I seem to have a nasty Virus.
Started by
Sawson Salehpour
, Oct 14 2011 09:14 PM
#16
Posted 15 October 2011 - 08:19 AM
#17
Posted 15 October 2011 - 08:23 AM
I am going to run the rest of your fixes now. I will get back to the start menu after that.
#18
Posted 15 October 2011 - 08:24 AM
Start from step 2 on the page I linked to and then download the relevant zip file and follow the instructions - that should restore them. If not I may have another trick to play with
#19
Posted 15 October 2011 - 09:30 AM
So after 30+ minutes of running combofix I have a log file, and my start menu is looking normal again! YAY! Thanks. Here is the log file.
ComboFix 11-10-15.03 - Colin 10/15/2011 10:38:48.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1545 [GMT -4:00]
Running from: c:\users\Colin\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\VPro1000.exe
c:\windows\vspc1000.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-09-15 to 2011-10-15 )))))))))))))))))))))))))))))))
.
.
2011-10-15 15:07 . 2011-10-15 15:09 -------- d-----w- c:\users\Colin\AppData\Local\temp
2011-10-15 15:07 . 2011-10-15 15:07 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-10-15 15:07 . 2011-10-15 15:07 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-15 13:36 . 2011-10-15 13:36 28752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{23F6C359-AF9B-459D-B980-F76D4EAF058D}\MpKsl1ba61836.sys
2011-10-15 13:36 . 2011-10-15 13:36 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{23F6C359-AF9B-459D-B980-F76D4EAF058D}\offreg.dll
2011-10-15 13:34 . 2011-10-15 13:34 -------- d-----w- C:\_OTL
2011-10-15 13:29 . 2011-10-15 13:33 111872 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2011-10-15 03:14 . 2011-10-15 03:14 -------- d-----w- c:\programdata\WindowsSearch
2011-10-15 01:25 . 2011-10-15 01:25 388096 ----a-r- c:\users\Guest\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-10-15 01:25 . 2011-10-15 01:25 -------- d-----w- c:\program files\Trend Micro
2011-10-15 01:24 . 2011-10-15 01:24 -------- d-----w- c:\users\Colin\AppData\Roaming\Malwarebytes
2011-10-15 01:24 . 2011-10-15 01:24 -------- d-----w- c:\programdata\Malwarebytes
2011-10-15 01:24 . 2011-10-15 01:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-15 01:24 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-15 01:12 . 2011-09-12 23:14 7269712 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{23F6C359-AF9B-459D-B980-F76D4EAF058D}\mpengine.dll
2011-10-12 21:33 . 2011-10-12 21:32 703824 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B38EE5CF-5E68-4EAE-8F70-7EF631B4E892}\gapaengine.dll
2011-10-12 21:32 . 2011-07-29 16:01 293376 ----a-w- c:\windows\system32\psisdecd.dll
2011-10-12 21:32 . 2011-07-29 16:01 217088 ----a-w- c:\windows\system32\psisrndr.ax
2011-10-12 21:32 . 2011-09-06 13:30 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-10-12 21:32 . 2011-07-29 16:00 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2011-10-12 21:32 . 2011-07-29 16:00 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
2011-09-29 02:27 . 2011-09-29 02:27 -------- d-----w- C:\2d32536e854bd063e508598f802c
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-12 23:14 . 2011-06-22 17:13 7269712 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0A94B116-4504-4e26-AB05-E61E474AA38B}"= "c:\program files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL" [2008-09-22 61440]
.
[HKEY_CLASSES_ROOT\clsid\{0a94b116-4504-4e26-ab05-e61e474aa38b}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AOLOverlayIcon]
@="{AB0C8BE3-041C-47d6-8195-E089D32B38DD}"
[HKEY_CLASSES_ROOT\CLSID\{AB0C8BE3-041C-47d6-8195-E089D32B38DD}]
2008-02-03 00:27 303104 ------w- c:\ddi\OverIcon.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\users\Colin\Program Files\DNA\btdna.exe" [2010-09-02 323392]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-05 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-05 137752]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-23 4718592]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2008-02-23 122880]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2007-11-21 311296]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe" [2008-03-31 77824]
"VAIOMyMemCenter"="c:\program files\Sony\VAIO My Memory Center\VAIO MyMemCenter.exe" [2008-02-29 679936]
"VWLASU"="c:\program files\Sony\VAIO Wireless Wizard\AutoLaunchWLASU.exe" [2008-02-19 24576]
"VAIORegistration"="c:\program files\Sony\First Experience\WelcomeLauncher.exe" [2007-10-17 20480]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"Skytel"="Skytel.exe" [2008-01-23 1826816]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
c:\users\Colin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
VPro1000.lnk - c:\windows\VPro1000.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2007-08-15 03:05 98304 ----a-w- c:\windows\System32\VESWinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^AOLDDI.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AOLDDI.lnk
backup=c:\windows\pss\AOLDDI.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Help and Support Demo]
2007-08-28 00:54 290816 ----a-w- c:\program files\Sony\VAIO Help and Support Demo\LaunchVHSD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSurvey]
2007-07-20 22:30 577536 ----a-w- c:\program files\Sony\VAIO Survey\Vista VAIO Survey.exe
.
R3 cpuz130;cpuz130;c:\users\Colin\AppData\Local\Temp\cpuz130\cpuz_x32.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 phaudlwr;Philips Audio Filter;c:\windows\system32\DRIVERS\phaudlwr.sys [2007-07-12 88320]
R3 SOHCImp;VAIO Media plus Content Importer;c:\program files\Sony\VAIO Media plus\SOHCImp.exe [2008-03-05 104288]
R3 SOHDms;VAIO Media plus Digital Media Server;c:\program files\Sony\VAIO Media plus\SOHDms.exe [2008-03-05 350048]
R3 SOHDs;VAIO Media plus Device Searcher;c:\program files\Sony\VAIO Media plus\SOHDs.exe [2008-03-05 63328]
R3 SPC1000;USB2.0 PC Camera (SPC1000);c:\windows\system32\DRIVERS\spc1000.sys [2007-07-12 3033856]
R3 TrueSight;TrueSight;c:\windows\system32\drivers\TrueSight.sys [2011-10-15 111872]
R3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2008-03-03 333088]
R3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe [2008-03-03 87328]
R3 XDva219;XDva219;c:\windows\system32\XDva219.sys [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2008-10-30 717296]
S1 MpKsl1ba61836;MpKsl1ba61836;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{23F6C359-AF9B-459D-B980-F76D4EAF058D}\MpKsl1ba61836.sys [2011-10-15 28752]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys [2007-12-17 9344]
S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-06-06 812544]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL1BA61836
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\programdata\AOL\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
DPF: {5CA5E00D-80A8-475A-BF08-816FD56DBC38} - hxxp://support.kornet.net/sw5/order/Speed/cab/KTSpeedNewCtrl.cab
FF - ProfilePath - c:\users\Colin\AppData\Roaming\Mozilla\Firefox\Profiles\hrs184uz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
FF - prefs.js: network.proxy.type - 2
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension for Firefox: {B13721C7-F507-4982-B2E5-502A71474FED} - c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-spc1000 - c:\windows\vspc1000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-15 11:09
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-10-15 11:25:21
ComboFix-quarantined-files.txt 2011-10-15 15:24
.
Pre-Run: 36,529,963,008 bytes free
Post-Run: 37,001,797,632 bytes free
.
- - End Of File - - CA852558BB59A3C35EF4934BB65BC0CE
ComboFix 11-10-15.03 - Colin 10/15/2011 10:38:48.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1545 [GMT -4:00]
Running from: c:\users\Colin\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\VPro1000.exe
c:\windows\vspc1000.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-09-15 to 2011-10-15 )))))))))))))))))))))))))))))))
.
.
2011-10-15 15:07 . 2011-10-15 15:09 -------- d-----w- c:\users\Colin\AppData\Local\temp
2011-10-15 15:07 . 2011-10-15 15:07 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-10-15 15:07 . 2011-10-15 15:07 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-15 13:36 . 2011-10-15 13:36 28752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{23F6C359-AF9B-459D-B980-F76D4EAF058D}\MpKsl1ba61836.sys
2011-10-15 13:36 . 2011-10-15 13:36 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{23F6C359-AF9B-459D-B980-F76D4EAF058D}\offreg.dll
2011-10-15 13:34 . 2011-10-15 13:34 -------- d-----w- C:\_OTL
2011-10-15 13:29 . 2011-10-15 13:33 111872 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2011-10-15 03:14 . 2011-10-15 03:14 -------- d-----w- c:\programdata\WindowsSearch
2011-10-15 01:25 . 2011-10-15 01:25 388096 ----a-r- c:\users\Guest\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-10-15 01:25 . 2011-10-15 01:25 -------- d-----w- c:\program files\Trend Micro
2011-10-15 01:24 . 2011-10-15 01:24 -------- d-----w- c:\users\Colin\AppData\Roaming\Malwarebytes
2011-10-15 01:24 . 2011-10-15 01:24 -------- d-----w- c:\programdata\Malwarebytes
2011-10-15 01:24 . 2011-10-15 01:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-15 01:24 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-15 01:12 . 2011-09-12 23:14 7269712 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{23F6C359-AF9B-459D-B980-F76D4EAF058D}\mpengine.dll
2011-10-12 21:33 . 2011-10-12 21:32 703824 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B38EE5CF-5E68-4EAE-8F70-7EF631B4E892}\gapaengine.dll
2011-10-12 21:32 . 2011-07-29 16:01 293376 ----a-w- c:\windows\system32\psisdecd.dll
2011-10-12 21:32 . 2011-07-29 16:01 217088 ----a-w- c:\windows\system32\psisrndr.ax
2011-10-12 21:32 . 2011-09-06 13:30 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-10-12 21:32 . 2011-07-29 16:00 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2011-10-12 21:32 . 2011-07-29 16:00 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
2011-09-29 02:27 . 2011-09-29 02:27 -------- d-----w- C:\2d32536e854bd063e508598f802c
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-12 23:14 . 2011-06-22 17:13 7269712 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0A94B116-4504-4e26-AB05-E61E474AA38B}"= "c:\program files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL" [2008-09-22 61440]
.
[HKEY_CLASSES_ROOT\clsid\{0a94b116-4504-4e26-ab05-e61e474aa38b}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AOLOverlayIcon]
@="{AB0C8BE3-041C-47d6-8195-E089D32B38DD}"
[HKEY_CLASSES_ROOT\CLSID\{AB0C8BE3-041C-47d6-8195-E089D32B38DD}]
2008-02-03 00:27 303104 ------w- c:\ddi\OverIcon.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\users\Colin\Program Files\DNA\btdna.exe" [2010-09-02 323392]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-05 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-05 137752]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-23 4718592]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2008-02-23 122880]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2007-11-21 311296]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe" [2008-03-31 77824]
"VAIOMyMemCenter"="c:\program files\Sony\VAIO My Memory Center\VAIO MyMemCenter.exe" [2008-02-29 679936]
"VWLASU"="c:\program files\Sony\VAIO Wireless Wizard\AutoLaunchWLASU.exe" [2008-02-19 24576]
"VAIORegistration"="c:\program files\Sony\First Experience\WelcomeLauncher.exe" [2007-10-17 20480]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"Skytel"="Skytel.exe" [2008-01-23 1826816]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
c:\users\Colin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
VPro1000.lnk - c:\windows\VPro1000.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2007-08-15 03:05 98304 ----a-w- c:\windows\System32\VESWinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^AOLDDI.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AOLDDI.lnk
backup=c:\windows\pss\AOLDDI.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Help and Support Demo]
2007-08-28 00:54 290816 ----a-w- c:\program files\Sony\VAIO Help and Support Demo\LaunchVHSD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIOSurvey]
2007-07-20 22:30 577536 ----a-w- c:\program files\Sony\VAIO Survey\Vista VAIO Survey.exe
.
R3 cpuz130;cpuz130;c:\users\Colin\AppData\Local\Temp\cpuz130\cpuz_x32.sys [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2011-04-27 65024]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 208944]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 phaudlwr;Philips Audio Filter;c:\windows\system32\DRIVERS\phaudlwr.sys [2007-07-12 88320]
R3 SOHCImp;VAIO Media plus Content Importer;c:\program files\Sony\VAIO Media plus\SOHCImp.exe [2008-03-05 104288]
R3 SOHDms;VAIO Media plus Digital Media Server;c:\program files\Sony\VAIO Media plus\SOHDms.exe [2008-03-05 350048]
R3 SOHDs;VAIO Media plus Device Searcher;c:\program files\Sony\VAIO Media plus\SOHDs.exe [2008-03-05 63328]
R3 SPC1000;USB2.0 PC Camera (SPC1000);c:\windows\system32\DRIVERS\spc1000.sys [2007-07-12 3033856]
R3 TrueSight;TrueSight;c:\windows\system32\drivers\TrueSight.sys [2011-10-15 111872]
R3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2008-03-03 333088]
R3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe [2008-03-03 87328]
R3 XDva219;XDva219;c:\windows\system32\XDva219.sys [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2008-10-30 717296]
S1 MpKsl1ba61836;MpKsl1ba61836;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{23F6C359-AF9B-459D-B980-F76D4EAF058D}\MpKsl1ba61836.sys [2011-10-15 28752]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2011-04-18 43392]
S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys [2007-12-17 9344]
S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-06-06 812544]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL1BA61836
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\programdata\AOL\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
DPF: {5CA5E00D-80A8-475A-BF08-816FD56DBC38} - hxxp://support.kornet.net/sw5/order/Speed/cab/KTSpeedNewCtrl.cab
FF - ProfilePath - c:\users\Colin\AppData\Roaming\Mozilla\Firefox\Profiles\hrs184uz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
FF - prefs.js: network.proxy.type - 2
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension for Firefox: {B13721C7-F507-4982-B2E5-502A71474FED} - c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-spc1000 - c:\windows\vspc1000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-15 11:09
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-10-15 11:25:21
ComboFix-quarantined-files.txt 2011-10-15 15:24
.
Pre-Run: 36,529,963,008 bytes free
Post-Run: 37,001,797,632 bytes free
.
- - End Of File - - CA852558BB59A3C35EF4934BB65BC0CE
#20
Posted 15 October 2011 - 10:05 AM
That looks nice - what problems remain ?
Could you now update and run malwarebytes posting the resultant log
Could you now update and run malwarebytes posting the resultant log
#21
Posted 15 October 2011 - 10:11 AM
I can do that. The only thing that disturbs me at this point is my Start button has a gap between it and the first program open tab. I never remember seeing it there, before the virus, and I am unable to ask my wife because she is in class, and this is her laptop. Oh and also, none of my pictures preview like they used to. As in the icons are not thumbnails of the pictures themselves. Instead every picture is a specific picture icon. I might be spoiled because I have Windows 7 and this is Vista but I am fairly certain Vista previewed photos on the icons. Sorry I am just nit picking at this point it seems, but I really appreciate your help. I will run and post the logs now.
Thanks again
Sawson
Thanks again
Sawson
#22
Posted 15 October 2011 - 10:22 AM
Could you take a screenshot of the gap ?
Reset thumbnails in Vista :
Control Panel (Classic view) > Folder Options > View tab, uncheck 1st item (Always show icons, never thumbnails)
Then check to see if they are OK
Reset thumbnails in Vista :
Control Panel (Classic view) > Folder Options > View tab, uncheck 1st item (Always show icons, never thumbnails)
Then check to see if they are OK
#23
Posted 15 October 2011 - 10:33 AM
#24
Posted 15 October 2011 - 11:06 AM
Here is the Malewarebytes log.
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 7954
Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005
10/15/2011 12:54:48 PM
mbam-log-2011-10-15 (12-54-48).txt
Scan type: Full scan (C:\|)
Objects scanned: 300206
Time elapsed: 42 minute(s), 15 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 7954
Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005
10/15/2011 12:54:48 PM
mbam-log-2011-10-15 (12-54-48).txt
Scan type: Full scan (C:\|)
Objects scanned: 300206
Time elapsed: 42 minute(s), 15 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
#25
Posted 15 October 2011 - 11:45 AM
Could you now reset the theme from classic to any other and the gap should disappear
Any other outstanding problems
Any other outstanding problems
#26
Posted 15 October 2011 - 01:43 PM
Nope the gap is still there even when I switch themes. But no other real issues I can see.
#27
Posted 15 October 2011 - 02:26 PM
Thank you for the donation 'tis gratefully received
I haven't used Vista for a while now so I am not totally sure as to what the normal size is
Whilst I check that out I will tidy you up now
Subject to no further problems
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean
A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:
Run OTL
Remove ComboFix
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.
Upgrading Java:
SPRING CLEAN
To manually create a new Restore Point
Now we can purge the infected ones
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
Malwarebytes. Update and run weekly to keep your system clean
Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link
It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe
I haven't used Vista for a while now so I am not totally sure as to what the normal size is
Whilst I check that out I will tidy you up now
Subject to no further problems
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean
A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Remove ComboFix
- Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
- In the Run box, type in ComboFix /Uninstall (Notice the space between the "x" and "/") then click OK
- Follow the prompts on the screen
- A message should appear confirming that ComboFix was uninstalled
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.
Upgrading Java:
- Go to this site and click Do I have Java
- It will check your current version and then offer to update to the latest version
SPRING CLEAN
To manually create a new Restore Point
- Go to Control Panel and select System
- Select System
- On the left select System Protection and accept the warning if you get one
- Select System Protection Tab
- Select Create at the bottom
- Type in a name i.e. Clean
- Select Create
Now we can purge the infected ones
- GoStart > All programs > Accessories > system tools
- Right click Disc cleanup and select run as administrator
- Select Your main drive and accept the warning if you get one
- For a few moments the system will make some calculations
- Select the More Options tab
- In the System Restore and Shadow Backups select Clean up
- Select Delete on the pop up
- Select OK
- Select Delete
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
Malwarebytes. Update and run weekly to keep your system clean
Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link
It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe
#28
Posted 17 October 2011 - 01:23 PM
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please begin a New Topic.
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please begin a New Topic.
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users