Vundo/Conhook Trojan Removal [RESOLVED]


  • This topic is locked

#1
NinjaShives

    New Member

  • Member
  • 6 posts
Hi, I'm new here and want to thank you for all the great resources you have put up here. Everything has been a great help! However, I could use some help making sure that my system is clean of the Vundo and Conhook trojans. I've been having trouble getting rid of them permanently. I think I've gotten most of it though. I used VundoFix once and it seemed to work but then Conhook came back. After that VundoFix would find malicious files but wouldn't remove them (it would freeze while trying). VirtumundoBeGone did not find anything when I ran it in safe mode. I've run Malwarebytes (it found some files and successfully removed them), SuperAntiSpyware (it didn't find anything), and Panda ActiveScan (found a couple of files). My system seems to be running much better but it does still seem a little slow, so I want to be sure it's all gone. Thanks in advance; I couldn't have gotten this far without your site!!

Here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:15:31 PM, on 7/3/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Sony\AppMonUtil\AppMonUtility.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
C:\Program Files\Sony\VAIO PC Wireless LAN Wizard\AutoLaunchWLASU.exe
C:\Program Files\VirusScan\shstat.exe
C:\Program Files\Common Framework\UdaterUI.exe
C:\Program Files\WinAMP\winampa.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON\DAEMON Tools Lite\daemon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Common Framework\McTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B2DEA4A-9B3C-4490-8080-C7581D0BA5C3} - (no file)
O2 - BHO: (no name) - {0BCE935F-679A-4B2F-AAC1-DA2CCE723789} - (no file)
O2 - BHO: (no name) - {13528DFC-3A4F-446A-B093-29F3DF7E6908} - (no file)
O2 - BHO: (no name) - {31D3F1F2-6EA2-4663-85B1-13E38BAF8FCB} - (no file)
O2 - BHO: (no name) - {3F507635-372E-420D-94F7-782D8F2162B9} - (no file)
O2 - BHO: (no name) - {41B27836-1C7A-4398-8708-4FB3429D5C46} - (no file)
O2 - BHO: (no name) - {71BE289A-CCEE-4E70-86BF-08A3193E617E} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {85041324-FDA5-4672-9CFD-A8C188DDBF98} - (no file)
O2 - BHO: (no name) - {8D807E25-8F21-42A8-AA3C-1C6AD888F47B} - (no file)
O2 - BHO: (no name) - {C46D92D5-0913-4736-9C96-4429DF0D8E36} - (no file)
O2 - BHO: (no name) - {E544D63B-483B-41ED-94D1-F3B1C5D0ADEF} - (no file)
O2 - BHO: (no name) - …7F - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AppMon Utility] "C:\Program Files\Sony\AppMonUtil\AppMonUtility.exe" @@@Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [VAIO Center Access Bar] "c:\program files\sony\VAIO Center Access Bar\VCAB.exe" 1
O4 - HKLM\..\Run: [VAIO Help and Support Demo] "C:\Program Files\Sony\VAIO Help and Support Demo\LaunchVHSD.exe"
O4 - HKLM\..\Run: [VAIORegistration] "C:\Program Files\Sony\First Experience\WelcomeLauncher.exe"
O4 - HKLM\..\Run: [VWLASU] "C:\Program Files\Sony\VAIO PC Wireless LAN Wizard\AutoLaunchWLASU.exe"
O4 - HKLM\..\Run: [VAIOSurvey] "C:\Program Files\Sony\VAIO Survey\Vista VAIO Survey.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\WinAMP\winampa.exe"
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: AOL DDI.lnk = C:\DDI\AOLICON.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\Flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\Flashget.exe
O13 - Gopher Prefix:
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\AdAware\aawservice.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\VirusScan\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\VirusScan\vstskmgr.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NSUService - Sony Corporation - C:\Program Files\Sony\Network Utility\NSUService.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\stacsv.exe
O23 - Service: CamMonitor (uCamMonitor) - ArcSoft, Inc. - C:\Program Files\ArcSoft\Magic-i Visual Effects\uCamMonitor.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Media Content Collection (VAIOMediaPlatform-UCLS-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\UCLS.exe
O23 - Service: VAIO Media Content Collection (HTTP) (VAIOMediaPlatform-UCLS-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Content Collection (UPnP) (VAIOMediaPlatform-UCLS-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Content Metadata Intelligent Analyzing Manager (VcmIAlzMgr) - Sony Corporation - C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe
O23 - Service: VAIO Content Metadata XML Interface (VcmXmlIfHelper) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11512 bytes

Here are my Malwarebytes logs (I ran it twice):

Malwarebytes' Anti-Malware 1.19
Database version: 913
Windows 6.0.6001 Service Pack 1

11:34:06 PM 7/1/2008
mbam-log-7-1-2008 (23-34-06).txt

Scan type: Quick Scan
Objects scanned: 36603
Time elapsed: 2 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 12
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Windows\System32\fccyyYqo.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\Windows\System32\rfcmljfg.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3e7773c8-9cf1-4ccf-aa1f-6ec0f9c5eb2a} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{3e7773c8-9cf1-4ccf-aa1f-6ec0f9c5eb2a} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{53fe12c2-4429-488f-847b-7b285f8f6778} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\585f84ac (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{53fe12c2-4429-488f-847b-7b285f8f6778} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\fccyyyqo -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\fccyyyqo -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\fccyyYqo.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\oqYyyccf.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\oqYyyccf.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\rfcmljfg.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\gfjlmcfr.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Users\R. Shively\AppData\Local\Temp\hptreyyo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.19
Database version: 913
Windows 6.0.6001 Service Pack 1

6:42:34 PM 7/2/2008
mbam-log-7-2-2008 (18-42-34).txt

Scan type: Quick Scan
Objects scanned: 36382
Time elapsed: 4 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\fccyyYqo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

And here is my ActiveScan log:

;*******************************************************************************
ANALYSIS: 2008-07-03 07:01:42
PROTECTIONS: 1
MALWARE: 6
SUSPECTS: 0
;*******************************************************************************
PROTECTIONS
Description                   Version    Active  Updated
;===============================================================================
McAfee VirusScan Enterprise   8.5.0.781  Yes     Yes
;===============================================================================
MALWARE
Id        Description            Type            Active  Severity  Disinfectable  Disinfected  Location
;===============================================================================
00139535  Application/Processor  HackTools       No      0         Yes            No           C:\Users\R. Shively\AppData\Local\Temp\nsb7E09.tmp
00139535  Application/Processor  HackTools       No      0         Yes            No           C:\Users\R. Shively\AppData\Local\Temp\nsh2D89.tmp
00139535  Application/Processor  HackTools       No      0         Yes            No           C:\Users\R. Shively\AppData\Local\Temp\nsq287A.tmp
00139535  Application/Processor  HackTools       No      0         No             No           C:\Users\R. Shively\Desktop\Trojan Removal\VirtumundoBeGone.exe[²ƒĒ]
00167753  Cookie/Statcounter     TrackingCookie  No      0         Yes            No           C:\Users\R. Shively\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
00169190  Cookie/Advertising     TrackingCookie  No      0         Yes            No           C:\Users\R. Shively\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
00262020  Cookie/Atwola          TrackingCookie  No      0         Yes            No           C:\Users\R. Shively\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
00519333  Application/Processor  HackTools       No      0         Yes            No           C:\Users\R. Shively\Desktop\Trojan Removal\VirtumundoBeGone.exe
;===============================================================================
SUSPECTS
Sent  Location
;===============================================================================
;===============================================================================
VULNERABILITIES
Id  Severity  Description
;===============================================================================
;===============================================================================

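The Malwarebytes and HijackThis entries above show the three places this Vundo variant hooks in: the LSA Notification Packages and Authentication Packages lists (every module named there is loaded into lsass.exe at boot, so the hook survives reboots and safe-mode scans alike), a random eight-letter DLL in System32 paired with a .ini whose name is the DLL's name spelled backwards (fccyyYqo.dll / oqYyyccf.ini, rfcmljfg.dll / gfjlmcfr.ini), and a trail of BHO CLSIDs still registered but pointing at files that no longer exist. The script below is an added example, not code from this thread or from any of the tools it names; it reads log lines in the shape posted above and flags each of those three things. The sample lines are constructed from entries in the logs above, and the LSA baseline (scecli, msv1_0) is an assumption for a stock Vista build that you would adjust for your own image.

```python
"""Triage helper for HijackThis (O2) and Malwarebytes log lines.
Flags orphaned BHOs, non-baseline LSA packages, and Vundo-style
<name>.dll / <reversed name>.ini pairs. Returns data, prints nothing."""
import re

# Constructed sample input, shaped like the log lines in the post above
# (CLSIDs and file names are copied from those logs; nothing else is real).
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B2DEA4A-9B3C-4490-8080-C7581D0BA5C3} - (no file)
O2 - BHO: (no name) - {0BCE935F-679A-4B2F-AAC1-DA2CCE723789} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
"""

MBAM_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\fccyyyqo -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\fccyyyqo -> Quarantined and deleted successfully.
C:\Windows\System32\fccyyYqo.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\oqYyyccf.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\oqYyyccf.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\rfcmljfg.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\gfjlmcfr.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
LSA_RE = re.compile(
    r"\\Control\\LSA\\(?P<key>Notification Packages|Authentication Packages) .*?-> Data: (?P<data>\S+)",
    re.IGNORECASE,
)

# ASSUMED baseline for a stock Vista build: scecli is the only default
# notification package and msv1_0 the only default authentication package.
# Adjust for your own image; third-party password filters legitimately add
# themselves to Notification Packages.
LSA_BASELINE = {
    "notification packages": {"scecli"},
    "authentication packages": {"msv1_0"},
}


def orphaned_bhos(hjt_text):
    """CLSIDs registered as Browser Helper Objects whose DLL is '(no file)'.
    Vundo re-registers under a fresh CLSID each time it is partly removed, so a
    tail of orphans is typical after several clean-up passes. They are dead
    keys to delete for tidiness, not evidence of live code."""
    found = []
    for line in hjt_text.splitlines():
        m = BHO_RE.match(line.strip())
        if m and m.group("path") == "(no file)":
            found.append(m.group("clsid"))
    return found


def lsa_package_hooks(mbam_text):
    """(key, module) pairs where an LSA package list names a module outside
    the baseline. lsass.exe loads each one as SYSTEM at boot."""
    hits = []
    for line in mbam_text.splitlines():
        m = LSA_RE.search(line)
        if not m:
            continue
        key = m.group("key").lower()
        module = m.group("data").rsplit("\\", 1)[-1].lower()   # basename only
        if module not in LSA_BASELINE[key]:
            hits.append((key, module))
    return hits


def vundo_name_pairs(mbam_text):
    """Pair <stem>.dll with <stem reversed>.ini or .ini2 in the same folder,
    the naming trick visible in the log (fccyyYqo.dll <-> oqYyyccf.ini).
    A DLL with such a companion is worth treating as malicious even before a
    scanner puts a name on it. Palindromic stems are skipped to avoid pairing
    a benign X.dll with its own X.ini."""
    by_folder = {}
    for line in mbam_text.splitlines():
        line = line.strip()
        if len(line) < 3 or line[1:3] != ":\\":
            continue                          # not a drive-letter path line
        path = line.split(" (", 1)[0]         # drop the ' (Trojan.Vundo) -> ...' tail
        folder, _, base = path.rpartition("\\")
        stem, _, ext = base.rpartition(".")
        exts = by_folder.setdefault(folder.lower(), {}).setdefault(stem.lower(), set())
        exts.add(ext.lower())
    pairs = []
    for entries in by_folder.values():
        for stem, exts in entries.items():
            mirror = stem[::-1]
            if "dll" in exts and mirror != stem and entries.get(mirror, set()) & {"ini", "ini2"}:
                pairs.append((stem, mirror))
    return sorted(pairs)


if __name__ == "__main__":
    print("orphaned BHOs:", orphaned_bhos(HJT_SAMPLE))
    print("LSA hooks:    ", lsa_package_hooks(MBAM_SAMPLE))
    print("dll/ini pairs:", vundo_name_pairs(MBAM_SAMPLE))
```

Run it as-is to see the three checks over the constructed samples, or pass your own log text to the functions. The orphaned-BHO list is housekeeping rather than infection evidence; the LSA hits and the dll/ini pairs are the items to act on, and a clean re-scan should report none of them.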


#2
fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello, welcome to Geekstogo. Please do the following:



Please read my post CAREFULLY before proceeding with this step. Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.
For more information regarding this download, please visit this webpage

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Please go HERE to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running ComboFix, then restart your computer to restore your connection.

    -----------------------------------------------------------

  • Double-click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: DO NOT mouse-click ComboFix's window while it's running. That may cause it to stall.**


Regards
fenzodahl512

#3
NinjaShives

    New Member

  • Topic Starter
  • Member
  • 6 posts
Thanks for the response! I was a little nervous running ComboFix but it worked fine. Here is the log:

ComboFix 08-07-03.5 - R. Shively 2008-07-04 15:13:29.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.1954 [GMT -4:00]
Running from: C:\Users\R. Shively\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\brhfkbnk.ini
C:\Windows\system32\caqfnmse.ini
C:\Windows\system32\cgjytcpl.ini
C:\Windows\system32\fsiyncla.ini
C:\Windows\system32\gffaphrb.ini
C:\Windows\system32\ghadlasx.ini
C:\Windows\system32\gxjcoghe.ini
C:\Windows\system32\hnydvudx.ini
C:\Windows\system32\imovmbui.ini
C:\Windows\system32\lwbsukgm.ini
C:\Windows\system32\mcrh.tmp
C:\Windows\system32\miswoukl.ini
C:\Windows\system32\mmawhpel.ini
C:\Windows\system32\nflihjvd.ini
C:\Windows\system32\nyticnrk.ini
C:\Windows\system32\pbifpghc.ini
C:\Windows\system32\rgmqxvpo.ini
C:\Windows\system32\uqbxkbpg.ini
C:\Windows\system32\wdwqibpd.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-04 to 2008-07-04 )))))))))))))))))))))))))))))))
.

2008-07-03 22:18 . 2008-07-03 22:18 <DIR> d-------- C:\Users\All Users\WindowsSearch
2008-07-03 22:18 . 2008-07-03 22:18 <DIR> d-------- C:\ProgramData\WindowsSearch
2008-07-02 21:42 . 2008-07-02 21:42 <DIR> d-------- C:\Program Files\Panda Security
2008-07-01 23:44 . 2008-07-01 23:44 <DIR> d-------- C:\Users\R. Shively\AppData\Roaming\SUPERAntiSpyware.com
2008-07-01 23:44 . 2008-07-01 23:44 <DIR> d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-07-01 23:44 . 2008-07-01 23:44 <DIR> d-------- C:\ProgramData\SUPERAntiSpyware.com
2008-07-01 23:44 . 2008-07-02 19:39 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-01 23:29 . 2008-07-01 23:29 <DIR> d-------- C:\Users\R. Shively\AppData\Roaming\Malwarebytes
2008-07-01 23:29 . 2008-07-01 23:29 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-07-01 23:29 . 2008-07-01 23:29 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-07-01 23:29 . 2008-07-01 23:29 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-01 23:29 . 2008-06-28 14:16 34,296 --a------ C:\Windows\System32\drivers\mbamcatchme.sys
2008-07-01 23:29 . 2008-06-28 14:16 17,144 --a------ C:\Windows\System32\drivers\mbam.sys
2008-07-01 23:28 . 2008-07-01 23:28 <DIR> d-------- C:\Users\R. Shively\AppData\Roaming\Download Manager
2008-07-01 23:06 . 2008-07-03 14:26 <DIR> d-------- C:\VundoFix Backups
2008-06-28 09:46 . 2008-06-28 09:46 0 --a------ C:\OrbPVR.db
2008-06-27 23:05 . 2008-06-27 23:05 24,576 --a------ C:\Windows\System32\VundoFixSVC.exe
2008-06-27 22:32 . 2008-06-27 22:32 <DIR> d-------- C:\Program Files\ProcessExplorer
2008-06-17 19:34 . 2008-06-17 19:34 <DIR> d-------- C:\PerfLogs
2008-06-14 23:31 . 2008-06-15 02:04 <DIR> d-------- C:\QUARANTINE
2008-06-14 23:28 . 2008-06-14 23:28 <DIR> d-------- C:\Users\All Users\McAfee
2008-06-14 23:28 . 2008-06-14 23:28 <DIR> d-------- C:\ProgramData\McAfee
2008-06-14 23:28 . 2008-06-14 23:30 <DIR> d-------- C:\Program Files\Common Framework
2008-06-14 23:28 . 2008-06-14 23:28 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-06-14 23:28 . 2006-12-19 15:06 1,495,552 --a------ C:\Windows\System32\epoPGPsdk.dll
2008-06-14 23:28 . 2006-12-19 15:06 280 --a------ C:\Windows\System32\epoPGPsdk.dll.sig
2008-06-14 23:27 . 2008-06-14 23:27 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-06-14 23:27 . 2007-02-22 20:50 170,408 --a------ C:\Windows\System32\drivers\mfehidk.sys
2008-06-14 23:27 . 2006-11-30 08:50 72,264 --a------ C:\Windows\System32\drivers\mfeavfk.sys
2008-06-14 23:27 . 2006-11-30 08:50 64,360 --a------ C:\Windows\System32\drivers\mfeapfk.sys
2008-06-14 23:27 . 2006-11-30 08:50 52,136 --a------ C:\Windows\System32\drivers\mfetdik.sys
2008-06-14 23:27 . 2006-11-30 08:50 34,152 --a------ C:\Windows\System32\drivers\mfebopk.sys
2008-06-14 23:23 . 2008-06-14 23:29 <DIR> d-------- C:\Program Files\VirusScan
2008-06-14 23:21 . 2007-10-26 20:46 779,800 --a------ C:\Windows\System32\PresentationNative_v0300.dll
2008-06-14 23:21 . 2007-10-26 20:46 579,584 --a------ C:\Windows\System32\icardagt.exe
2008-06-14 23:21 . 2007-10-26 20:46 350,744 --a------ C:\Windows\System32\PresentationHost.exe
2008-06-14 23:21 . 2007-10-26 20:46 106,520 --a------ C:\Windows\System32\PresentationCFFRasterizerNative_v0300.dll
2008-06-14 23:21 . 2007-10-26 20:46 33,304 --a------ C:\Windows\System32\PresentationHostProxy.dll
2008-06-14 23:21 . 2007-10-26 20:46 11,776 --a------ C:\Windows\System32\icardres.dll
2008-06-14 23:19 . 2008-06-27 21:31 1,120 --a------ C:\Windows\wininit.ini
2008-06-14 23:15 . 2007-10-26 20:46 41,984 --a------ C:\Windows\System32\netfxperf.dll
2008-06-14 23:09 . 2008-06-15 22:47 <DIR> d-------- C:\Program Files\DVMSToolbox
2008-06-14 22:37 . 2008-06-14 22:37 356,352 --a------ C:\Windows\eSellerateEngine.dll
2008-06-14 21:04 . 2008-06-14 21:04 <DIR> d-------- C:\Temp\Sony Corporation
2008-06-14 21:04 . 2008-06-14 21:04 <DIR> d-------- C:\Temp
2008-06-14 09:56 . 2008-06-14 10:03 <DIR> d-------- C:\Users\R. Shively\AppData\Roaming\Corel
2008-06-14 09:56 . 2008-06-14 09:56 <DIR> d-------- C:\Users\Administrator\Documents
2008-06-14 09:56 . 2008-06-14 09:56 <DIR> d-------- C:\Users\Administrator
2008-06-14 09:56 . 2008-06-14 09:59 3,140 --ahs---- C:\Windows\System32\KGyGaAvL.sys
2008-06-14 09:56 . 2008-06-14 09:56 88 -r-hs---- C:\Windows\System32\2661629778.sys
2008-06-14 09:51 . 2008-06-14 09:51 <DIR> d-------- C:\VAIO Entertainment
2008-06-13 23:15 . 2008-06-13 23:15 <DIR> d-------- C:\Users\R. Shively\AppData\Roaming\ArcSoft
2008-06-13 23:13 . 2008-06-27 20:12 <DIR> d-------- C:\Users\R. Shively\AppData\Roaming\skypePM
2008-06-13 23:13 . 2008-06-13 23:13 56 --ah----- C:\Windows\System32\ezsidmv.dat
2008-06-13 23:12 . 2008-06-27 20:33 <DIR> d-------- C:\Users\R. Shively\AppData\Roaming\Skype
2008-06-13 23:12 . 2008-06-13 23:12 <DIR> d-------- C:\Users\All Users\Skype
2008-06-13 23:12 . 2008-06-13 23:12 <DIR> d-------- C:\ProgramData\Skype
2008-06-13 23:12 . 2008-06-13 23:12 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-06-13 23:11 . 2008-06-13 23:12 <DIR> d-------- C:\Program Files\Skype
2008-06-13 18:43 . 2008-06-13 19:10 <DIR> d-------- C:\Windows\LMIB9FC.tmp
2008-06-13 17:37 . 2008-04-23 00:42 428,544 --a------ C:\Windows\System32\EncDec.dll
2008-06-13 17:37 . 2008-04-23 00:42 293,376 --a------ C:\Windows\System32\psisdecd.dll
2008-06-13 17:37 . 2008-04-23 00:41 218,624 --a------ C:\Windows\System32\psisrndr.ax
2008-06-13 17:37 . 2008-01-19 03:33 80,896 --a------ C:\Windows\System32\MSNP.ax
2008-06-13 17:37 . 2008-01-19 03:33 69,632 --a------ C:\Windows\System32\Mpeg2Data.ax
2008-06-13 17:36 . 2008-04-23 00:41 57,856 --a------ C:\Windows\System32\MSDvbNP.ax
2008-06-11 07:00 . 2008-04-24 22:12 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-06-11 07:00 . 2008-04-26 04:08 1,314,816 --a------ C:\Windows\System32\quartz.dll
2008-06-11 07:00 . 2008-04-25 00:35 826,880 --a------ C:\Windows\System32\wininet.dll
2008-06-11 07:00 . 2008-05-09 21:33 113,664 --a------ C:\Windows\System32\drivers\rmcast.sys
2008-06-09 21:25 . 2008-01-19 03:35 9,847,296 --a------ C:\Windows\System32\NlsData000a.dll
2008-06-09 21:24 . 2008-01-19 02:06 8,147,456 --a------ C:\Windows\System32\wmploc.DLL
2008-06-09 21:23 . 2008-01-19 03:36 704,512 --a------ C:\Windows\System32\SmiEngine.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-04 19:11 --------- d---a-w C:\ProgramData\TEMP
2008-07-02 03:44 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-30 03:28 --------- d-----w C:\Program Files\Java
2008-06-30 02:40 --------- d-----w C:\Users\R. Shively\AppData\Roaming\uTorrent
2008-06-28 01:43 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-06-25 00:48 --------- d-----w C:\Program Files\FlashGet
2008-06-21 14:16 27,810 ----a-w C:\Users\R. Shively\AppData\Roaming\nvModes.dat
2008-06-21 13:22 --------- d-----w C:\ProgramData\Symantec
2008-06-21 13:22 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-19 23:51 --------- d-----w C:\Program Files\WinAMP
2008-06-19 00:17 --------- d-----w C:\Users\R. Shively\AppData\Roaming\WinAMP
2008-06-18 23:11 --------- d-----w C:\Program Files\Mozilla
2008-06-17 23:52 --------- d-----w C:\ProgramData\NVIDIA
2008-06-17 23:48 174 --sha-w C:\Program Files\desktop.ini
2008-06-17 23:38 --------- d-----w C:\Program Files\Windows Sidebar
2008-06-17 23:38 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-06-17 23:38 --------- d-----w C:\Program Files\Windows Mail
2008-06-17 23:38 --------- d-----w C:\Program Files\Windows Journal
2008-06-17 23:38 --------- d-----w C:\Program Files\Windows Defender
2008-06-17 23:38 --------- d-----w C:\Program Files\Windows Collaboration
2008-06-17 23:38 --------- d-----w C:\Program Files\Windows Calendar
2008-06-17 23:17 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-06-17 23:17 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-06-15 03:54 --------- d-----w C:\Program Files\Microsoft.NET
2008-06-15 02:41 --------- d-----w C:\Program Files\Codecs
2008-06-15 02:34 --------- d-----w C:\Users\R. Shively\AppData\Roaming\Sony Corporation
2008-06-15 01:04 --------- d-----w C:\ProgramData\Sony Corporation
2008-06-13 23:01 --------- d-----w C:\Program Files\Norton 360
2008-06-13 01:46 --------- d-----w C:\Program Files\SpyBlaster
2008-06-09 03:13 --------- d-----w C:\Program Files\AdAware
2008-06-03 22:43 --------- d-----w C:\Users\R. Shively\AppData\Roaming\TMNT
2008-06-03 22:41 108,144 ----a-w C:\Windows\System32\CmdLineExt.dll
2008-06-03 22:41 --------- d-----r C:\Users\R. Shively\AppData\Roaming\SecuROM
2008-06-03 22:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-01 00:42 --------- d-----w C:\Users\R. Shively\AppData\Roaming\InterVideo
2008-05-31 21:05 --------- d-----w C:\Users\R. Shively\AppData\Roaming\FlashGet
2008-05-31 18:16 32,832 ----a-w C:\Windows\System32\zlib1.zip
2008-05-31 07:35 --------- d-----w C:\ProgramData\AOL OCP
2008-05-31 07:34 --------- d-----w C:\Users\R. Shively\AppData\Roaming\acccore
2008-05-31 07:34 --------- d-----w C:\ProgramData\Viewpoint
2008-05-31 07:34 --------- d-----w C:\ProgramData\AOL
2008-05-31 07:34 --------- d-----w C:\Program Files\Viewpoint
2008-05-31 07:34 --------- d-----w C:\Program Files\AIM6
2008-05-31 07:33 --------- d-----w C:\Program Files\Common Files\AOL
2008-05-31 04:07 --------- d-----w C:\Program Files\VistaCodecPack
2008-05-31 04:06 --------- d-----w C:\ProgramData\VistaCodecs
2008-05-31 03:00 --------- d-----w C:\ProgramData\FLEXnet
2008-05-31 02:37 --------- d-----w C:\Users\R. Shively\AppData\Roaming\SystemRequirementsLab
2008-05-30 22:48 --------- d-----w C:\Users\R. Shively\AppData\Roaming\TMNT Demo
2008-05-30 10:49 988,216 ----a-w C:\Windows\System32\winload.exe
2008-05-30 10:49 927,288 ----a-w C:\Windows\System32\winresume.exe
2008-05-30 10:49 615,992 ----a-w C:\Windows\System32\ci.dll
2008-05-30 10:49 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-05-30 10:49 46,592 ----a-w C:\Windows\System32\setbcdlocale.dll
2008-05-30 10:49 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-05-30 10:49 378,368 ----a-w C:\Windows\System32\srcore.dll
2008-05-30 10:49 318,464 ----a-w C:\Windows\System32\rstrui.exe
2008-05-30 10:49 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-05-30 10:49 14,848 ----a-w C:\Windows\System32\srdelayed.exe
2008-05-30 04:36 --------- d-----w C:\Users\R. Shively\AppData\Roaming\Roxio
2008-05-30 04:36 --------- d-----w C:\ProgramData\Roxio
2008-05-30 04:35 --------- d-----w C:\ProgramData\Sonic
2008-05-30 04:25 --------- d-----w C:\Program Files\DAEMON
2008-05-30 04:20 717,296 ----a-w C:\Windows\system32\drivers\sptd.sys
2008-05-30 04:19 --------- d-----w C:\Users\R. Shively\AppData\Roaming\DAEMON Tools
2008-05-30 02:41 --------- d-----w C:\Users\R. Shively\AppData\Roaming\vlc
2008-05-30 02:39 --------- d-----w C:\Program Files\VLC
2008-05-30 02:34 --------- d-----w C:\Users\R. Shively\AppData\Roaming\Crystal Player
2008-05-30 02:14 --------- d-----w C:\Program Files\Sony
2008-05-30 02:09 --------- d-----w C:\Users\R. Shively\AppData\Roaming\InstallShield
2008-05-30 01:33 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-05-30 01:33 --------- d-----w C:\Program Files\Common Files\L&H
2008-05-30 01:32 --------- d-----w C:\Program Files\Microsoft Works
2008-05-30 01:28 --------- d-----w C:\Program Files\Microsoft Small Business
2008-05-30 01:26 --------- d-----w C:\ProgramData\Microsoft Help
2008-05-30 01:11 --------- d-----w C:\Program Files\Utorrent
2008-05-29 04:17 737,280 ----a-w C:\Windows\iun6002.exe
2008-05-29 03:26 --------- d-----w C:\ProgramData\Lavasoft
2008-05-29 03:06 --------- d-----w C:\Program Files\SpyBot
2008-05-29 02:36 --------- d-----w C:\Program Files\CDisplay
2008-05-29 02:35 --------- d-----w C:\Program Files\Ares
2008-05-29 01:58 --------- d-----w C:\Users\R. Shively\AppData\Roaming\Talkback
2008-05-29 00:47 --------- d-----w C:\Users\R. Shively\AppData\Roaming\Symantec
2008-05-29 00:23 295,936 ----a-w C:\Windows\System32\gdi32.dll
2008-05-29 00:23 2,032,128 ----a-w C:\Windows\System32\win32k.sys
2008-05-29 00:22 540,672 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-05-29 00:22 458,752 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-05-29 00:22 4,240,384 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-05-29 00:22 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-05-29 00:22 2,153,984 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-05-29 00:22 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-05-29 00:22 1,695,744 ----a-w C:\Windows\System32\gameux.dll
2008-05-29 00:16 --------- d-----w C:\Users\R. Shively\AppData\Roaming\Webroot
2008-05-29 00:02 --------- d-sh--w C:\ProgramData\Templates
2008-05-29 00:02 --------- d-sh--w C:\ProgramData\Start Menu
2008-05-29 00:02 --------- d-sh--w C:\ProgramData\Favorites
2008-05-29 00:02 --------- d-sh--w C:\ProgramData\Documents
2008-05-29 00:02 --------- d-sh--w C:\ProgramData\Desktop
2008-05-29 00:02 --------- d-sh--w C:\ProgramData\Application Data
2008-05-16 15:58 12,632 ----a-w C:\Windows\System32\lsdelete.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AOLOverlayIcon]
@="{AB0C8BE3-041C-47d6-8195-E089D32B38DD}"
[HKEY_CLASSES_ROOT\CLSID\{AB0C8BE3-041C-47d6-8195-E089D32B38DD}]
2007-10-05 20:03 303104 --a------ C:\DDI\overicon.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 03:33 1233920]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 03:33 125952]
"DAEMON Tools Lite"="C:\Program Files\DAEMON\DAEMON Tools Lite\daemon.exe" [2008-04-01 05:39 486856]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-06-03 15:08 21718312]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-07-02 19:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AppMon Utility"="C:\Program Files\Sony\AppMonUtil\AppMonUtility.exe" [2007-09-20 20:52 542560]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"VAIO Center Access Bar"="c:\program files\sony\VAIO Center Access Bar\VCAB.exe" [2007-09-06 19:38 53248]
"VAIO Help and Support Demo"="C:\Program Files\Sony\VAIO Help and Support Demo\LaunchVHSD.exe" [2007-08-27 20:54 290816]
"VAIORegistration"="C:\Program Files\Sony\First Experience\WelcomeLauncher.exe" [2007-10-17 18:40 20480]
"VWLASU"="C:\Program Files\Sony\VAIO PC Wireless LAN Wizard\AutoLaunchWLASU.exe" [2007-10-12 20:29 45056]
"VAIOSurvey"="C:\Program Files\Sony\VAIO Survey\Vista VAIO Survey.exe" [2007-07-20 19:30 577536]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ShStatEXE"="C:\Program Files\VirusScan\SHSTAT.EXE" [2007-02-22 20:50 112216]
"McAfeeUpdaterUI"="C:\Program Files\Common Framework\UdaterUI.exe" [2006-12-19 11:27 136768]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-11-06 20:13 8497696]
"WinampAgent"="C:\Program Files\WinAMP\winampa.exe" [2008-04-01 14:49 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"FilterAdministratorToken"= 1 (0x1)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"= 2 (0x2)
"DontDisplayLogonHoursWarnings"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-07-02 19:33 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-02 19:33 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2007-08-15 00:05 98304 C:\Windows\System32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= C:\Program Files\Common Files\Sony Shared\VideoLib\sonydv.dll
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{21A02309-433A-421F-8F4D-B5DF6431FAA2}"= UDP:C:\Program Files\Sony\LocationFreePlayer\LFPC3\LFPC3.exe:LocationFree Player
"{F9DA8037-E39D-40EB-8E15-FAE60915B135}"= TCP:C:\Program Files\Sony\LocationFreePlayer\LFPC3\LFPC3.exe:LocationFree Player
"{C065FF53-E62E-4FCA-94B7-8753F2D2D042}"= Disabled:UDP:C:\Program Files\Sony\VAIO Media 6.0\Vc.exe:[VAIO Media] VAIO Media
"{E71B1582-2948-4262-9EB8-53723CDA61A7}"= Disabled:TCP:C:\Program Files\Sony\VAIO Media 6.0\Vc.exe:[VAIO Media] VAIO Media
"{D0191166-03AF-40E2-8898-4FB00DD06921}"= UDP:C:\Program Files\Sony\VAIO Media 6.0\Vc.exe:[VAIO Media] VAIO Media
"{9FDC2C5E-ADC7-455E-8736-A51EDC676CB9}"= TCP:C:\Program Files\Sony\VAIO Media 6.0\Vc.exe:[VAIO Media] VAIO Media
"{73779FDD-742E-4019-B9AD-79823B3832FC}"= UDP:C:\Program Files\Winamp Remote\bin\Orb.exe:Orb
"{AB60B2E8-B8D5-4E42-9E6E-17F3D90B6651}"= TCP:C:\Program Files\Winamp Remote\bin\Orb.exe:Orb
"{2705C086-AF38-409A-9C53-E8A2F7D8BEA6}"= UDP:C:\Program Files\Winamp Remote\bin\OrbTray.exe:OrbTray
"{838624EF-BEA9-4BBA-91FC-CF8B27429618}"= TCP:C:\Program Files\Winamp Remote\bin\OrbTray.exe:OrbTray
"{62B93DEF-CD65-41B3-8D07-08DBD8F889B0}"= UDP:C:\Program Files\Winamp Remote\bin\OrbIR.exe:OrbIR
"{928851EA-3F8B-496B-BB4C-85ED5B68CB4D}"= TCP:C:\Program Files\Winamp Remote\bin\OrbIR.exe:OrbIR
"{B9678CC5-7619-4556-8781-2A52CB712C18}"= UDP:C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client
"{06909D07-0B9D-40A4-A9AA-0617BF798E0B}"= TCP:C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client
"{1A1F40B6-D911-4111-9459-FBE5F9A56382}"= UDP:C:\Program Files\Utorrent\utorrent.exe:µTorrent
"{19D8135C-4940-4EF2-94E4-8CDC16A9CFF9}"= TCP:C:\Program Files\Utorrent\utorrent.exe:µTorrent
"TCP Query User{E584B590-B42F-4375-B0AE-54D8DC37A325}C:\\program files\\winamp remote\\bin\\orb.exe"= UDP:C:\program files\winamp remote\bin\orb.exe:Orb Application
"UDP Query User{E68F66E0-08C3-4659-B4A9-A7044A3DBA9A}C:\\program files\\winamp remote\\bin\\orb.exe"= TCP:C:\program files\winamp remote\bin\orb.exe:Orb Application
"TCP Query User{BAFD8B43-721C-445A-9AC8-ACE8B2AAB2E0}C:\\program files\\winamp remote\\bin\\orbir.exe"= UDP:C:\program files\winamp remote\bin\orbir.exe:OrbIR
"UDP Query User{3F15D87F-3F23-40BB-8867-35791A20FB4C}C:\\program files\\winamp remote\\bin\\orbir.exe"= TCP:C:\program files\winamp remote\bin\orbir.exe:OrbIR
"TCP Query User{ABB1B01D-9249-4D19-9A66-73A35E87EDA4}C:\\program files\\vongo\\vongotray.exe"= UDP:C:\program files\vongo\vongotray.exe:StarzTray
"UDP Query User{A1144E99-DBE1-4780-AEE4-AA19D09EB0DA}C:\\program files\\vongo\\vongotray.exe"= TCP:C:\program files\vongo\vongotray.exe:StarzTray
"{EE8990F3-1AC0-43FC-9FF2-1E8E780C67D7}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{3CBAA899-CFFD-461C-A7C3-36E60AE23F79}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{2CC0FE79-B29C-4B83-905C-DE64762C21ED}"= UDP:C:\Program Files\AIM6\aim6.exe:AIM
"{FBD6347F-5D04-41E4-8C88-0E3135EDBB58}"= TCP:C:\Program Files\AIM6\aim6.exe:AIM
"TCP Query User{C43F32DC-8B8D-4E05-BAAF-1A623A6332E2}C:\\program files\\flashget\\flashget.exe"= UDP:C:\program files\flashget\flashget.exe:FlashGet
"UDP Query User{62A1DAA7-9CA5-4FD8-96D0-9476A3EFC6BF}C:\\program files\\flashget\\flashget.exe"= TCP:C:\program files\flashget\flashget.exe:FlashGet
"TCP Query User{4677158F-32B5-44DA-AF09-BE1C7FD6DDC3}C:\\program files\\mozilla\\flashget\\flashget.exe"= UDP:C:\program files\mozilla\flashget\flashget.exe:FlashGet
"UDP Query User{02332439-90EF-4300-BFAC-78816A3188A0}C:\\program files\\mozilla\\flashget\\flashget.exe"= TCP:C:\program files\mozilla\flashget\flashget.exe:FlashGet
"TCP Query User{E60A7870-3687-4044-843C-8CC2D2DFD3E8}C:\\program files\\mozilla\\firefox.exe"= UDP:C:\program files\mozilla\firefox.exe:Firefox
"UDP Query User{86242FA1-C804-48BB-BA1E-01694B19CB78}C:\\program files\\mozilla\\firefox.exe"= TCP:C:\program files\mozilla\firefox.exe:Firefox
"TCP Query User{FFBFFB0B-644D-4C74-A1CE-53D56A285849}C:\\windows\\lmib9fc.tmp\\lmi_rescue.exe"= UDP:C:\windows\lmib9fc.tmp\lmi_rescue.exe:LogMeIn Rescue
"UDP Query User{6BF9BEDE-BE1A-4E1E-BE90-BAB2BBEA23DE}C:\\windows\\lmib9fc.tmp\\lmi_rescue.exe"= TCP:C:\windows\lmib9fc.tmp\lmi_rescue.exe:LogMeIn Rescue
"TCP Query User{2670201C-63E6-4661-BA9D-8D44D6896AB0}C:\\windows\\ehome\\ehexthost.exe"= UDP:C:\windows\ehome\ehexthost.exe:Media Center Extensibility Host
"UDP Query User{517BAF80-6E6C-4FBB-80ED-F8DB42B4B6BB}C:\\windows\\ehome\\ehexthost.exe"= TCP:C:\windows\ehome\ehexthost.exe:Media Center Extensibility Host
"{7069B814-919D-461D-86CC-573E77D0B823}"= C:\Program Files\Skype\Phone\Skype.exe:Skype
"{B053FB2D-0F41-4DB2-8B41-5C61E2BB2962}"= UDP:C:\Program Files\Common Framework\FrameworkService.exe:McAfee Framework Service
"{08C457ED-6D03-4A32-BC4D-984AF87BFE75}"= TCP:C:\Program Files\Common Framework\FrameworkService.exe:McAfee Framework Service
"TCP Query User{CCBEC2E6-E690-40C4-B054-1BD5B74B1713}C:\\program files\\vongo\\vongo.exe"= Disabled:UDP:C:\program files\vongo\vongo.exe:Vongo
"UDP Query User{A9AEEB2A-C19F-49DC-BACF-953173DE1057}C:\\program files\\vongo\\vongo.exe"= Disabled:TCP:C:\program files\vongo\vongo.exe:Vongo

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DefaultOutboundAction"= 0 (0x0)
"DefaultInboundAction"= 1 (0x1)

R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ []
R2 NSUService;NSUService;"C:\Program Files\Sony\Network Utility\NSUService.exe" [2007-11-26 14:50]
R2 regi;regi;C:\Windows\system32\drivers\regi.sys [2007-04-18 00:09]
R2 uCamMonitor;CamMonitor;C:\Program Files\ArcSoft\Magic-i Visual Effects\uCamMonitor.exe [2007-10-31 13:40]
R2 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;"C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe" [2007-09-29 01:11]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;C:\Windows\system32\DRIVERS\ArcSoftKsUFilter.sys [2007-10-29 23:30]
R3 R5U870FLx86;R5U870 UVC Lower Filter ;C:\Windows\system32\Drivers\R5U870FLx86.sys [2007-11-07 23:04]
R3 R5U870FUx86;R5U870 UVC Upper Filter ;C:\Windows\system32\Drivers\R5U870FUx86.sys [2007-11-07 23:04]
R3 SFEP;Sony Firmware Extension Parser;C:\Windows\system32\DRIVERS\SFEP.sys [2007-08-28 21:58]
R3 ti21sony;ti21sony;C:\Windows\system32\drivers\ti21sony.sys [2007-06-05 20:00]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2007-09-19 20:11]
S3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;C:\Program Files\Sony\VAIO Media Integrated Server\UCLS.exe [2007-01-10 20:51]
S3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);"C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-UCLS-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\UCLS\HTTP" []
S3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [2007-08-09 04:51]
S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;"C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe" [2007-09-20 22:52]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-29 03:11:52 C:\Windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\SpyBot\Spybot - Search & Destroy\SpybotSD.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{0B2DEA4A-9B3C-4490-8080-C7581D0BA5C3} - (no file)
BHO-{0BCE935F-679A-4B2F-AAC1-DA2CCE723789} - (no file)
BHO-{13528DFC-3A4F-446A-B093-29F3DF7E6908} - (no file)
BHO-{31D3F1F2-6EA2-4663-85B1-13E38BAF8FCB} - (no file)
BHO-{3F507635-372E-420D-94F7-782D8F2162B9} - (no file)
BHO-{41B27836-1C7A-4398-8708-4FB3429D5C46} - (no file)
BHO-{71BE289A-CCEE-4E70-86BF-08A3193E617E} - (no file)
BHO-{85041324-FDA5-4672-9CFD-A8C188DDBF98} - (no file)
BHO-{8D807E25-8F21-42A8-AA3C-1C6AD888F47B} - (no file)
BHO-{C46D92D5-0913-4736-9C96-4429DF0D8E36} - (no file)
BHO-{E544D63B-483B-41ED-94D1-F3B1C5D0ADEF} - (no file)
HKCU-Run-Aim6 - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-04 15:19:40
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> ?:\Windows\system32\NetworkExplorer.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Program Files\AdAware\aawservice.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Framework\FrameworkService.exe
C:\Program Files\VirusScan\mcshield.exe
C:\Program Files\VirusScan\vstskmgr.exe
C:\Program Files\Common Framework\naPrdMgr.exe
C:\Program Files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
C:\Windows\System32\PSIService.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Windows\System32\stacsv.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Windows\System32\drivers\XAudio.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe
C:\Program Files\Common Framework\Mctray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehrecvr.exe
C:\Windows\System32\wbem\WMIADAP.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-07-04 15:24:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-04 19:23:59

Pre-Run: 313,133,461,504 bytes free
Post-Run: 314,747,277,312 bytes free

388 --- E O F --- 2008-06-25 07:01:02

And here is my new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:42:14 PM, on 7/4/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
C:\Program Files\Sony\AppMonUtil\AppMonUtility.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Sony\VAIO PC Wireless LAN Wizard\AutoLaunchWLASU.exe
C:\Program Files\VirusScan\shstat.exe
C:\Program Files\Common Framework\UdaterUI.exe
C:\Program Files\WinAMP\winampa.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON\DAEMON Tools Lite\daemon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Common Framework\McTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - …7F - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [AppMon Utility] "C:\Program Files\Sony\AppMonUtil\AppMonUtility.exe" @@@Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [VAIO Center Access Bar] "c:\program files\sony\VAIO Center Access Bar\VCAB.exe" 1
O4 - HKLM\..\Run: [VAIO Help and Support Demo] "C:\Program Files\Sony\VAIO Help and Support Demo\LaunchVHSD.exe"
O4 - HKLM\..\Run: [VAIORegistration] "C:\Program Files\Sony\First Experience\WelcomeLauncher.exe"
O4 - HKLM\..\Run: [VWLASU] "C:\Program Files\Sony\VAIO PC Wireless LAN Wizard\AutoLaunchWLASU.exe"
O4 - HKLM\..\Run: [VAIOSurvey] "C:\Program Files\Sony\VAIO Survey\Vista VAIO Survey.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\WinAMP\winampa.exe"
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: AOL DDI.lnk = C:\DDI\AOLICON.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\Flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\Flashget.exe
O13 - Gopher Prefix:
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\AdAware\aawservice.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\VirusScan\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\VirusScan\vstskmgr.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NSUService - Sony Corporation - C:\Program Files\Sony\Network Utility\NSUService.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\stacsv.exe
O23 - Service: CamMonitor (uCamMonitor) - ArcSoft, Inc. - C:\Program Files\ArcSoft\Magic-i Visual Effects\uCamMonitor.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Media Content Collection (VAIOMediaPlatform-UCLS-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\UCLS.exe
O23 - Service: VAIO Media Content Collection (HTTP) (VAIOMediaPlatform-UCLS-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Content Collection (UPnP) (VAIOMediaPlatform-UCLS-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Content Metadata Intelligent Analyzing Manager (VcmIAlzMgr) - Sony Corporation - C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe
O23 - Service: VAIO Content Metadata XML Interface (VcmXmlIfHelper) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10231 bytes

So, am I clean yet? Thanks for your help, I really appreciate it!
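Reading the ComboFix log above as a defender, the "Reg Loading Points" section records more than the Vundo/Conhook traces: it also shows settings that weaken Windows' own protections on this machine (EnableLUA=0, meaning UAC is off; DisableMonitoring=1 under Security Center, so antivirus and firewall status alerts are suppressed; EnableFirewall=0 for the public network profile). The following is an added example, not code from this thread or from ComboFix, that parses that section and flags those values. The sample lines are copied from the log posted above; the flag rules and the `RULES` table are this example's own assumptions about which values matter.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example; not part of ComboFix or of the thread. It parses the
[key] / "name"= value layout ComboFix prints and flags values that
weaken the host's built-in defenses.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines copied from the ComboFix log in this thread
# (only the keys this example looks at).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"FilterAdministratorToken"= 1 (0x1)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DefaultOutboundAction"= 0 (0x0)
"DefaultInboundAction"= 1 (0x1)
"""

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+?)\s*$')


def parse_reg_points(text: str) -> Dict[Tuple[str, str], int]:
    """Return {(key_path, value_name): int_value} for numeric values.

    ComboFix prints DWORDs either as '0 (0x0)' or as 'dword:00000001';
    non-numeric values (paths, CLSIDs) are skipped. Keys and names are
    lower-cased so rule matching is case-insensitive.
    """
    values: Dict[Tuple[str, str], int] = {}
    current_key: Optional[str] = None
    for line in text.splitlines():
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1).lower()
            continue
        val_match = VALUE_RE.match(line)
        if not val_match or current_key is None:
            continue
        name, raw = val_match.group(1), val_match.group(2)
        if raw.lower().startswith("dword:"):
            number = int(raw[6:], 16)
        else:
            num_match = re.match(r"-?\d+", raw)
            if not num_match:
                continue
            number = int(num_match.group(0))
        values[(current_key, name.lower())] = number
    return values


# Assumed rule table: (key-path regex, value name, weakening value, explanation).
RULES = [
    (r"\\policies\\system$", "enablelua", 0,
     "UAC disabled: processes in an admin session run fully elevated"),
    (r"\\security center\\monitoring(\\.*)?$", "disablemonitoring", 1,
     "Security Center monitoring disabled: AV/firewall status alerts suppressed"),
    (r"\\firewallpolicy\\\w+profile$", "enablefirewall", 0,
     "Windows Firewall turned off for this network profile"),
]


def find_weakened_settings(text: str) -> List[Tuple[str, str, int, str]]:
    """Return (key_path, value_name, value, reason) for every rule hit."""
    findings: List[Tuple[str, str, int, str]] = []
    for (key, name), number in parse_reg_points(text).items():
        for key_pattern, rule_name, bad_value, reason in RULES:
            if name == rule_name and number == bad_value and re.search(key_pattern, key):
                findings.append((key, name, number, reason))
    return findings


if __name__ == "__main__":
    for key, name, number, reason in find_weakened_settings(SAMPLE_LOG):
        print(f"{key}\n    {name} = {number}: {reason}")
```

Run against the sample it reports five hits: UAC off, three suppressed Security Center monitors, and the public-profile firewall disabled. These are worth restoring once the cleanup is confirmed, because a helper reviewing only the "orphans removed" and rootkit sections would not see them.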

#4
fenzodahl512
  • Malware Removal
  • 9,863 posts
Wow.. That's great...


Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



Also tell me about your computer condition....

#5
NinjaShives
    New Member
  • Topic Starter
  • Member
  • 6 posts
Well, before I was having problems with Windows Explorer as it would stop responding and would restart itself. And of course I had the popups in IE with the usual "your computer is infected" screens. That alerted me to the fact that I had Vundo. I haven't had either of those problems since using VundoFix, Malwarebytes, and now ComboFix. I'm hoping Vundo is now completely gone from my system. The only issue I have now is my system being slow and sometimes going to a black screen that I can't get out of, so I have to do a hard reset. This only happens if I am running something and leave it to go into standby. My memory usage is typically between 30 and 40% if I'm not doing anything, which seems high. My CPU usage is normal though. I did have a blue screen error at one point but it flashed too fast for me to see the error. It didn't seem to have any lasting effects though... I just want to make sure I'm clean of any malicious files. I can deal with my system being a little slow if need be.

I'm running the Kaspersky scan now and it looks like it is going to take a while, so I'll get back to you with the report later. Let me know if you need any more info and thanks again!

#6
fenzodahl512
  • Malware Removal
  • 9,863 posts

Well, before I was having problems with Windows Explorer as it would stop responding and would restart itself. And of course I had the popups in IE with the usual "your computer is infected" screens. That alerted me to the fact that I had Vundo. I haven't had either of those problems since using VundoFix, Malwarebytes, and now ComboFix. I'm hoping Vundo is now completely gone from my system. The only issue I have now is my system being slow and sometimes going to a black screen that I can't get out of, so I have to do a hard reset. This only happens if I am running something and leave it to go into standby. My memory usage is typically between 30 and 40% if I'm not doing anything, which seems high. My CPU usage is normal though. I did have a blue screen error at one point but it flashed too fast for me to see the error. It didn't seem to have any lasting effects though... I just want to make sure I'm clean of any malicious files. I can deal with my system being a little slow if need be.

I'm running the Kaspersky scan now and it looks like it is going to take awhile so I'll get back to you with the report later. Let me know if you need anymore info and thanks again!



All right.. Will wait for your log... :)
  • 0

#7
NinjaShives
    New Member
  • Topic Starter
  • Member
  • 6 posts
Okay, here's my Kaspersky log... looks like I picked up something else. Is there an easy way to get rid of it?

Friday, July 4, 2008
Operating System: Microsoft Windows Vista Ultimate Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, July 04, 2008 20:42:32
Records in database: 913699
Scan settings
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area: My Computer
C:\
D:\
E:\
F:\
G:\
H:\
Scan statistics
Files scanned: 113223
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 04:03:03

File name Threat name Threats count
C:\Users\R. Shively\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report0d2e8f2f\Report.cab Infected: Trojan.Win32.Monder.gen 1
C:\Users\R. Shively\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report0dc008c5\Report.cab Infected: Trojan.Win32.Monder.gen 1
The selected area was scanned.
  • 0

#8
fenzodahl512
  • Malware Removal
  • 9,863 posts
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Users\R. Shively\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report0d2e8f2f\Report.cab
C:\Users\R. Shively\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report0dc008c5\Report.cab

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After the reboot (if it asks for one), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log
  • Tell me about your computer behaviour now.

  • 0
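Added worked example (editor's code, not part of this thread, of ComboFix or of Kaspersky's scanner): the script below reads detection lines in the "<path> Infected: <threat> <count>" layout the Kaspersky report in post #7 used, emits the File:: block post #8 asks for, and tags each path by the kind of folder it sits in. The sample input is the two detection lines copied from post #7. The folder list used for tagging is the editor's assumption: both hits here are inside Windows Error Reporting's ReportArchive, where WER stores crash-report packages, so a signature match there means the archive captured data from a process that crashed with the trojan loaded (consistent with the Explorer crashes described at the top of the thread), not a location anything runs from. That is why those files are cleared as a last step, after the autostart entries were already dealt with.

```python
"""Build a ComboFix CFScript from Kaspersky Online Scanner detections.

Added example for this thread (editor's code, not part of ComboFix or of
Kaspersky's scanner).  It reads the "<path> Infected: <threat> <count>" lines
the scanner printed, tags each path by the kind of folder it sits in, and
emits the File:: block the helper asked the user to paste into Notepad.
"""
import re
from pathlib import PureWindowsPath
from typing import Iterable, List, Tuple

# Constructed sample: the header, the two detection lines and the trailer
# as they appear in the Kaspersky report earlier in the thread.
SAMPLE_REPORT = r"""
File name Threat name Threats count
C:\Users\R. Shively\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report0d2e8f2f\Report.cab Infected: Trojan.Win32.Monder.gen 1
C:\Users\R. Shively\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report0dc008c5\Report.cab Infected: Trojan.Win32.Monder.gen 1
The selected area was scanned.
"""

# One detection line.  Paths contain spaces ("R. Shively"), so the match is
# anchored on the literal "Infected:" / "Suspicious:" marker, not on whitespace.
DETECTION = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<kind>Infected|Suspicious):\s+"
    r"(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)


def parse_detections(report: str) -> List[Tuple[str, str]]:
    """Return (path, threat) for every detection line; header/trailer are skipped."""
    found = []
    for line in report.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            found.append((m.group("path"), m.group("threat")))
    return found


def classify(path: str) -> str:
    """Tag a detected path by the kind of location it is in.

    The folder list is this editor's assumption, not something either tool
    defines:
      WER/ReportArchive            crash-report packages written by Windows
                                   Error Reporting; a hit here is data captured
                                   from a process that crashed with the trojan
                                   loaded, not a place anything runs from
      QUARANTINE, VundoFix Backups copies kept by earlier cleanup tools
    Anything else comes back as "review": it may be a live component.
    """
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    if "wer" in parts and "reportarchive" in parts:
        return "crash-report archive"
    if "quarantine" in parts or "vundofix backups" in parts:
        return "tool backup/quarantine"
    return "review"


def build_cfscript(paths: Iterable[str]) -> str:
    """Emit a CFScript: a File:: directive followed by one absolute path per line."""
    unique = list(dict.fromkeys(paths))  # drop duplicates, keep order
    return "\n".join(["File::", *unique]) + "\n"


if __name__ == "__main__":
    detections = parse_detections(SAMPLE_REPORT)
    for path, threat in detections:
        print(f"{classify(path):24} {threat}  {path}")
    print()
    # Save this output as CFScript.txt and drag it onto ComboFix.exe.
    print(build_cfscript(path for path, _ in detections), end="")
```

Run it as-is to see the two paths tagged "crash-report archive" followed by the File:: block; paste the scanner's own report text in place of SAMPLE_REPORT to use it on a different log. A path that comes back as "review" is the one to look at before scripting its deletion, since it may still be loaded by a running process.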

#9
NinjaShives
    New Member
  • Topic Starter
  • Member
  • 6 posts
That seemed to work! I can see a slight increase in performance and I haven't had any black screen trouble for a while now. Thanks! How do my logs look?

Here's Combofix:

ComboFix 08-07-03.5 - R. Shively 2008-07-05 10:09:19.2 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.2151 [GMT -4:00]
Running from: C:\Users\R. Shively\Desktop\ComboFix.exe
Command switches used :: C:\Users\R. Shively\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Users\R. Shively\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report0d2e8f2f\Report.cab
C:\Users\R. Shively\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report0dc008c5\Report.cab
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\R. Shively\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report0d2e8f2f\Report.cab
C:\Users\R. Shively\AppData\Local\Microsoft\Windows\WER\ReportArchive\Report0dc008c5\Report.cab

.
((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))
.

2008-07-04 15:30 . 2008-07-04 15:30 320,079,877 --a------ C:\Windows\MEMORY.DMP
2008-07-03 22:18 . 2008-07-03 22:18 <DIR> d-------- C:\Users\All Users\WindowsSearch
2008-07-03 22:18 . 2008-07-03 22:18 <DIR> d-------- C:\ProgramData\WindowsSearch
2008-07-02 21:42 . 2008-07-04 15:39 <DIR> d-------- C:\Program Files\Panda Security
2008-07-01 23:44 . 2008-07-04 15:37 <DIR> d-------- C:\Users\R. Shively\AppData\Roaming\SUPERAntiSpyware.com
2008-07-01 23:44 . 2008-07-01 23:44 <DIR> d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-07-01 23:44 . 2008-07-01 23:44 <DIR> d-------- C:\ProgramData\SUPERAntiSpyware.com
2008-07-01 23:44 . 2008-07-02 19:39 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-01 23:29 . 2008-07-01 23:29 <DIR> d-------- C:\Users\R. Shively\AppData\Roaming\Malwarebytes
2008-07-01 23:29 . 2008-07-01 23:29 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-07-01 23:29 . 2008-07-01 23:29 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-07-01 23:29 . 2008-07-01 23:29 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-01 23:29 . 2008-06-28 14:16 34,296 --a------ C:\Windows\System32\drivers\mbamcatchme.sys
2008-07-01 23:29 . 2008-06-28 14:16 17,144 --a------ C:\Windows\System32\drivers\mbam.sys
2008-07-01 23:28 . 2008-07-01 23:28 <DIR> d-------- C:\Users\R. Shively\AppData\Roaming\Download Manager
2008-07-01 23:06 . 2008-07-03 14:26 <DIR> d-------- C:\VundoFix Backups
2008-06-28 09:46 . 2008-06-28 09:46 0 --a------ C:\OrbPVR.db
2008-06-27 23:05 . 2008-06-27 23:05 24,576 --a------ C:\Windows\System32\VundoFixSVC.exe
2008-06-27 22:32 . 2008-06-27 22:32 <DIR> d-------- C:\Program Files\ProcessExplorer
2008-06-17 19:34 . 2008-06-17 19:34 <DIR> d-------- C:\PerfLogs
2008-06-14 23:31 . 2008-06-15 02:04 <DIR> d-------- C:\QUARANTINE
2008-06-14 23:28 . 2008-06-14 23:28 <DIR> d-------- C:\Users\All Users\McAfee
2008-06-14 23:28 . 2008-06-14 23:28 <DIR> d-------- C:\ProgramData\McAfee
2008-06-14 23:28 . 2008-06-14 23:30 <DIR> d-------- C:\Program Files\Common Framework
2008-06-14 23:28 . 2008-06-14 23:28 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-06-14 23:28 . 2006-12-19 15:06 1,495,552 --a------ C:\Windows\System32\epoPGPsdk.dll
2008-06-14 23:28 . 2006-12-19 15:06 280 --a------ C:\Windows\System32\epoPGPsdk.dll.sig
2008-06-14 23:27 . 2008-06-14 23:27 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-06-14 23:27 . 2007-02-22 20:50 170,408 --a------ C:\Windows\System32\drivers\mfehidk.sys
2008-06-14 23:27 . 2006-11-30 08:50 72,264 --a------ C:\Windows\System32\drivers\mfeavfk.sys
2008-06-14 23:27 . 2006-11-30 08:50 64,360 --a------ C:\Windows\System32\drivers\mfeapfk.sys
2008-06-14 23:27 . 2006-11-30 08:50 52,136 --a------ C:\Windows\System32\drivers\mfetdik.sys
2008-06-14 23:27 . 2006-11-30 08:50 34,152 --a------ C:\Windows\System32\drivers\mfebopk.sys
2008-06-14 23:23 . 2008-06-14 23:29 <DIR> d-------- C:\Program Files\VirusScan
2008-06-14 23:21 . 2007-10-26 20:46 779,800 --a------ C:\Windows\System32\PresentationNative_v0300.dll
2008-06-14 23:21 . 2007-10-26 20:46 579,584 --a------ C:\Windows\System32\icardagt.exe
2008-06-14 23:21 . 2007-10-26 20:46 350,744 --a------ C:\Windows\System32\PresentationHost.exe
2008-06-14 23:21 . 2007-10-26 20:46 106,520 --a------ C:\Windows\System32\PresentationCFFRasterizerNative_v0300.dll
2008-06-14 23:21 . 2007-10-26 20:46 33,304 --a------ C:\Windows\System32\PresentationHostProxy.dll
2008-06-14 23:21 . 2007-10-26 20:46 11,776 --a------ C:\Windows\System32\icardres.dll
2008-06-14 23:19 . 2008-06-27 21:31 1,120 --a------ C:\Windows\wininit.ini
2008-06-14 23:15 . 2007-10-26 20:46 41,984 --a------ C:\Windows\System32\netfxperf.dll
2008-06-14 23:09 . 2008-06-15 22:47 <DIR> d-------- C:\Program Files\DVMSToolbox
2008-06-14 22:37 . 2008-06-14 22:37 356,352 --a------ C:\Windows\eSellerateEngine.dll
2008-06-14 21:04 . 2008-06-14 21:04 <DIR> d-------- C:\Temp\Sony Corporation
2008-06-14 21:04 . 2008-06-14 21:04 <DIR> d-------- C:\Temp
2008-06-14 09:56 . 2008-06-14 10:03 <DIR> d-------- C:\Users\R. Shively\AppData\Roaming\Corel
2008-06-14 09:56 . 2008-06-14 09:56 <DIR> d-------- C:\Users\Administrator\Documents
2008-06-14 09:56 . 2008-06-14 09:56 <DIR> d-------- C:\Users\Administrator
2008-06-14 09:56 . 2008-06-14 09:59 3,140 --ahs---- C:\Windows\System32\KGyGaAvL.sys
2008-06-14 09:56 . 2008-06-14 09:56 88 -r-hs---- C:\Windows\System32\2661629778.sys
2008-06-14 09:51 . 2008-06-14 09:51 <DIR> d-------- C:\VAIO Entertainment
2008-06-13 23:15 . 2008-06-13 23:15 <DIR> d-------- C:\Users\R. Shively\AppData\Roaming\ArcSoft
2008-06-13 23:13 . 2008-06-27 20:12 <DIR> d-------- C:\Users\R. Shively\AppData\Roaming\skypePM
2008-06-13 23:13 . 2008-06-13 23:13 56 --ah----- C:\Windows\System32\ezsidmv.dat
2008-06-13 23:12 . 2008-06-27 20:33 <DIR> d-------- C:\Users\R. Shively\AppData\Roaming\Skype
2008-06-13 23:12 . 2008-06-13 23:12 <DIR> d-------- C:\Users\All Users\Skype
2008-06-13 23:12 . 2008-06-13 23:12 <DIR> d-------- C:\ProgramData\Skype
2008-06-13 23:12 . 2008-06-13 23:12 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-06-13 23:11 . 2008-06-13 23:12 <DIR> d-------- C:\Program Files\Skype
2008-06-13 18:43 . 2008-06-13 19:10 <DIR> d-------- C:\Windows\LMIB9FC.tmp
2008-06-13 17:37 . 2008-04-23 00:42 428,544 --a------ C:\Windows\System32\EncDec.dll
2008-06-13 17:37 . 2008-04-23 00:42 293,376 --a------ C:\Windows\System32\psisdecd.dll
2008-06-13 17:37 . 2008-04-23 00:41 218,624 --a------ C:\Windows\System32\psisrndr.ax
2008-06-13 17:37 . 2008-01-19 03:33 80,896 --a------ C:\Windows\System32\MSNP.ax
2008-06-13 17:37 . 2008-01-19 03:33 69,632 --a------ C:\Windows\System32\Mpeg2Data.ax
2008-06-13 17:36 . 2008-04-23 00:41 57,856 --a------ C:\Windows\System32\MSDvbNP.ax
2008-06-11 07:00 . 2008-04-24 22:12 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-06-11 07:00 . 2008-04-26 04:08 1,314,816 --a------ C:\Windows\System32\quartz.dll
2008-06-11 07:00 . 2008-04-25 00:35 826,880 --a------ C:\Windows\System32\wininet.dll
2008-06-11 07:00 . 2008-05-09 21:33 113,664 --a------ C:\Windows\System32\drivers\rmcast.sys
2008-06-09 21:25 . 2008-01-19 03:35 9,847,296 --a------ C:\Windows\System32\NlsData000a.dll
2008-06-09 21:24 . 2008-01-19 02:06 8,147,456 --a------ C:\Windows\System32\wmploc.DLL
2008-06-09 21:23 . 2008-01-19 03:36 704,512 --a------ C:\Windows\System32\SmiEngine.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-04 19:27 --------- d---a-w C:\ProgramData\TEMP
2008-07-02 03:44 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-30 03:28 --------- d-----w C:\Program Files\Java
2008-06-30 02:40 --------- d-----w C:\Users\R. Shively\AppData\Roaming\uTorrent
2008-06-28 01:43 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-06-25 00:48 --------- d-----w C:\Program Files\FlashGet
2008-06-21 14:16 27,810 ----a-w C:\Users\R. Shively\AppData\Roaming\nvModes.dat
2008-06-21 13:22 --------- d-----w C:\ProgramData\Symantec
2008-06-21 13:22 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-19 23:51 --------- d-----w C:\Program Files\WinAMP
2008-06-19 00:17 --------- d-----w C:\Users\R. Shively\AppData\Roaming\WinAMP
2008-06-18 23:11 --------- d-----w C:\Program Files\Mozilla
2008-06-17 23:52 --------- d-----w C:\ProgramData\NVIDIA
2008-06-17 23:48 174 --sha-w C:\Program Files\desktop.ini
2008-06-17 23:38 --------- d-----w C:\Program Files\Windows Sidebar
2008-06-17 23:38 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-06-17 23:38 --------- d-----w C:\Program Files\Windows Mail
2008-06-17 23:38 --------- d-----w C:\Program Files\Windows Journal
2008-06-17 23:38 --------- d-----w C:\Program Files\Windows Defender
2008-06-17 23:38 --------- d-----w C:\Program Files\Windows Collaboration
2008-06-17 23:38 --------- d-----w C:\Program Files\Windows Calendar
2008-06-17 23:17 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-06-17 23:17 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-06-15 03:54 --------- d-----w C:\Program Files\Microsoft.NET
2008-06-15 02:41 --------- d-----w C:\Program Files\Codecs
2008-06-15 02:34 --------- d-----w C:\Users\R. Shively\AppData\Roaming\Sony Corporation
2008-06-15 01:04 --------- d-----w C:\ProgramData\Sony Corporation
2008-06-13 23:01 --------- d-----w C:\Program Files\Norton 360
2008-06-13 01:46 --------- d-----w C:\Program Files\SpyBlaster
2008-06-09 03:13 --------- d-----w C:\Program Files\AdAware
2008-06-03 22:43 --------- d-----w C:\Users\R. Shively\AppData\Roaming\TMNT
2008-06-03 22:41 108,144 ----a-w C:\Windows\System32\CmdLineExt.dll
2008-06-03 22:41 --------- d-----r C:\Users\R. Shively\AppData\Roaming\SecuROM
2008-06-03 22:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-01 00:42 --------- d-----w C:\Users\R. Shively\AppData\Roaming\InterVideo
2008-05-31 21:05 --------- d-----w C:\Users\R. Shively\AppData\Roaming\FlashGet
2008-05-31 18:16 32,832 ----a-w C:\Windows\System32\zlib1.zip
2008-05-31 07:35 --------- d-----w C:\ProgramData\AOL OCP
2008-05-31 07:34 --------- d-----w C:\Users\R. Shively\AppData\Roaming\acccore
2008-05-31 07:34 --------- d-----w C:\ProgramData\Viewpoint
2008-05-31 07:34 --------- d-----w C:\ProgramData\AOL
2008-05-31 07:34 --------- d-----w C:\Program Files\Viewpoint
2008-05-31 07:34 --------- d-----w C:\Program Files\AIM6
2008-05-31 07:33 --------- d-----w C:\Program Files\Common Files\AOL
2008-05-31 04:07 --------- d-----w C:\Program Files\VistaCodecPack
2008-05-31 04:06 --------- d-----w C:\ProgramData\VistaCodecs
2008-05-31 03:00 --------- d-----w C:\ProgramData\FLEXnet
2008-05-31 02:37 --------- d-----w C:\Users\R. Shively\AppData\Roaming\SystemRequirementsLab
2008-05-30 22:48 --------- d-----w C:\Users\R. Shively\AppData\Roaming\TMNT Demo
2008-05-30 10:49 988,216 ----a-w C:\Windows\System32\winload.exe
2008-05-30 10:49 927,288 ----a-w C:\Windows\System32\winresume.exe
2008-05-30 10:49 615,992 ----a-w C:\Windows\System32\ci.dll
2008-05-30 10:49 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-05-30 10:49 46,592 ----a-w C:\Windows\System32\setbcdlocale.dll
2008-05-30 10:49 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-05-30 10:49 378,368 ----a-w C:\Windows\System32\srcore.dll
2008-05-30 10:49 318,464 ----a-w C:\Windows\System32\rstrui.exe
2008-05-30 10:49 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-05-30 10:49 14,848 ----a-w C:\Windows\System32\srdelayed.exe
2008-05-30 04:36 --------- d-----w C:\Users\R. Shively\AppData\Roaming\Roxio
2008-05-30 04:36 --------- d-----w C:\ProgramData\Roxio
2008-05-30 04:35 --------- d-----w C:\ProgramData\Sonic
2008-05-30 04:25 --------- d-----w C:\Program Files\DAEMON
2008-05-30 04:20 717,296 ----a-w C:\Windows\system32\drivers\sptd.sys
2008-05-30 04:19 --------- d-----w C:\Users\R. Shively\AppData\Roaming\DAEMON Tools
2008-05-30 02:41 --------- d-----w C:\Users\R. Shively\AppData\Roaming\vlc
2008-05-30 02:39 --------- d-----w C:\Program Files\VLC
2008-05-30 02:34 --------- d-----w C:\Users\R. Shively\AppData\Roaming\Crystal Player
2008-05-30 02:14 --------- d-----w C:\Program Files\Sony
2008-05-30 02:09 --------- d-----w C:\Users\R. Shively\AppData\Roaming\InstallShield
2008-05-30 01:33 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-05-30 01:33 --------- d-----w C:\Program Files\Common Files\L&H
2008-05-30 01:32 --------- d-----w C:\Program Files\Microsoft Works
2008-05-30 01:28 --------- d-----w C:\Program Files\Microsoft Small Business
2008-05-30 01:26 --------- d-----w C:\ProgramData\Microsoft Help
2008-05-30 01:11 --------- d-----w C:\Program Files\Utorrent
2008-05-29 04:17 737,280 ----a-w C:\Windows\iun6002.exe
2008-05-29 03:26 --------- d-----w C:\ProgramData\Lavasoft
2008-05-29 03:06 --------- d-----w C:\Program Files\SpyBot
2008-05-29 02:36 --------- d-----w C:\Program Files\CDisplay
2008-05-29 02:35 --------- d-----w C:\Program Files\Ares
2008-05-29 01:58 --------- d-----w C:\Users\R. Shively\AppData\Roaming\Talkback
2008-05-29 00:47 --------- d-----w C:\Users\R. Shively\AppData\Roaming\Symantec
2008-05-29 00:23 295,936 ----a-w C:\Windows\System32\gdi32.dll
2008-05-29 00:23 2,032,128 ----a-w C:\Windows\System32\win32k.sys
2008-05-29 00:22 540,672 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-05-29 00:22 458,752 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-05-29 00:22 4,240,384 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-05-29 00:22 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-05-29 00:22 2,153,984 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-05-29 00:22 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-05-29 00:22 1,695,744 ----a-w C:\Windows\System32\gameux.dll
2008-05-29 00:16 --------- d-----w C:\Users\R. Shively\AppData\Roaming\Webroot
2008-05-29 00:02 --------- d-sh--w C:\ProgramData\Templates
2008-05-29 00:02 --------- d-sh--w C:\ProgramData\Start Menu
2008-05-29 00:02 --------- d-sh--w C:\ProgramData\Favorites
2008-05-29 00:02 --------- d-sh--w C:\ProgramData\Documents
2008-05-29 00:02 --------- d-sh--w C:\ProgramData\Desktop
2008-05-29 00:02 --------- d-sh--w C:\ProgramData\Application Data
2008-05-16 15:58 12,632 ----a-w C:\Windows\System32\lsdelete.exe
.

((((((((((((((((((((((((((((( [email protected]_15.23.08.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-04 19:18:53 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-07-05 02:29:59 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-07-04 19:30:11 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-07-04 19:30:11 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-07-04 19:19:20 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-07-04 19:32:39 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-07-04 19:19:20 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-07-04 19:31:58 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-07-04 04:09:02 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-07-04 19:30:40 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-07-04 04:09:02 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-04 19:30:40 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-07-04 04:09:02 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-07-04 19:30:40 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-07-04 02:56:06 123,200 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-07-04 19:38:17 123,200 ----a-w C:\Windows\System32\perfc009.dat
- 2008-07-04 02:56:06 653,386 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-07-04 19:38:17 653,386 ----a-w C:\Windows\System32\perfh009.dat
- 2008-07-02 22:36:12 8,606 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3393763136-3156920360-659926913-1003_UserData.bin
+ 2008-07-04 19:32:31 8,778 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3393763136-3156920360-659926913-1003_UserData.bin
- 2008-07-02 22:36:12 76,824 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-07-04 19:32:30 77,082 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-07-04 02:18:15 264,456 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
+ 2008-07-05 02:30:09 268,096 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AOLOverlayIcon]
@="{AB0C8BE3-041C-47d6-8195-E089D32B38DD}"
[HKEY_CLASSES_ROOT\CLSID\{AB0C8BE3-041C-47d6-8195-E089D32B38DD}]
2007-10-05 20:03 303104 --a------ C:\DDI\overicon.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 03:33 1233920]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 03:33 125952]
"DAEMON Tools Lite"="C:\Program Files\DAEMON\DAEMON Tools Lite\daemon.exe" [2008-04-01 05:39 486856]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-06-03 15:08 21718312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AppMon Utility"="C:\Program Files\Sony\AppMonUtil\AppMonUtility.exe" [2007-09-20 20:52 542560]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"VAIO Center Access Bar"="c:\program files\sony\VAIO Center Access Bar\VCAB.exe" [2007-09-06 19:38 53248]
"VAIO Help and Support Demo"="C:\Program Files\Sony\VAIO Help and Support Demo\LaunchVHSD.exe" [2007-08-27 20:54 290816]
"VAIORegistration"="C:\Program Files\Sony\First Experience\WelcomeLauncher.exe" [2007-10-17 18:40 20480]
"VWLASU"="C:\Program Files\Sony\VAIO PC Wireless LAN Wizard\AutoLaunchWLASU.exe" [2007-10-12 20:29 45056]
"VAIOSurvey"="C:\Program Files\Sony\VAIO Survey\Vista VAIO Survey.exe" [2007-07-20 19:30 577536]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ShStatEXE"="C:\Program Files\VirusScan\SHSTAT.EXE" [2007-02-22 20:50 112216]
"McAfeeUpdaterUI"="C:\Program Files\Common Framework\UdaterUI.exe" [2006-12-19 11:27 136768]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-11-06 20:13 8497696]
"WinampAgent"="C:\Program Files\WinAMP\winampa.exe" [2008-04-01 14:49 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"FilterAdministratorToken"= 1 (0x1)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"= 2 (0x2)
"DontDisplayLogonHoursWarnings"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-07-02 19:33 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-02 19:33 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2007-08-15 00:05 98304 C:\Windows\System32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= C:\Program Files\Common Files\Sony Shared\VideoLib\sonydv.dll
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{21A02309-433A-421F-8F4D-B5DF6431FAA2}"= UDP:C:\Program Files\Sony\LocationFreePlayer\LFPC3\LFPC3.exe:LocationFree Player
"{F9DA8037-E39D-40EB-8E15-FAE60915B135}"= TCP:C:\Program Files\Sony\LocationFreePlayer\LFPC3\LFPC3.exe:LocationFree Player
"{C065FF53-E62E-4FCA-94B7-8753F2D2D042}"= Disabled:UDP:C:\Program Files\Sony\VAIO Media 6.0\Vc.exe:[VAIO Media] VAIO Media
"{E71B1582-2948-4262-9EB8-53723CDA61A7}"= Disabled:TCP:C:\Program Files\Sony\VAIO Media 6.0\Vc.exe:[VAIO Media] VAIO Media
"{D0191166-03AF-40E2-8898-4FB00DD06921}"= UDP:C:\Program Files\Sony\VAIO Media 6.0\Vc.exe:[VAIO Media] VAIO Media
"{9FDC2C5E-ADC7-455E-8736-A51EDC676CB9}"= TCP:C:\Program Files\Sony\VAIO Media 6.0\Vc.exe:[VAIO Media] VAIO Media
"{73779FDD-742E-4019-B9AD-79823B3832FC}"= UDP:C:\Program Files\Winamp Remote\bin\Orb.exe:Orb
"{AB60B2E8-B8D5-4E42-9E6E-17F3D90B6651}"= TCP:C:\Program Files\Winamp Remote\bin\Orb.exe:Orb
"{2705C086-AF38-409A-9C53-E8A2F7D8BEA6}"= UDP:C:\Program Files\Winamp Remote\bin\OrbTray.exe:OrbTray
"{838624EF-BEA9-4BBA-91FC-CF8B27429618}"= TCP:C:\Program Files\Winamp Remote\bin\OrbTray.exe:OrbTray
"{62B93DEF-CD65-41B3-8D07-08DBD8F889B0}"= UDP:C:\Program Files\Winamp Remote\bin\OrbIR.exe:OrbIR
"{928851EA-3F8B-496B-BB4C-85ED5B68CB4D}"= TCP:C:\Program Files\Winamp Remote\bin\OrbIR.exe:OrbIR
"{B9678CC5-7619-4556-8781-2A52CB712C18}"= UDP:C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client
"{06909D07-0B9D-40A4-A9AA-0617BF798E0B}"= TCP:C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client
"{1A1F40B6-D911-4111-9459-FBE5F9A56382}"= UDP:C:\Program Files\Utorrent\utorrent.exe:µTorrent
"{19D8135C-4940-4EF2-94E4-8CDC16A9CFF9}"= TCP:C:\Program Files\Utorrent\utorrent.exe:µTorrent
"TCP Query User{E584B590-B42F-4375-B0AE-54D8DC37A325}C:\\program files\\winamp remote\\bin\\orb.exe"= UDP:C:\program files\winamp remote\bin\orb.exe:Orb Application
"UDP Query User{E68F66E0-08C3-4659-B4A9-A7044A3DBA9A}C:\\program files\\winamp remote\\bin\\orb.exe"= TCP:C:\program files\winamp remote\bin\orb.exe:Orb Application
"TCP Query User{BAFD8B43-721C-445A-9AC8-ACE8B2AAB2E0}C:\\program files\\winamp remote\\bin\\orbir.exe"= UDP:C:\program files\winamp remote\bin\orbir.exe:OrbIR
"UDP Query User{3F15D87F-3F23-40BB-8867-35791A20FB4C}C:\\program files\\winamp remote\\bin\\orbir.exe"= TCP:C:\program files\winamp remote\bin\orbir.exe:OrbIR
"TCP Query User{ABB1B01D-9249-4D19-9A66-73A35E87EDA4}C:\\program files\\vongo\\vongotray.exe"= UDP:C:\program files\vongo\vongotray.exe:StarzTray
"UDP Query User{A1144E99-DBE1-4780-AEE4-AA19D09EB0DA}C:\\program files\\vongo\\vongotray.exe"= TCP:C:\program files\vongo\vongotray.exe:StarzTray
"{EE8990F3-1AC0-43FC-9FF2-1E8E780C67D7}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{3CBAA899-CFFD-461C-A7C3-36E60AE23F79}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{2CC0FE79-B29C-4B83-905C-DE64762C21ED}"= UDP:C:\Program Files\AIM6\aim6.exe:AIM
"{FBD6347F-5D04-41E4-8C88-0E3135EDBB58}"= TCP:C:\Program Files\AIM6\aim6.exe:AIM
"TCP Query User{C43F32DC-8B8D-4E05-BAAF-1A623A6332E2}C:\\program files\\flashget\\flashget.exe"= UDP:C:\program files\flashget\flashget.exe:FlashGet
"UDP Query User{62A1DAA7-9CA5-4FD8-96D0-9476A3EFC6BF}C:\\program files\\flashget\\flashget.exe"= TCP:C:\program files\flashget\flashget.exe:FlashGet
"TCP Query User{4677158F-32B5-44DA-AF09-BE1C7FD6DDC3}C:\\program files\\mozilla\\flashget\\flashget.exe"= UDP:C:\program files\mozilla\flashget\flashget.exe:FlashGet
"UDP Query User{02332439-90EF-4300-BFAC-78816A3188A0}C:\\program files\\mozilla\\flashget\\flashget.exe"= TCP:C:\program files\mozilla\flashget\flashget.exe:FlashGet
"TCP Query User{E60A7870-3687-4044-843C-8CC2D2DFD3E8}C:\\program files\\mozilla\\firefox.exe"= UDP:C:\program files\mozilla\firefox.exe:Firefox
"UDP Query User{86242FA1-C804-48BB-BA1E-01694B19CB78}C:\\program files\\mozilla\\firefox.exe"= TCP:C:\program files\mozilla\firefox.exe:Firefox
"TCP Query User{FFBFFB0B-644D-4C74-A1CE-53D56A285849}C:\\windows\\lmib9fc.tmp\\lmi_rescue.exe"= UDP:C:\windows\lmib9fc.tmp\lmi_rescue.exe:LogMeIn Rescue
"UDP Query User{6BF9BEDE-BE1A-4E1E-BE90-BAB2BBEA23DE}C:\\windows\\lmib9fc.tmp\\lmi_rescue.exe"= TCP:C:\windows\lmib9fc.tmp\lmi_rescue.exe:LogMeIn Rescue
"TCP Query User{2670201C-63E6-4661-BA9D-8D44D6896AB0}C:\\windows\\ehome\\ehexthost.exe"= UDP:C:\windows\ehome\ehexthost.exe:Media Center Extensibility Host
"UDP Query User{517BAF80-6E6C-4FBB-80ED-F8DB42B4B6BB}C:\\windows\\ehome\\ehexthost.exe"= TCP:C:\windows\ehome\ehexthost.exe:Media Center Extensibility Host
"{7069B814-919D-461D-86CC-573E77D0B823}"= C:\Program Files\Skype\Phone\Skype.exe:Skype
"{B053FB2D-0F41-4DB2-8B41-5C61E2BB2962}"= UDP:C:\Program Files\Common Framework\FrameworkService.exe:McAfee Framework Service
"{08C457ED-6D03-4A32-BC4D-984AF87BFE75}"= TCP:C:\Program Files\Common Framework\FrameworkService.exe:McAfee Framework Service
"TCP Query User{CCBEC2E6-E690-40C4-B054-1BD5B74B1713}C:\\program files\\vongo\\vongo.exe"= Disabled:UDP:C:\program files\vongo\vongo.exe:Vongo
"UDP Query User{A9AEEB2A-C19F-49DC-BACF-953173DE1057}C:\\program files\\vongo\\vongo.exe"= Disabled:TCP:C:\program files\vongo\vongo.exe:Vongo

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DefaultOutboundAction"= 0 (0x0)
"DefaultInboundAction"= 1 (0x1)

R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ []
R2 NSUService;NSUService;"C:\Program Files\Sony\Network Utility\NSUService.exe" [2007-11-26 14:50]
R2 regi;regi;C:\Windows\system32\drivers\regi.sys [2007-04-18 00:09]
R2 uCamMonitor;CamMonitor;C:\Program Files\ArcSoft\Magic-i Visual Effects\uCamMonitor.exe [2007-10-31 13:40]
R2 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;"C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe" [2007-09-29 01:11]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;C:\Windows\system32\DRIVERS\ArcSoftKsUFilter.sys [2007-10-29 23:30]
R3 R5U870FLx86;R5U870 UVC Lower Filter ;C:\Windows\system32\Drivers\R5U870FLx86.sys [2007-11-07 23:04]
R3 R5U870FUx86;R5U870 UVC Upper Filter ;C:\Windows\system32\Drivers\R5U870FUx86.sys [2007-11-07 23:04]
R3 SFEP;Sony Firmware Extension Parser;C:\Windows\system32\DRIVERS\SFEP.sys [2007-08-28 21:58]
R3 ti21sony;ti21sony;C:\Windows\system32\drivers\ti21sony.sys [2007-06-05 20:00]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2007-09-19 20:11]
S3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;C:\Program Files\Sony\VAIO Media Integrated Server\UCLS.exe [2007-01-10 20:51]
S3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);"C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-UCLS-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\UCLS\HTTP" []
S3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [2007-08-09 04:51]
S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;"C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe" [2007-09-20 22:52]

*Newly Created Service* - SASDIFSV
*Newly Created Service* - SASENUM
.
Contents of the 'Scheduled Tasks' folder
"2008-05-29 03:11:52 C:\Windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\SpyBot\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-05 10:13:38
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-05 10:14:43
ComboFix-quarantined-files.txt 2008-07-05 14:14:40
ComboFix2.txt 2008-07-04 19:24:07

Pre-Run: 312,289,095,680 bytes free
Post-Run: 312,295,251,968 bytes free

355 --- E O F --- 2008-06-25 07:01:02


And here's a new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:01:32 AM, on 7/5/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Sony\AppMonUtil\AppMonUtility.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Sony\VAIO PC Wireless LAN Wizard\AutoLaunchWLASU.exe
C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
C:\Program Files\VirusScan\shstat.exe
C:\Program Files\Common Framework\UdaterUI.exe
C:\Program Files\WinAMP\winampa.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON\DAEMON Tools Lite\daemon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Framework\McTray.exe
C:\Windows\System32\mobsync.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - …7F - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [AppMon Utility] "C:\Program Files\Sony\AppMonUtil\AppMonUtility.exe" @@@Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [VAIO Center Access Bar] "c:\program files\sony\VAIO Center Access Bar\VCAB.exe" 1
O4 - HKLM\..\Run: [VAIO Help and Support Demo] "C:\Program Files\Sony\VAIO Help and Support Demo\LaunchVHSD.exe"
O4 - HKLM\..\Run: [VAIORegistration] "C:\Program Files\Sony\First Experience\WelcomeLauncher.exe"
O4 - HKLM\..\Run: [VWLASU] "C:\Program Files\Sony\VAIO PC Wireless LAN Wizard\AutoLaunchWLASU.exe"
O4 - HKLM\..\Run: [VAIOSurvey] "C:\Program Files\Sony\VAIO Survey\Vista VAIO Survey.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\WinAMP\winampa.exe"
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: AOL DDI.lnk = C:\DDI\AOLICON.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\Flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\Flashget.exe
O13 - Gopher Prefix:
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\AdAware\aawservice.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\VirusScan\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\VirusScan\vstskmgr.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NSUService - Sony Corporation - C:\Program Files\Sony\Network Utility\NSUService.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\stacsv.exe
O23 - Service: CamMonitor (uCamMonitor) - ArcSoft, Inc. - C:\Program Files\ArcSoft\Magic-i Visual Effects\uCamMonitor.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Media Content Collection (VAIOMediaPlatform-UCLS-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\UCLS.exe
O23 - Service: VAIO Media Content Collection (HTTP) (VAIOMediaPlatform-UCLS-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Content Collection (UPnP) (VAIOMediaPlatform-UCLS-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Content Metadata Intelligent Analyzing Manager (VcmIAlzMgr) - Sony Corporation - C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe
O23 - Service: VAIO Content Metadata XML Interface (VcmXmlIfHelper) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\Windows\SYSTEM32\VundoFixSVC.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10241 bytes

#10
fenzodahl512
  • Malware Removal
  • 9,863 posts
Your log looks clean to my eyes...


Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
    Please note that the space between x and / is needed
NEXT


Please Install/Update Sun Java

Updating Java:
  • Go to Start --> Control Panel --> Add or Remove Programs.
  • Search the list for all previously installed versions of Java (J2SE Runtime Environment...).
  • It should have this icon next to it: Posted Image
  • Select it and click Remove. This will uninstall the previous (outdated) version of Java.
  • Then Download and install the newest version from here: Java Runtime Environment (JRE) 6 Update 6
NEXT


I noticed that you already have

1. McAfee Antivirus as your antivirus.
2. Malwarebytes as your antispyware.



However, I haven't seen any third-party firewall in your logs. Do you have one? If you don't, please install ONLY ONE of the free and excellent firewalls below:
After you install the third-party firewall, please disable the Windows firewall. Go to My Computer >> Control Panel >> Windows Firewall and choose the Off (not recommended) option. Then click Apply and OK.



Lastly, to keep your operating system up to date please visit the link below monthly

To learn more about how to protect yourself while on the internet read this excellent article by Tony Klein: So how did I get infected in the first place?

Please also read an excellent article by miekiemoes :Help! My computer is slow!

And another excellent article by CastleCops Malware Prevention: Prevent Re-infection

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :)



Have a safe and happy computing day!


Regards
fenzodahl512

#11
NinjaShives
    New Member
  • Topic Starter
  • Member
  • 6 posts
Ok, I'm now running PC Tools as a firewall, but it seems to slow down my system slightly at startup. I've got Spybot, SpywareBlaster, and Malwarebytes as well as Adaware for an occasional extra scan. I've noticed that McAfee slows down my system when the OAS runs, but it's not that much of a problem and is to be expected. My system still is kinda slow overall but I'm going to defragment tonight and see if that helps. Anyway, I'm trojan free now which makes me happy! Thanks so much for all your help! This site will definitely be my regular stop for finding computer solutions!

#12
fenzodahl512
  • Malware Removal
  • 9,863 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.