10,083 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-04-05 19:06:34 A------- 1,016 C:\Qoobox\Quarantine\Registry_backups\Legacy_IPRIP.reg.dat
2009-04-05 19:06:35 A------- 3,674 C:\Qoobox\Quarantine\Registry_backups\Service_Iprip.reg.dat
2009-04-05 19:17:00 A------- 622 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-Aim6.reg.dat
2009-04-05 19:17:00 A------- 624 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-mmtask.reg.dat
2009-04-05 19:17:01 A------- 482 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-pccguide.reg.dat
2009-04-05 19:17:01 A------- 532 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-DXDllRegExe.reg.dat
2009-04-05 19:17:01 A------- 628 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-MMTray.reg.dat


ADD-REMOVE PROGRAMS FILE
23_24_2500Tour
2400
2400_2500Help
2400_2500trb
7-Zip 4.57
Acrobat.com
Ad Muncher v4.72 Build 30400
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.1
Adobe Shockwave Player
Agere Systems PCI Soft Modem
AiO_Scan
AiOSoftware
Alt-Tab Task Switcher Powertoy for Windows XP
AOL Instant Messenger
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AutoUpdate
BIAS SoundSoap PE 2.1.1
Bonjour
BufferChm
Burn and Go X
Business Contact Manager for Outlook 2003
Calculator Powertoy for Windows XP
CardRecovery
CCleaner (remove only)
CDex extraction audio
ClearType Tuning Control Panel Applet
Click to DVD 2.0.03 Menu Data
Click to DVD 2.4.02
CmdHere Powertoy For Windows XP
Compatibility Pack for the 2007 Office system
Copy
CopyProfile
Coupon Printer for Windows
CreativeProjects
CreativeProjectsTemplates
Critical Update for Windows Media Player 11 (KB959772)
CueTour
Destinations
Director
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DocProc
DocumentViewer
DVgate Plus
exPressit S.E. 2.2
Fax
forteManager
FUJIFILM USB Driver
GdiplusUpgrade
Google Earth
Google Toolbar for Internet Explorer
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hollywood FX 5.5 Additional Effects
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB954550-v5)
HP Diagnostic Assistant
HP Driver Diagnostics
HP Image Zone 4.2
HP Photosmart Essential
HP Product Detection
HP PSC & OfficeJet 4.2
HP Update
hpmdtab
HPSystemDiagnostics
HTML Slideshow Powertoy for Windows XP
Image Converter 2
Image Resizer Powertoy for Windows XP
ImgBurn
InstantShare
Intel® Network Connections Drivers
InterVideo WinDVD for VAIO
ISScript
iTunes
Jasc Paint Shop Pro 8
Java™ 6 Update 13
Learn2 Player (Uninstall Only)
LimeWire 4.18.3
Linksys Bi-Admin
Magnifier Powertoy for Windows XP
Malwarebytes' Anti-Malware
Memories Disc Creator 2.0
Memory Stick Formatter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft IntelliPoint 5.3
Microsoft IntelliType Pro 5.3
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office PowerPoint 2003 Template Creation Wizard
Microsoft Office PowerPoint 2003 Template Pack 2
Microsoft Office PowerPoint 2003 Template Pack 3
Microsoft Office Small Business Edition 2003
Microsoft Office Sounds
Microsoft Office Standard Edition 2003
Microsoft Office XP Media Content
Microsoft Office XP Small Business
Microsoft Producer for Microsoft Office PowerPoint 2003
Microsoft SQL Server Desktop Engine (VAIO_VEDB)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Web Publishing Wizard 1.52
MobileMe Control Panel
MoodLogic
Movielink eHome version 1.1
Moyea FLV Downloader version 1.13.0.10
Moyea FLV Player version 1.3.2.3
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
My DSC
NVIDIA Drivers
NVIDIA WDM Drivers
OLYMPUS CAMEDIA Master 4.1
OLYMPUS Master 2
OLYMPUS muvee theaterPack
Online Armor 3.0
OpenMG Limited Patch 4.1-05-13-31-01
OpenMG Metadata Extractor for Windows Media Player
OpenMG Secure Module 4.1.00
Overland
PhoTags Express
Photo Viewer S2.5
PhotoGallery
PictureGear Studio 2.0
Pinnacle Hollywood FX
Pinnacle Instant DVD Recorder
PixiePack Codec Pack
Print Server Driver
PrintScreen
proDAD Heroglyph 2.5
proDAD Vitascene 1.0
ProductContext
QFolder
Quicken 2007
QuickProjects
QuickTime
Readme
RealPlayer Basic
Realtek High Definition Audio Driver
Scan
SDFormatter
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Shockwave
Showoff Home Design 1.0
SigmaTel MSCN Audio Player
SkinsHP1
SkinsHP2
Slideshow Generator Powertoy for Windows XP
Sonic Encoders
Sonic RecordNow!
SonicStage 3.0
SonicStage Mastering Studio Audio Filter Custom Preset
Sony Certificate PCH
Sony Download Taxi 1.5.0.0
Sony MP4 Shared Library
Sony TV Tuner Library 1.0
Sony Video Shared Library
Sound Effects
Spy Sweeper Core
Studio 11
Studio 11 Bonus DVD
Studio 9
Studio 9 Content CD/DVD
Studio Ultimate
The Print Shop 20
Timershot Powertoy for Windows XP
TrayApp
Tune Transfer
Turbo Lister 2
U3Launcher
Uniblue RegistryBooster 2
Uniblue System Tweaker
Unload
USB Driver Vers. 3.2
VAIO Control Center
VAIO Entertainment Platform
VAIO Media 4.0
VAIO Media AC3 Decoder 1.0
VAIO Media Integrated Server 4.1
VAIO Media Redistribution 4.0
VAIO Media Registration Tool 4.0
VAIO Original Screen Saver
VAIO Original Screen Saver VAIO Motion SD Wide Contents
VAIO Registration
VAIO Structure Wallpaper
VAIO Survey Standalone
VAIO TV Tuner Library 1.4
VAIO Update 3
Virtual Desktop Manager Powertoy for Windows XP
Vuze
WD Diagnostics
WebFldrs XP
WebReg
Webroot AntiVirus with AntiSpyware
Windows Defender
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Media Center Edition 2005 KB890629
Windows XP Service Pack 3
XPMedic
Yahoo! Desktop Login

Thanks,
Sheila

#12 Hoov (Malware Response Team)

Posted 06 April 2009 - 10:46 AM

I am sorry to have left you hanging this weekend. My local area had an internet blackout. Hopefully this is the last problem I will be having for a long while.

Sorry for any inconvenience.

Well, ComboFix did manage to remove some malware. How is your computer running now?
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families


#13 smm (Topic Starter)

Posted 06 April 2009 - 12:19 PM

Hoov,

Still having issues: slow loading (but not consistent), black screen and need to reboot, missing internet options, etc.

Thanks,
Sheila

#14 Hoov (Malware Response Team)

Posted 06 April 2009 - 02:15 PM

I need you to go to the Administrative Tools in XP. They are in the Control Panel. Open the Admin tools, then open the Event Viewer. On the left hand side, click on System. Then up at the top click on Action and then click on Save Events As, type in system as the file name, make sure file type EVT is selected, and then navigate so it will save the file to your desktop, then click Save. On the left hand side, click on Application. Then up at the top click on Action and then click on Save Events As, type in application as the file name, make sure file type EVT is selected, and then navigate so it will save the file to your desktop, then click Save. Zip them both up into a single zip file and post them back here in your next reply as attachments.
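The Event Viewer steps in the post above can also be scripted. The following is an added example and is not part of the thread or any of the tools it mentions; it assumes Windows PowerShell is installed on the XP machine (it is an optional download there, not part of the base install) and that the console runs with administrative rights, because backing up an event log needs the backup privilege that -EnableAllPrivileges requests. It uses the Win32_NTEventLogFile WMI class, whose BackupEventLog method writes the same native .evt format the Event Viewer's "Save Events As" produces, and the Explorer zip-folder handler for the archive, since Compress-Archive does not exist on that platform.

```powershell
# Added example (not from the thread): export the System and Application event
# logs as .evt backups to the Desktop and bundle them into one zip file.
# Assumes Windows PowerShell on XP and an administrative console (see lead-in).

$desktop  = [Environment]::GetFolderPath('Desktop')
$zipPath  = Join-Path $desktop 'eventlogs.zip'
$exported = @()

foreach ($logName in 'System', 'Application') {
    $evtPath = Join-Path $desktop ("{0}.evt" -f $logName.ToLower())
    if (Test-Path $evtPath) { Remove-Item $evtPath -Force }

    # Win32_NTEventLogFile.BackupEventLog writes the native .evt format.
    # -EnableAllPrivileges is required, or the call fails with an access error.
    $log = Get-WmiObject -Class Win32_NTEventLogFile -EnableAllPrivileges |
        Where-Object { $_.LogFileName -eq $logName }
    if ($null -eq $log) {
        Write-Error "Event log '$logName' not found"
        continue
    }

    $result = $log.BackupEventLog($evtPath)
    if ($result.ReturnValue -ne 0) {
        Write-Error ("Backup of {0} failed with code {1}" -f $logName, $result.ReturnValue)
        continue
    }
    $exported += $evtPath
    Write-Host ("Exported {0} ({1:N0} bytes)" -f $evtPath, (Get-Item $evtPath).Length)
}

# Build the zip with the Explorer "Compressed (zipped) Folder" handler, which
# exists on XP. An empty zip is just a 22-byte end-of-central-directory record
# (signature PK 0x05 0x06 followed by 18 zero bytes), so write that first and
# let the shell copy the exported files into it.
if ($exported.Count -gt 0) {
    if (Test-Path $zipPath) { Remove-Item $zipPath -Force }
    $emptyZip = [byte[]]((0x50, 0x4B, 0x05, 0x06) + (New-Object byte[] 18))
    [IO.File]::WriteAllBytes($zipPath, $emptyZip)

    $shell     = New-Object -ComObject Shell.Application
    $zipFolder = $shell.NameSpace($zipPath)
    foreach ($file in $exported) {
        $zipFolder.CopyHere($file)
        # CopyHere is asynchronous; wait until the entry shows up in the archive.
        $name = Split-Path $file -Leaf
        while ($null -eq $zipFolder.ParseName($name)) { Start-Sleep -Milliseconds 200 }
    }
    Write-Host ("Created {0} containing {1} log file(s)" -f $zipPath, $exported.Count)
}
```

Run it from an elevated PowerShell console; the resulting eventlogs.zip on the Desktop holds system.evt and application.evt, the two files the post asks for. If BackupEventLog returns a non-zero code on one log, the script reports it and still packages whatever did export, so a partial result is visible rather than silently lost.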

#15 smm (Topic Starter)

Posted 06 April 2009 - 03:52 PM

Hoov,

The event logs are attached. They are not pretty... How could these warnings happen without my firewall notifying me?

Thanks,

Sheila

Attached Files
