iim1rmg

New Trojan VirusBursters

22 posts in this topic

My computer (Windows XP Media Edition SP-2) has been hijacked by a new and apparently more robust and destructive variation (VirusBursters) of an older Trojan called VirusBurst.

 

It is not detected by Lavasoft Adaware SE with definitions valid through 11/1/2006.

 

It invades the toolbar with false virus/trojan/infection balloons asking me to click on the balloon to download the latest detection-removal SW. It also causes various popping noises and duplicates the sound Adaware SE uses when finished with a scan in which infections are found. It makes this noise during the shutdown process. It also attempts to access the internet by itself.

 

It has hijacked IE such that it will not allow going to any other website than theirs. It has made some of the IE menu features such as "About Internet Explorer" and "Internet Options" no longer available.

 

It is hidden very well. I have deleted all files and folders with VirusBursters in the name and I have used Regedit to manually delete any entries obviously related. It still persists and is not detected by Adaware SE (or several other Spyware programs).

 

I cannot access the internet until I rid the computer of this infestation.

 

Is there a manual removal method or a tool that can be downloaded using another computer then used to fix this?


Hi iim1rmg,

 

To assist the malware experts with analysing your problems, please post logs from Ad-Aware and HijackThis, as per the steps in my post here: NewToFord's own Topic, Split from another user's thread

 

Please also notice my comment in that post on possible delays - thanks :)

 

Regards,

 

Spike

 

 

EDIT: iim1rmg - please edit your post below

 


 

choose "Full Edit" and post your log in full, rather than as an attachment, which is harder for the expert log-readers to follow.

 

I am posting this way so as to avoid "bumping" your post - logs are read from oldest to newest :)

 

Thanks, Spike

Edited by spike-nz


Thank you. I have attached the Hijack This log which I have with me. I can run Adaware SE again when I am back at the infected computer, but I do not have a copy of the log with me now. I ran it with definitions updated through 11/1/2006 and it found nothing but the MRU Lists. I can get a log if it helps. Also, when I first found the Malware infection, I ran McAfee Virus scan; it detected the VirusBurster PuP. I used McAfee to delete the PuP, but it did not clean the infestation. Since then I have run Windows Defender Beta, Spybot S&D, and Adaware SE. None can detect this. I also have some Word files with Printscreens of some examples of what this is doing on the toolbar and pop-up balloons, as well as a list of the processes running at startup, if those would help. My home computer is dead as far as internet connection goes until I get this off it. Thanks for the help - I need it.

 

 

 

Edit by LS CalamityJane: Pasting in log for easier reading

 

 

Logfile of HijackThis v1.99.1

Scan saved at 10:29:35 PM, on 11/2/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\windows\System32\smss.exe

C:\windows\system32\winlogon.exe

C:\windows\system32\services.exe

C:\windows\system32\lsass.exe

C:\windows\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\windows\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\windows\system32\spoolsv.exe

C:\WINDOWS\ehome\ehSched.exe

c:\program files\mcafee.com\agent\mcdetect.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe

C:\windows\System32\nvsvc32.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe

C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe

C:\windows\System32\svchost.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe

C:\windows\Explorer.EXE

C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe

C:\windows\system32\svchost.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

C:\Program Files\VideoKeyCodec\isamonitor.exe

C:\Program Files\VideoKeyCodec\pmsngr.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

C:\Program Files\VideoKeyCodec\pmmon.exe

C:\WINDOWS\System32\hphmon04.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Program Files\VideoKeyCodec\isamini.exe

C:\Program Files\SONY\sHotKey\sHotKey.exe

C:\WINDOWS\ehome\ehtray.exe

C:\windows\AGRSMMSG.exe

C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe

C:\Program Files\Prolific\One Button\OneBtn.exe

C:\windows\system32\ezSP_Px.exe

C:\windows\system32\CTHELPER.EXE

C:\program files\support.com\client\bin\tgcmd.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\McAfee.com\VSO\mcvsshld.exe

C:\Program Files\McAfee.com\VSO\oasclnt.exe

C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

C:\PROGRA~1\mcafee.com\mps\mscifapp.exe

C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\windows\system32\ctfmon.exe

C:\WINDOWS\ehome\ehmsas.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\HPHipm11.exe

c:\progra~1\mcafee.com\vso\mcvsftsn.exe

C:\Program Files\Palm\inboxtogo-watch.exe

C:\Program Files\Palm\inboxtogo-agent.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe

C:\Program Files\Palm\HOTSYNC.EXE

C:\windows\system32\taskmgr.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Robert Grove\My Download Update Files\Hijack This\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.att.net/ie4/search/index.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.worldnet.att.net

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.att.net/ie4/search/index.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll

O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll

O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {58A21FDD-F219-F4CB-1F41-DF3872489097} - blank (file missing)

O2 - BHO: (no name) - {8bf5b8fc-11cb-409f-8c91-4d4ca04a1b6d} - C:\Program Files\VideoKeyCodec\isaddon.dll

O2 - BHO: (no name) - {93376228-DDEF-F04A-B118-FA7AE6C20D97} - blank (file missing)

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - blank (file missing)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O3 - Toolbar: Protection Bar - {1a29a79a-b9c8-44a9-bedf-7fadde3cf33f} - C:\Program Files\VideoKeyCodec\iesplugin.dll

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe

O4 - HKLM\..\Run: [sHotKey] "C:\Program Files\SONY\sHotKey\sHotKey.exe"

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server

O4 - HKLM\..\Run: [Prolific_OneButton] C:\Program Files\Prolific\One Button\OneBtn.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\windows\system32\ezSP_Px.exe

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [tgcmd] "c:\program files\support.com\client\bin\tgcmd.exe" /server

O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe

O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe

O4 - HKLM\..\Run: [ssAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding

O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: DataViz Mail.lnk = C:\Program Files\Palm\inboxtogo-watch.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)

O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net

O15 - Trusted Zone: http://www.att.net

O15 - Trusted Zone: http://www.worldnet.att.net

O15 - Trusted Zone: *.oregonstateparks.org

O15 - Trusted Zone: *.reserveamerica.com

O15 - Trusted Zone: *.verizon.com

O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/support/pops/mdldetect/VaioInfo.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835

O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136778960359

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll

O21 - SSODL: ferrateen - {27321538-5739-4aa1-b84c-7d18e4383f1f} - C:\windows\system32\rrtcany.dll

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Proxy Service (ccPxySvc) - Unknown owner - C:\Program Files\Norton Internet Security\ccPxySvc.exe (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe

O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe

O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe

O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe

O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe

O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe

O23 - Service: Sony TVTA Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)

O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)

O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe

O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)

O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)

O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)

O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

 

 

Edit by Admin LS CalamityJane: removed attachment...no longer needed

Edited by LS CalamityJane
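An added triage helper, not code from this thread or from HijackThis itself: it parses log lines in the format posted above and flags the kinds of entries the log-readers check first (orphaned entries, unnamed BHOs, shell and winlogon hooks, and one install directory registered under several hook types). The sample lines are copied from the log above; the line and path regexes and the review rules are this example's own assumptions and produce prompts for a human, not verdicts.

```python
"""Triage helper for HijackThis v1.99-style log lines.

Added example for this thread, not code from the original post or from
HijackThis. The rules are generic first-pass review heuristics; every flag
still needs a human look.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: ten lines copied from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {58A21FDD-F219-F4CB-1F41-DF3872489097} - blank (file missing)
O2 - BHO: (no name) - {8bf5b8fc-11cb-409f-8c91-4d4ca04a1b6d} - C:\Program Files\VideoKeyCodec\isaddon.dll
O3 - Toolbar: Protection Bar - {1a29a79a-b9c8-44a9-bedf-7fadde3cf33f} - C:\Program Files\VideoKeyCodec\iesplugin.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll
O21 - SSODL: ferrateen - {27321538-5739-4aa1-b84c-7d18e4383f1f} - C:\windows\system32\rrtcany.dll
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
"""

# Assumed line shape: "<section code> - <body>", e.g. "O2 - BHO: ...".
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# First drive-letter path ending in .dll/.exe; non-greedy so "Program Files" spaces are kept.
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:dll|exe))\b", re.IGNORECASE)


@dataclass
class Entry:
    code: str                               # HijackThis section, e.g. "O2"
    body: str                               # everything after "O2 - "
    path: Optional[str] = None              # lower-cased file path, if the line names one
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Split one log line into section code, body and file path; None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None                         # header, blank line, running-process list
    entry = Entry(m.group("code"), m.group("body"))
    p = PATH_RE.search(entry.body)
    if p:
        entry.path = p.group(1).lower()
    return entry


def triage(entry: Entry) -> Entry:
    """Attach review flags. "(no name)" is a prompt, not proof: Spybot's SDHelper.dll
    also shows as (no name) in the log above, so each flag needs a human check."""
    low = entry.body.lower()
    if "(no file)" in low or "file missing" in low:
        entry.flags.append("orphaned: registry entry points at a file that is not on disk")
    if entry.code == "O2" and "(no name)" in low:
        entry.flags.append("unnamed BHO: check the DLL's publisher and install directory")
    if entry.code == "O20":
        entry.flags.append("Winlogon Notify DLL: loaded at logon, verify publisher")
    if entry.code == "O21":
        entry.flags.append("SSODL: DLL loaded by Explorer at logon, verify publisher")
    if entry.code == "R1" and "proxyserver" in low:
        entry.flags.append("proxy setting: confirm the user configured it")
    return entry


def triage_log(text: str) -> List[Entry]:
    """Parse and flag every entry line in a log; other lines are skipped."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    return [triage(e) for e in entries]


def shared_dirs(entries: List[Entry]) -> Dict[str, List[str]]:
    """Directories outside C:\\windows that back more than one hook type
    (e.g. a BHO and a toolbar): a bundle pattern worth reviewing as a unit."""
    by_dir: Dict[str, set] = defaultdict(set)
    for e in entries:
        if e.path and not e.path.startswith("c:\\windows"):
            by_dir[e.path.rsplit("\\", 1)[0]].add(e.code)
    return {d: sorted(codes) for d, codes in by_dir.items() if len(codes) > 1}


if __name__ == "__main__":
    found = triage_log(SAMPLE_LOG)
    for e in found:
        if e.flags:
            print(f"{e.code:>3}  {e.body[:70]}")
            for f in e.flags:
                print(f"      - {f}")
    for d, codes in shared_dirs(found).items():
        print(f"shared install dir {d}: {', '.join(codes)}")
```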


Hello Spike-

 

I didn't want to risk "bumping" this, but it's been a week since I posted the Hijack This log. I wasn't sure whether you were waiting for the Adaware SE log or not, so here it is. Additional information: this annoying infection is still present when XP Media is started in Safe Mode.

 

Edit by LS CalamityJane: Pasting in log for easier reading

 

 

Ad-Aware SE Build 1.06r1

Logfile Created on:Thursday, November 09, 2006 8:43:22 PM

Created with Ad-Aware SE Personal, free for private use.

Using definitions file:SE1R129 26.10.2006

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

References detected during the scan:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

MRU List(TAC index:0):16 total references

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Ad-Aware SE Settings

===========================

Set : Search for negligible risk entries

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep-scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan within archives

Set : Scan my Hosts file

 

Extended Ad-Aware SE Settings

===========================

Set : Unload recognized processes & modules during scan

Set : Scan registry for all users instead of current user only

Set : Always try to unload modules before deletion

Set : During removal, unload Explorer and IE if necessary

Set : Let Windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Include basic Ad-Aware settings in log file

Set : Include additional Ad-Aware settings in log file

Set : Include reference summary in log file

Set : Include alternate data stream details in log file

Set : Play sound at scan completion if scan locates critical objects

 

 

11-9-2006 8:43:22 PM - Scan started. (Full System Scan)

 

MRU List Object Recognized!

Location: : C:\Documents and Settings\Robert Grove\Application Data\microsoft\office\recent

Description : list of recently opened documents using microsoft office

 

 

MRU List Object Recognized!

Location: : C:\Documents and Settings\Robert Grove\recent

Description : list of recently opened documents

 

 

MRU List Object Recognized!

Location: : software\microsoft\direct3d\mostrecentapplication

Description : most recent application to use microsoft direct3d

 

 

MRU List Object Recognized!

Location: : software\microsoft\direct3d\mostrecentapplication

Description : most recent application to use microsoft direct X

 

 

MRU List Object Recognized!

Location: : software\microsoft\directdraw\mostrecentapplication

Description : most recent application to use microsoft directdraw

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1910824584-1015912326-465561911-1004\software\microsoft\internet explorer\typedurls

Description : list of recently entered addresses in microsoft internet explorer

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1910824584-1015912326-465561911-1004\software\microsoft\office\11.0\common\general

Description : list of recently used symbols in microsoft office

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1910824584-1015912326-465561911-1004\software\microsoft\office\11.0\common\open find\microsoft office word\settings\save as\file name mru

Description : list of recent documents saved by microsoft word

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1910824584-1015912326-465561911-1004\software\microsoft\search assistant\acmru

Description : list of recent search terms used with the search assistant

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1910824584-1015912326-465561911-1004\software\microsoft\windows\currentversion\applets\regedit

Description : last key accessed using the microsoft registry editor

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1910824584-1015912326-465561911-1004\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru

Description : list of recent programs opened

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1910824584-1015912326-465561911-1004\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru

Description : list of recently saved files, stored according to file extension

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1910824584-1015912326-465561911-1004\software\microsoft\windows\currentversion\explorer\recentdocs

Description : list of recent documents opened

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1910824584-1015912326-465561911-1004\software\microsoft\windows\currentversion\explorer\runmru

Description : mru list for items opened in start | run

 

 

MRU List Object Recognized!

Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general

Description : windows media sdk

 

 

MRU List Object Recognized!

Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general

Description : windows media sdk

 

 

Listing running processes

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

#:1 [smss.exe]

FilePath : \SystemRoot\System32\

ProcessID : 600

ThreadCreationTime : 11-3-2006 5:42:25 AM

BasePriority : Normal

 

 

#:2 [csrss.exe]

FilePath : \??\C:\windows\system32\

ProcessID : 656

ThreadCreationTime : 11-3-2006 5:42:33 AM

BasePriority : Normal

 

 

#:3 [winlogon.exe]

FilePath : \??\C:\windows\system32\

ProcessID : 684

ThreadCreationTime : 11-3-2006 5:42:34 AM

BasePriority : High

 

 

#:4 [services.exe]

FilePath : C:\windows\system32\

ProcessID : 732

ThreadCreationTime : 11-3-2006 5:42:38 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Services and Controller app

InternalName : services.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : services.exe

 

#:5 [lsass.exe]

FilePath : C:\windows\system32\

ProcessID : 744

ThreadCreationTime : 11-3-2006 5:42:39 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : LSA Shell (Export Version)

InternalName : lsass.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : lsass.exe

 

#:6 [svchost.exe]

FilePath : C:\windows\system32\

ProcessID : 908

ThreadCreationTime : 11-3-2006 5:42:42 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:7 [svchost.exe]

FilePath : C:\windows\system32\

ProcessID : 1012

ThreadCreationTime : 11-3-2006 5:42:44 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:8 [msmpeng.exe]

FilePath : C:\Program Files\Windows Defender\

ProcessID : 1140

ThreadCreationTime : 11-3-2006 5:42:46 AM

BasePriority : Normal

FileVersion : 1.1.1347.0

ProductVersion : 1.1.1347.0

ProductName : Windows Defender

CompanyName : Microsoft Corporation

FileDescription : Service Executable

InternalName : MsMpEng.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : MsMpEng.exe

 

#:9 [svchost.exe]

FilePath : C:\windows\System32\

ProcessID : 1180

ThreadCreationTime : 11-3-2006 5:42:47 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:10 [svchost.exe]

FilePath : C:\windows\System32\

ProcessID : 1276

ThreadCreationTime : 11-3-2006 5:42:47 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:11 [svchost.exe]

FilePath : C:\windows\System32\

ProcessID : 1432

ThreadCreationTime : 11-3-2006 5:42:49 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:12 [ccsetmgr.exe]

FilePath : C:\Program Files\Common Files\Symantec Shared\

ProcessID : 1524

ThreadCreationTime : 11-3-2006 5:42:52 AM

BasePriority : Normal

FileVersion : 103.0.4.3

ProductVersion : 103.0.4.3

ProductName : Client and Host Security Platform

CompanyName : Symantec Corporation

FileDescription : Symantec Settings Manager Service

InternalName : ccSetMgr

LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved.

OriginalFilename : ccSetMgr.exe

 

#:13 [ccevtmgr.exe]

FilePath : C:\Program Files\Common Files\Symantec Shared\

ProcessID : 1628

ThreadCreationTime : 11-3-2006 5:43:01 AM

BasePriority : Normal

FileVersion : 103.0.4.3

ProductVersion : 103.0.4.3

ProductName : Client and Host Security Platform

CompanyName : Symantec Corporation

FileDescription : Symantec Event Manager Service

InternalName : ccEvtMgr

LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved.

OriginalFilename : ccEvtMgr.exe

 

#:14 [spoolsv.exe]

FilePath : C:\windows\system32\

ProcessID : 1780

ThreadCreationTime : 11-3-2006 5:43:02 AM

BasePriority : Normal

FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)

ProductVersion : 5.1.2600.2696

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Spooler SubSystem App

InternalName : spoolsv.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : spoolsv.exe

 

#:15 [ehsched.exe]

FilePath : C:\WINDOWS\ehome\

ProcessID : 1900

ThreadCreationTime : 11-3-2006 5:43:09 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Media Center Scheduler Service

InternalName : ehSched

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : ehSched.exe

 

#:16 [mcdetect.exe]

FilePath : c:\program files\mcafee.com\agent\

ProcessID : 1952

ThreadCreationTime : 11-3-2006 5:43:09 AM

BasePriority : Normal

FileVersion : 6, 0, 0, 19

ProductVersion : 6, 0, 0, 0

ProductName : McAfee SecurityCenter

CompanyName : McAfee, Inc

FileDescription : McAfee WSC Integration Service

InternalName : McDetect

LegalCopyright : Copyright © 2005 McAfee, Inc.

OriginalFilename : McDetect.exe

Comments : McAfee WSC Integration Service

 

#:17 [mcshield.exe]

FilePath : c:\PROGRA~1\mcafee.com\vso\

ProcessID : 1984

ThreadCreationTime : 11-3-2006 5:43:09 AM

BasePriority : High

 

 

#:18 [mctskshd.exe]

FilePath : c:\PROGRA~1\mcafee.com\agent\

ProcessID : 2016

ThreadCreationTime : 11-3-2006 5:43:10 AM

BasePriority : Normal

FileVersion : 6, 0, 0, 13

ProductVersion : 6, 0, 0, 0

ProductName : McAfee SecurityCenter

CompanyName : McAfee, Inc

FileDescription : McAfee Task Scheduler

InternalName : McTskshd

LegalCopyright : Copyright © 2005 McAfee, Inc.

OriginalFilename : McTskshd.exe

 

#:19 [mdm.exe]

FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\

ProcessID : 332

ThreadCreationTime : 11-3-2006 5:43:18 AM

BasePriority : Normal

FileVersion : 7.00.9466

ProductVersion : 7.00.9466

ProductName : Microsoft® Visual Studio .NET

CompanyName : Microsoft Corporation

FileDescription : Machine Debug Manager

InternalName : mdm.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : mdm.exe

 

#:20 [mpfservice.exe]

FilePath : C:\PROGRA~1\McAfee.com\PERSON~1\

ProcessID : 368

ThreadCreationTime : 11-3-2006 5:43:19 AM

BasePriority : Normal

FileVersion : 7.1.0.113

ProductVersion : 7.1.0.113

ProductName : McAfee Personal Firewall

CompanyName : McAfee Corporation

FileDescription : McAfee Personal Firewall Service

InternalName : MPFService

LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.

OriginalFilename : MpfService.exe

Comments : McAfee Personal Firewall Service

 

#:21 [nvsvc32.exe]

FilePath : C:\windows\System32\

ProcessID : 284

ThreadCreationTime : 11-3-2006 5:43:22 AM

BasePriority : Normal

FileVersion : 6.14.10.4528

ProductVersion : 6.14.10.4528

ProductName : NVIDIA Driver Helper Service, Version 45.28

CompanyName : NVIDIA Corporation

FileDescription : NVIDIA Driver Helper Service, Version 45.28

InternalName : NVSVC

LegalCopyright : © NVIDIA Corporation. All rights reserved.

OriginalFilename : nvsvc32.exe

 

#:22 [ioctlsvc.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 532

ThreadCreationTime : 11-3-2006 5:43:22 AM

BasePriority : Normal

FileVersion : 1, 0, 0, 0

ProductVersion : 1, 0, 0, 0

ProductName : IoctlSvc Application

CompanyName : Prolific Technology Inc.

FileDescription : PLFlash DeviceIoControl Service

InternalName : IoctlSvc

LegalCopyright : Copyright © 2003 Prolific Technology Inc.

OriginalFilename : IoctlSvc.exe

 

#:23 [retrorun.exe]

FilePath : C:\PROGRA~1\Dantz\RETROS~1\

ProcessID : 556

ThreadCreationTime : 11-3-2006 5:43:23 AM

BasePriority : Normal

FileVersion : 6.5.342

ProductVersion : 6.5

ProductName : Retrospect

CompanyName : Dantz Development Corporation

FileDescription : Retrospect

InternalName :

LegalCopyright : Copyright Dantz 1989-2003

LegalTrademarks : Dantz® Retrospect®

OriginalFilename : retrorun.exe

 

#:24 [sonicstagemonitoring.exe]

FilePath : C:\Program Files\Common Files\Sony Shared\WMPlugIn\

ProcessID : 1260

ThreadCreationTime : 11-3-2006 5:43:33 AM

BasePriority : Normal

FileVersion : 1, 0, 0, 09121

ProductVersion : 1, 0, 0, 1

ProductName : SonicStageMonitoring Module

CompanyName : Sony Corporation

FileDescription : SonicStageMonitoring Module

InternalName : SonicStageMonitoring

LegalCopyright : Copyright 2003

OriginalFilename : SonicStageMonitoring.EXE

Comments : Monitoring Service

 

#:25 [smceman.exe]

FilePath : C:\Program Files\Sony\Sony TV Tuner Library\

ProcessID : 1292

ThreadCreationTime : 11-3-2006 5:43:33 AM

BasePriority : Normal

FileVersion : 1, 0, 0,08131

ProductVersion : 1, 0, 0, 08110

ProductName : Sony TV Tuner Library

CompanyName : Sony Corporation

FileDescription : SMceMan Module

InternalName : SMceMan

LegalCopyright : Copyright 2003 Sony Corp.

OriginalFilename : SMceMan.EXE

Comments : Aug.11 .2003

 

#:26 [svchost.exe]

FilePath : C:\windows\System32\

ProcessID : 1324

ThreadCreationTime : 11-3-2006 5:43:33 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:27 [wdfmgr.exe]

FilePath : C:\windows\system32\

ProcessID : 1652

ThreadCreationTime : 11-3-2006 5:43:37 AM

BasePriority : Normal

FileVersion : 5.2.3790.1230 built by: dnsrv(bld4act)

ProductVersion : 5.2.3790.1230

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows User Mode Driver Manager

InternalName : WdfMgr

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : WdfMgr.exe

 

#:28 [sssvr.exe]

FilePath : C:\Program Files\Sony\VAIO Media Integrated Server\Music\

ProcessID : 2076

ThreadCreationTime : 11-3-2006 5:43:39 AM

BasePriority : Normal

FileVersion : 2.6.00.08280

ProductVersion : 2.6.00

ProductName : VAIO Media Music Server

CompanyName : Sony Corporation

FileDescription : VAIO Media Music Server

InternalName : SSSvr

LegalCopyright : Copyright 2002,2003 Sony Corp.

OriginalFilename : SSSvr.exe

Comments : VAIO Media Music Server

 

#:29 [explorer.exe]

FilePath : C:\windows\

ProcessID : 2084

ThreadCreationTime : 11-3-2006 5:43:39 AM

BasePriority : Normal

FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 6.00.2900.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : EXPLORER.EXE

 

#:30 [photoappsrv.exe]

FilePath : C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\

ProcessID : 2204

ThreadCreationTime : 11-3-2006 5:43:45 AM

BasePriority : Normal

 

 

#:31 [gpvsvr.exe]

FilePath : C:\Program Files\Sony\VAIO Media Integrated Server\Video\

ProcessID : 2284

ThreadCreationTime : 11-3-2006 5:43:50 AM

BasePriority : Normal

 

 

#:32 [svchost.exe]

FilePath : C:\windows\system32\

ProcessID : 2368

ThreadCreationTime : 11-3-2006 5:43:56 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:33 [sv_httpd.exe]

FilePath : C:\Program Files\Sony\VAIO Media Integrated Server\Platform\

ProcessID : 2668

ThreadCreationTime : 11-3-2006 5:44:04 AM

BasePriority : Normal

FileVersion : 2.6.00.06090

ProductVersion : 2.6.00.06090

ProductName : SV_Httpd.exe

CompanyName : Sony Corporation

FileDescription : Sony HTTP Server

InternalName : SV_Httpd

LegalCopyright : Copyright 2002, 2003 Sony Corp.

OriginalFilename : SV_Httpd.exe

 

#:34 [sv_httpd.exe]

FilePath : C:\Program Files\Sony\VAIO Media Integrated Server\Platform\

ProcessID : 2800

ThreadCreationTime : 11-3-2006 5:44:08 AM

BasePriority : Normal

FileVersion : 2.6.00.06090

ProductVersion : 2.6.00.06090

ProductName : SV_Httpd.exe

CompanyName : Sony Corporation

FileDescription : Sony HTTP Server

InternalName : SV_Httpd

LegalCopyright : Copyright 2002, 2003 Sony Corp.

OriginalFilename : SV_Httpd.exe

 

#:35 [sv_httpd.exe]

FilePath : C:\Program Files\Sony\VAIO Media Integrated Server\Platform\

ProcessID : 2828

ThreadCreationTime : 11-3-2006 5:44:08 AM

BasePriority : Normal

FileVersion : 2.6.00.06090

ProductVersion : 2.6.00.06090

ProductName : SV_Httpd.exe

CompanyName : Sony Corporation

FileDescription : Sony HTTP Server

InternalName : SV_Httpd

LegalCopyright : Copyright 2002, 2003 Sony Corp.

OriginalFilename : SV_Httpd.exe

 

#:36 [upnpframework.exe]

FilePath : C:\Program Files\Sony\VAIO Media Integrated Server\Platform\

ProcessID : 2940

ThreadCreationTime : 11-3-2006 5:44:10 AM

BasePriority : Normal

FileVersion : 4.0.00.07150

ProductVersion : 4.0.00.07150

ProductName : UPnPFramework.exe

CompanyName : Sony Corporation

FileDescription : Sony UPnP Framework

InternalName : UPnPFramework

LegalCopyright : Copyright 2002,2003 Sony Corp.

OriginalFilename : UPnPFramework.exe

 

#:37 [isamonitor.exe]

FilePath : C:\Program Files\VideoKeyCodec\

ProcessID : 2964

ThreadCreationTime : 11-3-2006 5:44:10 AM

BasePriority : Normal

 

 

#:38 [pmsngr.exe]

FilePath : C:\Program Files\VideoKeyCodec\

ProcessID : 2980

ThreadCreationTime : 11-3-2006 5:44:10 AM

BasePriority : Normal

 

 

#:39 [hpgs2wnd.exe]

FilePath : C:\Program Files\Hewlett-Packard\HP Share-to-Web\

ProcessID : 3028

ThreadCreationTime : 11-3-2006 5:44:11 AM

BasePriority : Normal

FileVersion : 2,3,0,0\ 162

ProductVersion : 2,3,0,0\ 162

ProductName : Hewlett-Packard hpgs2wnd

CompanyName : Hewlett-Packard

FileDescription : hpgs2wnd

InternalName : hpgs2wnd

LegalCopyright : Copyright © 2001

OriginalFilename : hpgs2wnd.exe

 

#:40 [upnpframework.exe]

FilePath : C:\Program Files\Sony\VAIO Media Integrated Server\Platform\

ProcessID : 3056

ThreadCreationTime : 11-3-2006 5:44:11 AM

BasePriority : Normal

FileVersion : 4.0.00.07150

ProductVersion : 4.0.00.07150

ProductName : UPnPFramework.exe

CompanyName : Sony Corporation

FileDescription : Sony UPnP Framework

InternalName : UPnPFramework

LegalCopyright : Copyright 2002,2003 Sony Corp.

OriginalFilename : UPnPFramework.exe

 

#:41 [upnpframework.exe]

FilePath : C:\Program Files\Sony\VAIO Media Integrated Server\Platform\

ProcessID : 3080

ThreadCreationTime : 11-3-2006 5:44:11 AM

BasePriority : Normal

FileVersion : 4.0.00.07150

ProductVersion : 4.0.00.07150

ProductName : UPnPFramework.exe

CompanyName : Sony Corporation

FileDescription : Sony UPnP Framework

InternalName : UPnPFramework

LegalCopyright : Copyright 2002,2003 Sony Corp.

OriginalFilename : UPnPFramework.exe

 

#:42 [pmmon.exe]

FilePath : C:\Program Files\VideoKeyCodec\

ProcessID : 3156

ThreadCreationTime : 11-3-2006 5:44:12 AM

BasePriority : Normal

 

 

#:43 [hphmon04.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 3180

ThreadCreationTime : 11-3-2006 5:44:13 AM

BasePriority : Normal

FileVersion : 4,2,41

ProductVersion : 4,2,41

ProductName : hp photosmart

CompanyName : Hewlett-Packard

FileDescription : HPHmon04

InternalName : HPHmon04

LegalCopyright : Copyright © 2001

OriginalFilename : HPHmon04.exe

 

#:44 [hpztsb07.exe]

FilePath : C:\WINDOWS\System32\spool\drivers\w32x86\3\

ProcessID : 3200

ThreadCreationTime : 11-3-2006 5:44:13 AM

BasePriority : Normal

FileVersion : 2,140,0,0

ProductVersion : 2,140,0,0

ProductName : HP DeskJet

CompanyName : HP

LegalCopyright : Copyright © Hewlett-Packard Company 1999-2002

 

#:45 [hpgs2wnf.exe]

FilePath : C:\Program Files\Hewlett-Packard\HP Share-to-Web\

ProcessID : 3204

ThreadCreationTime : 11-3-2006 5:44:13 AM

BasePriority : Normal

FileVersion : 2, 6, 0, 162

ProductVersion : 2, 6, 0, 162

ProductName : hpgs2wnf Module

FileDescription : hpgs2wnf Module

InternalName : hpgs2wnf

LegalCopyright : Copyright 2001

OriginalFilename : hpgs2wnf.EXE

 

#:46 [isamini.exe]

FilePath : C:\Program Files\VideoKeyCodec\

ProcessID : 3216

ThreadCreationTime : 11-3-2006 5:44:13 AM

BasePriority : Normal

 

 

#:47 [shotkey.exe]

FilePath : C:\Program Files\SONY\sHotKey\

ProcessID : 3300

ThreadCreationTime : 11-3-2006 5:44:14 AM

BasePriority : Normal

 

 

#:48 [ehtray.exe]

FilePath : C:\WINDOWS\ehome\

ProcessID : 3312

ThreadCreationTime : 11-3-2006 5:44:14 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Media Center Tray Applet

InternalName : ehtray

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : ehtray.exe

 

#:49 [agrsmmsg.exe]

FilePath : C:\windows\

ProcessID : 3376

ThreadCreationTime : 11-3-2006 5:44:17 AM

BasePriority : Normal

FileVersion : 2.1.46 2.1.46 07/22/2004 13:38:36

ProductVersion : 2.1.46 2.1.46 07/22/2004 13:38:36

ProductName : Agere SoftModem Messaging Applet

CompanyName : Agere Systems

FileDescription : SoftModem Messaging Applet

InternalName : smdmstat.exe

LegalCopyright : Copyright © Agere Systems 1998-2000

OriginalFilename : smdmstat.exe

 

#:50 [rm_sv.exe]

FilePath : C:\Program Files\Sony\Sony TV Tuner Library\

ProcessID : 3428

ThreadCreationTime : 11-3-2006 5:44:19 AM

BasePriority : Normal

FileVersion : 5, 5, 0,08131

ProductVersion : 5, 5, 0, 05280

ProductName : Giga Pocket

CompanyName : Sony Corporation

FileDescription : RM_SV Module

InternalName : RM_SV

LegalCopyright : Copyright 2002, 2003 Sony Corp.

OriginalFilename : RM_SV.EXE

Comments : May.28 .2003

 

#:51 [onebtn.exe]

FilePath : C:\Program Files\Prolific\One Button\

ProcessID : 3568

ThreadCreationTime : 11-3-2006 5:44:27 AM

BasePriority : Normal

FileVersion : 1, 3, 0, 0

ProductVersion : 1, 3, 0, 0

ProductName : OneBtn Application

FileDescription : One Button Launch Application for PL-X507

InternalName : OneBtn

LegalCopyright : Copyright © 2004 Prolific Technology Inc.

OriginalFilename : OneBtn.exe

 

#:52 [ezsp_px.exe]

FilePath : C:\windows\system32\

ProcessID : 3616

ThreadCreationTime : 11-3-2006 5:44:28 AM

BasePriority : Normal

 

 

#:53 [cthelper.exe]

FilePath : C:\windows\system32\

ProcessID : 3628

ThreadCreationTime : 11-3-2006 5:44:28 AM

BasePriority : Normal

FileVersion : 1, 1, 0, 0

ProductVersion : 1, 1, 0, 0

ProductName : CtHelper Application

CompanyName : Creative Technology Ltd

FileDescription : CtHelper MFC Application

InternalName : CtHelper

LegalCopyright : Copyright © 2002

OriginalFilename : CtHelper.EXE

 

#:54 [tgcmd.exe]

FilePath : C:\program files\support.com\client\bin\

ProcessID : 3640

ThreadCreationTime : 11-3-2006 5:44:29 AM

BasePriority : Normal

FileVersion : 5,5,402,0

ProductVersion : 5,5,402,0

ProductName : Support.com Scheduler and Command Dispatcher

CompanyName : Support.com, Inc.

FileDescription : Support.com Scheduler and Command Dispatcher

InternalName : TGCMD

LegalCopyright : Copyright 1997-2069 Support.com

OriginalFilename : TGCMD.EXE

 

#:55 [mpftray.exe]

FilePath : C:\PROGRA~1\McAfee.com\PERSON~1\

ProcessID : 3676

ThreadCreationTime : 11-3-2006 5:44:32 AM

BasePriority : Normal

FileVersion : 7.1.0.113

ProductVersion : 7.1.0.113

ProductName : McAfee Personal Firewall (MPF)

CompanyName : McAfee Security

FileDescription : McAfee Personal Firewall Tray Monitor

InternalName : MpfTray

LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.

OriginalFilename : MPFTRAY.EXE

Comments : Tray Icon for McAfee Personal Firewall

 

#:56 [mcagent.exe]

FilePath : C:\PROGRA~1\mcafee.com\agent\

ProcessID : 3684

ThreadCreationTime : 11-3-2006 5:44:33 AM

BasePriority : Normal

FileVersion : 6, 0, 0, 16

ProductVersion : 6, 0, 0, 0

ProductName : McAfee SecurityCenter

CompanyName : McAfee, Inc

FileDescription : McAfee SecurityCenter Agent

InternalName : mcagent

LegalCopyright : Copyright © 2005 McAfee, Inc.

OriginalFilename : mcagent.exe

 

#:57 [mcvsshld.exe]

FilePath : C:\Program Files\McAfee.com\VSO\

ProcessID : 3708

ThreadCreationTime : 11-3-2006 5:44:34 AM

BasePriority : Normal

FileVersion : 10, 0, 0, 22

ProductVersion : 10, 0, 0, 0

ProductName : McAfee VirusScan

CompanyName : McAfee, Inc.

FileDescription : McAfee VirusScan ActiveShield Resource

InternalName : McVsShld

LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.

OriginalFilename : McVsShld.exe

Comments : McAfee VirusScan ActiveShield Resource

 

#:58 [oasclnt.exe]

FilePath : C:\Program Files\McAfee.com\VSO\

ProcessID : 3716

ThreadCreationTime : 11-3-2006 5:44:35 AM

BasePriority : Normal

FileVersion : 10, 0, 0, 24

ProductVersion : 10, 0, 0, 0

ProductName : McAfee VirusScan

CompanyName : McAfee, Inc.

FileDescription : McAfee VirusScan OAS Client

InternalName : OasClnt

LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.

OriginalFilename : OasClnt.exe

Comments : McAfee VirusScan OAS Client

 

#:59 [ssaad.exe]

FilePath : C:\PROGRA~1\Sony\SONICS~1\

ProcessID : 3724

ThreadCreationTime : 11-3-2006 5:44:35 AM

BasePriority : Normal

FileVersion : 3.0.00.13241

FileDescription : SonicStage Atrac Hard Disk Monitor

InternalName : SonicStage Atrac Hard Disk Monitor

LegalCopyright : Copyright 2005 Sony Corporation

 

#:60 [mscifapp.exe]

FilePath : C:\PROGRA~1\mcafee.com\mps\

ProcessID : 3732

ThreadCreationTime : 11-3-2006 5:44:35 AM

BasePriority : Normal

FileVersion : 8.1.0.136

ProductVersion : 8.1.0.136

ProductName : McAfee Privacy Service

CompanyName : McAfee, Inc.

FileDescription : McAfee Privacy Service

InternalName : mscifapp

LegalCopyright : Copyright © 2005 McAfee, Inc.

All rights reserved

OriginalFilename : mscifapp.exe

 

#:61 [liveupdate.exe]

FilePath : C:\Program Files\AceGain\LiveUpdate\

ProcessID : 3740

ThreadCreationTime : 11-3-2006 5:44:36 AM

BasePriority : Normal

FileVersion : 1, 0, 0, 1

ProductVersion : 1, 0, 0, 1

ProductName : AceGain LiveUpdate

FileDescription : AceGain LiveUpdate

InternalName : AceGain LiveUpdate

LegalCopyright : AceGain Inc.

OriginalFilename : utilproxy

 

#:62 [ituneshelper.exe]

FilePath : C:\Program Files\iTunes\

ProcessID : 3752

ThreadCreationTime : 11-3-2006 5:44:36 AM

BasePriority : Normal

FileVersion : 6.0.4.2

ProductVersion : 6.0.4.2

ProductName : iTunes

CompanyName : Apple Computer, Inc.

FileDescription : iTunesHelper Module

InternalName : iTunesHelper

LegalCopyright : © 2003-2006 Apple Computer, Inc. All Rights Reserved.

OriginalFilename : iTunesHelper.exe

 

#:63 [qttask.exe]

FilePath : C:\Program Files\QuickTime\

ProcessID : 3760

ThreadCreationTime : 11-3-2006 5:44:37 AM

BasePriority : Normal

FileVersion : 7.1

ProductVersion : QuickTime 7.1

ProductName : QuickTime

CompanyName : Apple Computer, Inc.

FileDescription : QuickTime Task

InternalName : QuickTime Task

LegalCopyright : Copyright Apple Computer, Inc. 1989-2006

OriginalFilename : QTTask.exe

 

#:64 [msascui.exe]

FilePath : C:\Program Files\Windows Defender\

ProcessID : 3768

ThreadCreationTime : 11-3-2006 5:44:38 AM

BasePriority : Normal

FileVersion : 1.1.1347.0

ProductVersion : 1.1.1347.0

ProductName : Windows Defender

CompanyName : Microsoft Corporation

FileDescription : Windows Defender User Interface

InternalName : MSASCUI

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : MSASCUI.exe

 

#:65 [ctfmon.exe]

FilePath : C:\windows\system32\

ProcessID : 3944

ThreadCreationTime : 11-3-2006 5:44:40 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : CTF Loader

InternalName : CTFMON

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : CTFMON.EXE

 

#:66 [ehmsas.exe]

FilePath : C:\WINDOWS\ehome\

ProcessID : 4012

ThreadCreationTime : 11-3-2006 5:44:41 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Media Center Media Status Aggregator Service

InternalName : eHMSAS

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : ehMSAS.exe

 

#:67 [msnmsgr.exe]

FilePath : C:\Program Files\MSN Messenger\

ProcessID : 544

ThreadCreationTime : 11-3-2006 5:44:45 AM

BasePriority : Normal

FileVersion : 5.0.0527

ProductVersion : Version 5.0

ProductName : Messenger

CompanyName : Microsoft Corporation

FileDescription : Messenger

InternalName : msnmsgr

LegalCopyright : Copyright © Microsoft Corporation 1997-2002

LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.

OriginalFilename : msnmsgr.exe

 

#:68 [mcvsescn.exe]

FilePath : c:\progra~1\mcafee.com\vso\

ProcessID : 1488

ThreadCreationTime : 11-3-2006 5:44:47 AM

BasePriority : Normal

FileVersion : 10, 0, 0, 20

ProductVersion : 10, 0, 0, 0

ProductName : McAfee VirusScan

CompanyName : McAfee, Inc.

FileDescription : McAfee VirusScan E-mail Scan Module

InternalName : mcvsescn

LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.

OriginalFilename : mcvsescn.EXE

Comments : McAfee VirusScan E-mail Scan Module

 

#:69 [ssscsisv.exe]

FilePath : C:\Program Files\Common Files\Sony Shared\AVLib\

ProcessID : 2056

ThreadCreationTime : 11-3-2006 5:44:48 AM

BasePriority : Normal

FileVersion : 3.0.00.13241

ProductVersion : 3.0.00

ProductName : SonicStage

CompanyName : Sony Corporation

FileDescription : SonicStage Scsi I/F Server

InternalName : SSScsiSV

LegalCopyright : Copyright 2005 Sony Corporation

OriginalFilename : SSScsiSV.EXE

 

#:70 [alg.exe]

FilePath : C:\windows\System32\

ProcessID : 2496

ThreadCreationTime : 11-3-2006 5:44:53 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Application Layer Gateway Service

InternalName : ALG.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : ALG.exe

 

#:71 [ipodservice.exe]

FilePath : C:\Program Files\iPod\bin\

ProcessID : 3264

ThreadCreationTime : 11-3-2006 5:44:56 AM

BasePriority : Normal

FileVersion : 6.0.4.2

ProductVersion : 6.0.4.2

ProductName : iTunes

CompanyName : Apple Computer, Inc.

FileDescription : iPodService Module

InternalName : iPodService

LegalCopyright : © 2003-2006 Apple Computer, Inc. All Rights Reserved.

OriginalFilename : iPodService.exe

 

#:72 [mcvsftsn.exe]

FilePath : c:\progra~1\mcafee.com\vso\

ProcessID : 2888

ThreadCreationTime : 11-3-2006 5:44:58 AM

BasePriority : Normal

FileVersion : 10, 0, 0, 19

ProductVersion : 10, 0, 0, 0

ProductName : McAfee VirusScan

CompanyName : McAfee, Inc.

FileDescription : McAfee VirusScan Instant Messenger Scan Module

InternalName : mcvsftsn

LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.

OriginalFilename : mcvsftsn.EXE

Comments : McAfee VirusScan Instant Messenger Scan Module

 

#:73 [inboxtogo-watch.exe]

FilePath : C:\Program Files\Palm\

ProcessID : 3488

ThreadCreationTime : 11-3-2006 5:45:00 AM

BasePriority : Normal

FileVersion : 100.00 (124)

ProductVersion : 100.00 (124)

ProductName : DataViz Mail

FileDescription : DataViz Mail System Watchdog

InternalName : inboxtogo-watch.exe

LegalCopyright : Copyright © 1999-2002 DataViz, Inc.

OriginalFilename : inboxtogo-watch.exe

 

#:74 [inboxtogo-agent.exe]

FilePath : C:\Program Files\Palm\

ProcessID : 2548

ThreadCreationTime : 11-3-2006 5:45:02 AM

BasePriority : Normal

FileVersion : 100.00 (124)

ProductVersion : 100.00 (124)

ProductName : DataViz Mail

FileDescription : DataViz Mail Desktop Agent

InternalName : inboxtogo-agent.exe

LegalCopyright : Copyright © 1999-2002 DataViz, Inc.

OriginalFilename : inboxtogo-agent.exe

 

#:75 [mpfagent.exe]

FilePath : C:\PROGRA~1\McAfee.com\PERSON~1\

ProcessID : 4284

ThreadCreationTime : 11-3-2006 5:45:10 AM

BasePriority : Normal

FileVersion : 7.1.0.113

ProductVersion : 7.1.0.113

ProductName : McAfee Personal Firewall (MPF)

CompanyName : McAfee Security

FileDescription : McAfee Personal Firewall Agent Interface

InternalName : MpfAgent

LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.

OriginalFilename : MPFAGENT.EXE

Comments : McAfee Personal Firewall Security Center Module

 

#:76 [hotsync.exe]

FilePath : C:\Program Files\Palm\

ProcessID : 4304

ThreadCreationTime : 11-3-2006 5:45:11 AM

BasePriority : Normal

FileVersion : 4.0.4

ProductVersion : 4.1.0

ProductName : HotSync® Manager, Palm Desktop

CompanyName : Palm, Inc.

FileDescription : HotSync® Manager Application

InternalName : HotSync®

LegalCopyright : Copyright © 1995-2001 Palm, Inc.

LegalTrademarks : HotSync® is a registered trademark of Palm, Inc.

OriginalFilename : Hotsync.exe

 

#:77 [taskmgr.exe]

FilePath : C:\windows\system32\

ProcessID : 4400

ThreadCreationTime : 11-3-2006 5:45:14 AM

BasePriority : High

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows TaskManager

InternalName : taskmgr

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : taskmgr.exe

 

#:78 [msmsgs.exe]

FilePath : C:\Program Files\Messenger\

ProcessID : 4424

ThreadCreationTime : 11-3-2006 5:45:16 AM

BasePriority : Normal

FileVersion : 4.7.3001

ProductVersion : Version 4.7.3001

ProductName : Messenger

CompanyName : Microsoft Corporation

FileDescription : Windows Messenger

InternalName : msmsgs

LegalCopyright : Copyright © Microsoft Corporation 2004

LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.

OriginalFilename : msmsgs.exe

 

#:79 [hphipm11.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 5996

ThreadCreationTime : 11-8-2006 4:03:15 PM

BasePriority : Normal

FileVersion : 4, 5, 0, 770

ProductVersion : 4, 5, 0, 770

ProductName : HP PML

CompanyName : HP

FileDescription : PML Driver

InternalName : PmlDrv

LegalCopyright : Copyright © 1998, 1999 Hewlett-Packard Company

OriginalFilename : PmlDrv.exe

 

#:80 [ad-aware.exe]

FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\

ProcessID : 5500

ThreadCreationTime : 11-10-2006 4:42:58 AM

BasePriority : Normal

FileVersion : 6.2.0.236

ProductVersion : SE 106

ProductName : Lavasoft Ad-Aware SE

CompanyName : Lavasoft Sweden

FileDescription : Ad-Aware SE Core application

InternalName : Ad-Aware.exe

LegalCopyright : Copyright © Lavasoft AB Sweden

OriginalFilename : Ad-Aware.exe

Comments : All Rights Reserved

 

Memory scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 16

 

 

Started registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Registry Scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 16

 

 

Started deep registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Deep registry scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 16

 

 

Started Tracking Cookie scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

 

Tracking cookie scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 16

 

 

 

Deep scanning and examining files (C:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Disk Scan Result for C:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 16

 

 

Deep scanning and examining files (D:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Disk Scan Result for D:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 16

 

 

Deep scanning and examining files (K:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Disk Scan Result for K:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 16

 

 

Scanning Hosts file......

Hosts file location:"C:\windows\system32\drivers\etc\hosts".

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Hosts file scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

1 entries scanned.

New critical objects:0

Objects found so far: 16

 

 

 

 

Performing conditional scans...

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Conditional scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 16

 

9:01:46 PM Scan Complete

 

Summary Of This Scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Total scanning time:00:18:23.781

Objects scanned:239745

Objects identified:0

Objects ignored:0

New critical objects:0

 

 

Edit by Admin LS CalamityJane: removed attachment...no longer needed

Edited by LS CalamityJane


Hi,

 

Apologies for the late reply, we've been quite swamped in here as you can probably see.

 

Are you still needing help?

 

I'm now subscribed to this topic so I will receive a notice from the board as soon as you reply, so I can be here much more quickly than it has taken to get to your new topic.

 

If you still need help, please post a fresh HijackThis log so I can see where you are at this point.


Yes!! I still need help and I'll get a fresh log tonight and post it in the morning. Thanks Calamity.

 

Some new information. I turned off system restore then tried booting from a disaster recovery CD-ROM. The first time I did this, it booted without the toolbar infection. I connected to the internet and updated all my Virus/Spyware definitions. It had so mutilated my McAfee Virus Scan SW that I had to re-install it. Lots of stuff got detected and supposedly cleaned including Puper and Zlob. I then disconnected from the internet, ran a commercial registry mechanic (twice) and then tried booting into safe mode. The infection was back although I seem to have crippled it some. The pop-up windows on the tool bar are still there, but all the annoying sound effects seem to be gone as well as the big fake system message box. I then tried to reboot from the CD, but now the infection is there when I boot from the CD as well as from the hard disk. I'll get fresh hijack-this and Adaware SE logs (with the newer definitions) and post in the morning. Thanks again. The tool-bar pop-up balloon and the new explorer window it opens by itself every few minutes tries to take me to a web-site in Austria to sell me removal SW. I suspect these are the folks who created the infection in the first place. The pop-up also wants me to click the "baloon" <SIC>.


Ok, sounds good - I think you made progress :)

 

Take this tool with you as well, it should take out anything remaining of the Zlob/Smitfraud infection I saw in the prior logs. Ad-Aware updated may also detect it by this time. (There are thousands of new variants of this released every week - very hard for the security programs to keep up with).

 

This stand-alone free removal tool is developed and kept up to date by a volunteer spyware-researcher in France who goes by the username S!ri, so he usually has the latest Zlob/Smitfraud nasties covered as far as removal goes.

 

You have the desktop Hijacker from a fake codec as described Here in our September Newsletter.

 

1. Download SmitfraudFix (by S!Ri) to your Desktop (Win2k/WinXP only!).

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

 

How to extract (decompress) zipped or compressed files

http://www.lvsonline.com/compresstut/index.shtml

 

Note : process.exe is part of the SmitFraudFix tool and is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky, Panda) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

 

 

2. Reboot into Safe Mode

You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

 

How to start the computer in Safe mode

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

 

3. Once in Safe mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd

 

Select option #2 - Clean by typing 2 and press Enter.

Wait for the tool to complete and disk cleanup to finish.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

 

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.

 

4. Once back into normal mode, please scan with HijackThis to produce a log. Post that log into your topic along with the other requested logs named below.

 

Logs needed in your next post are:

 

rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed

 

Fresh HijackThis log

 

Warning : running option #2 on a non infected computer will remove your Desktop background.


I think we've made progress :D

 

The symptoms have changed considerably, but I am still afraid to let it connect to the internet.

 

I've attached the files.

 

 

Edit by Admin LS CalamityJane: removed attachment...no longer needed - see post below

Edited by LS CalamityJane


Let me paste those logs in here for easier review

 

SmitFraudFix v2.120

 

Scan done at 22:58:26.48, Tue 11/14/2006

Run from C:\Documents and Settings\Robert Grove\Desktop\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

Fix run in safe mode

 

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{27321538-5739-4aa1-b84c-7d18e4383f1f}"="ferrateen"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

Registry Cleaning done.

 

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

...................................

Logfile of HijackThis v1.99.1

Scan saved at 11:11:21 PM, on 11/14/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\windows\System32\smss.exe

C:\windows\system32\winlogon.exe

C:\windows\system32\services.exe

C:\windows\system32\lsass.exe

C:\windows\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\windows\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\windows\system32\spoolsv.exe

C:\WINDOWS\ehome\ehSched.exe

c:\program files\mcafee.com\agent\mcdetect.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe

C:\windows\System32\nvsvc32.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

C:\windows\Explorer.EXE

C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe

C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe

C:\windows\System32\svchost.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\WINDOWS\System32\hphmon04.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

C:\windows\system32\svchost.exe

C:\Program Files\SONY\sHotKey\sHotKey.exe

C:\WINDOWS\ehome\ehtray.exe

C:\windows\AGRSMMSG.exe

C:\program files\support.com\client\bin\tgcmd.exe

C:\Program Files\Prolific\One Button\OneBtn.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe

C:\windows\system32\ezSP_Px.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe

C:\windows\system32\CTHELPER.EXE

C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\McAfee.com\VSO\mcvsshld.exe

C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe

C:\Program Files\McAfee.com\VSO\oasclnt.exe

C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

C:\PROGRA~1\mcafee.com\mps\mscifapp.exe

C:\WINDOWS\System32\HPHipm11.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\ehome\ehmsas.exe

C:\windows\system32\ctfmon.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Palm\inboxtogo-watch.exe

C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

C:\Program Files\Palm\inboxtogo-agent.exe

C:\Program Files\Palm\HOTSYNC.EXE

c:\progra~1\mcafee.com\vso\mcvsftsn.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe

C:\windows\System32\svchost.exe

C:\Program Files\Messenger\msmsgs.exe

C:\windows\system32\wuauclt.exe

C:\Documents and Settings\Robert Grove\My Download Update Files\Hijack This\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll

O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll

O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll

O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {58A21FDD-F219-F4CB-1F41-DF3872489097} - blank (file missing)

O2 - BHO: (no name) - {93376228-DDEF-F04A-B118-FA7AE6C20D97} - blank (file missing)

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - blank (file missing)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe

O4 - HKLM\..\Run: [sHotKey] "C:\Program Files\SONY\sHotKey\sHotKey.exe"

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server

O4 - HKLM\..\Run: [Prolific_OneButton] C:\Program Files\Prolific\One Button\OneBtn.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\windows\system32\ezSP_Px.exe

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [tgcmd] "c:\program files\support.com\client\bin\tgcmd.exe" /server

O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe

O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe

O4 - HKLM\..\Run: [ssAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: DataViz Mail.lnk = C:\Program Files\Palm\inboxtogo-watch.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)

O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net

O15 - Trusted Zone: http://www.att.net

O15 - Trusted Zone: http://www.worldnet.att.net

O15 - Trusted Zone: *.oregonstateparks.org

O15 - Trusted Zone: *.reserveamerica.com

O15 - Trusted Zone: *.verizon.com

O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/support/pops/mdldetect/VaioInfo.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136778960359

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Proxy Service (ccPxySvc) - Unknown owner - C:\Program Files\Norton Internet Security\ccPxySvc.exe (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe

O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe

O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe

O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe

O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe

O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe

O23 - Service: Sony TVTA Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)

O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)

O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe

O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)

O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)

O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)

O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe


Looks good!

 

Open HijackThis and do a *system scan only*

 

When it finishes, checkmark these entries, then press the *fix checked* button

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

 

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

 

O2 - BHO: (no name) - {58A21FDD-F219-F4CB-1F41-DF3872489097} - blank (file missing)

 

O2 - BHO: (no name) - {93376228-DDEF-F04A-B118-FA7AE6C20D97} - blank (file missing)

 

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - blank (file missing)

 

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

 

Let me know if you see any remaining symptoms?

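A way to automate the triage the helper did by hand in the reply above, run against the SmitfraudFix (SrchSTS) and HijackThis logs posted before it. This is an added example for this thread, not code from SmitfraudFix or HijackThis. The rules are modelled on the helper's fix list: blanked R0/R1 values, a forced ProxyServer, O2 BHOs whose DLL is gone, plus a "review" flag for O20 Winlogon Notify DLLs and O23 services that point at a missing binary. The allow-list of legitimate SharedTaskScheduler entries is an assumption about a stock Windows XP install; the sample lines are copied from the logs posted above, with one constructed benign "Browseui preloader" entry added for contrast.

```python
"""Triage a SmitfraudFix SrchSTS dump and a HijackThis v1.99 log.

Added example for this thread; not code from SmitfraudFix or HijackThis.
The rules are assumptions modelled on the helper's "fix checked" reply.
"""
import re

# Assumption: the two SharedTaskScheduler entries a stock Windows XP install
# carries. Any other CLSID/name pair there (e.g. Zlob's "ferrateen") is a
# DLL that Explorer loads silently at every start and is a removal candidate.
KNOWN_STS = {
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}": "Browseui preloader",
    "{8C7461EF-2B13-11D2-BE35-3078302C2030}": "Component Categories cache daemon",
}

STS_LINE = re.compile(r'^"(?P<clsid>\{[0-9A-Fa-f-]{36}\})"="(?P<name>[^"]*)"$')
HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
MISSING = ("(no file)", "(file missing)")

# Sample input copied from the logs posted in this thread; the
# "Browseui preloader" line is a constructed benign entry for contrast.
SAMPLE = [
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]",
    r'"{27321538-5739-4aa1-b84c-7d18e4383f1f}"="ferrateen"',
    r'"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"',
    "",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = ",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)",
    r"O2 - BHO: (no name) - {58A21FDD-F219-F4CB-1F41-DF3872489097} - blank (file missing)",
    r"O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - blank (file missing)",
    r"O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll",
    r"O23 - Service: Symantec Proxy Service (ccPxySvc) - Unknown owner - C:\Program Files\Norton Internet Security\ccPxySvc.exe (file missing)",
]


def _finding(kind, action, reason, entry):
    return {"kind": kind, "action": action, "reason": reason, "entry": entry}


def triage(lines):
    """Return findings as dicts; action is 'fix' (checkmark it) or 'review'."""
    findings = []
    in_sts = False
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        # SrchSTS prints the registry key, then one "{clsid}"="name" per line.
        if line.startswith("[") and line.endswith("SharedTaskScheduler]"):
            in_sts = True
            continue
        if in_sts:
            m = STS_LINE.match(line)
            if m:
                clsid = m.group("clsid").upper()
                if KNOWN_STS.get(clsid) != m.group("name"):
                    findings.append(_finding("STS", "fix",
                                             "SharedTaskScheduler DLL not in the stock XP set", line))
                continue
            in_sts = False  # first non-entry line ends the key dump
        m = HJT_LINE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1"):
            # body looks like "HKCU\...\Main,SearchAssistant = about:blank"
            key, _, value = body.partition(" =")
            name, value = key.rsplit(",", 1)[-1], value.strip()
            if value in ("", "about:blank"):
                findings.append(_finding(kind, "fix", "IE setting blanked by the hijacker", line))
            elif name == "ProxyServer":
                findings.append(_finding(kind, "fix", "proxy forced to %r" % value, line))
        elif kind == "O2" and body.split(" - ")[-1].strip().endswith(MISSING):
            findings.append(_finding(kind, "fix", "BHO CLSID registered but its DLL is gone", line))
        elif kind == "O20":
            findings.append(_finding(kind, "review", "Winlogon Notify DLL loads at every logon; verify it", line))
        elif kind == "O23" and body.endswith("(file missing)"):
            findings.append(_finding(kind, "review",
                                     "service binary missing (uninstall leftover or removed malware)", line))
    return findings


def fix_list(findings):
    """The entries a helper would ask the user to checkmark and 'fix checked'."""
    return [f["entry"] for f in findings if f["action"] == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print("%-6s %-4s %s\n       %s" % (f["action"], f["kind"], f["reason"], f["entry"]))
```

Run it as a script to print the findings, or call triage() on the lines of a saved log. The output is a candidate list only: a person still confirms each entry before pressing "fix checked", because a leftover from an uninstalled product (the Symantec O23 entries in this log) shows the same "(file missing)" pattern as a malware DLL that a scanner has already deleted.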

I think we may have it. :)

 

After following the last instructions, the symptoms appeared to be gone. I let the computer connect to the internet, updated all my virus/malware programs and definitions and rebooted to Safe Mode, then ran them all.

 

They detected one Trojan called fake-alert and some spyware called browseraid and one called movie something. After cleaning these, I rebooted normally and ran them all again. One still detected browseraid and cleaned it.

 

Then I turned system restore back on.

 

As of now, none of my virus/malware detection programs is finding anything and the symptoms of the initial infection are gone.

 

I've attached a couple of word files with "printscreens" of what this infection looked like in case they are of any help to anyone. Please just delete them if they have no value.

 

My computer still seems to be very slow, but that may be my imagination. Thank you. Thank you. Thank you.

 

Please let me know if we are not yet done.

 

Edit by Admin LS CalamityJane: Attachments removed...no longer needed

Edited by LS CalamityJane


Yes, I know most of the fake alerts used.

Screenshots of Desktop Hijack

http://www.dslreports.com/faq/14277

 

They have a long history.

 

Browseraid isn't related but the "fake alert" and (movie) are - could that have been "codec"?

 

You may have gotten this desktop hijack from a fake codec as described Here in our September Newsletter.

 

Also here:

Beware Fake Codecs - it could be a trojan

http://www.dslreports.com/forum/remark,17163035

...............................

The slowness you perceive...could be if you are running both Symantec and McAfee AVs at the same time. Your log shows components from both.

 

Some final cleanup and prevention recommendations follow.

 

You can go ahead and delete any special tools we used (SmitfraudFix, etc). They won't serve a future purpose and are replaced with updated versions frequently, so the copies you have are probably already out of date and no need to keep them.

 

Do a disk cleanup. Go to Start > Run and type in the box: Cleanmgr

Wait while Windows scans your system for files to delete.

Make sure these 3 are checkmarked and press *ok* to delete them.

 

Temporary Files

Temporary Internet Files

Recycle Bin

 

Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?

 

One of the best features of Windows ME or XP is the System Restore option, however if a malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal.

 

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

 

(winXP)

 

1. Turn off System Restore.

Go to Start and right-click on *My Computer*.

Click Properties.

Click the System Restore tab.

Put a Checkmark in the box next to "Turn off System Restore".

Click Apply, and then click OK.

 

2. Reboot.

 

3. Turn ON System Restore.

Go to Start and right-click on *My Computer*.

Click Properties.

Click the System Restore tab.

Remove the checkmark next to "Turn off System Restore".

Click Apply, and then click OK.

 

How to Turn On and Turn Off System Restore in Windows XP

http://support.microsoft.com/default.aspx?...kb;en-us;310405

......................

Ad-Aware Plus has real-time protection to prevent infections before they have a chance to get a stronghold on your PC.

http://www.lavasoft.com/

 

Also, I can't stress enough the importance of having your Windows critical Security Updates. Most malware today uses exploits on unpatched systems to creep onto your system without your even doing anything but visiting an infected webpage!!

 

Watch what you download, be careful where you surf, and don't trust attachments or even links in email and Instant messages. Even if they come from a buddy, that buddy could be the one infected and it is the virus sending that link from his account. You click on it thinking he is trusted, and *boom* you're infected.

Many "Phishing" attempts are made by cleverly crafted email to look like it is coming from an "official" source (like Microsoft, or your bank, or some other provider). Don't click on links in those. Go directly to the site instead and navigate the menus - don't trust email you think came from a "safe source" unless you are expecting it! There is more in the link I will provide below, but those are the choice avenues of infection these days.

Stay far AWAY from cracks and warez sites - you're sure to get infected files there, and the same can be said for files downloaded from p2p (more than half are usually infected and probably not detectable by your current security software - the newest nasties are always released in those venues).

 

A word about shared computers and networks.

Share Your PC

http://www.microsoft.com/windowsxp/using/s...hare/intro.mspx

Not all users need to have Admin Accounts. It is much safer to have most of your users on a shared system running as Limited User accounts. That way, if there is "an accident", it will only affect one user's account and not the entire system.

 

 

Next, I highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help :).

How do I prevent Browser Hijacks and Spyware?

http://www.dslreports.com/faq/13620

 

I'm happy to see you have SP2 installed. That will address numerous security issues in your Operating System and IE

Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month. This is the first step in malware prevention, as many nasties now take advantage of new exploits and if not patched, you are vulnerable!

Windows Update

http://update.microsoft.com/microsoftupdate/

 

And see this link for instructions on how to configure the enhanced security features in SP2:

http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

 

I also highly recommend to get the free tool, Microsoft Baseline Security Analyzer (MBSA) from Microsoft to analyze your PC security for prevention purposes.

 

MBSA Version 2.0 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provides easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here:

Microsoft Baseline Security Analyzer

http://www.microsoft.com/technet/security/...s/mbsahome.mspx

Choose MBSAsetup-EN.msi = (English Version) or the language appropriate for you.

 

Also visit this Free Online Scanner from Microsoft for PC Health and Safety

http://safety.live.com/site/en-US/default.htm

and Microsoft Security At Home

http://www.microsoft.com/athome/security/default.mspx

for tips to Protect your Pc, Protect yourself and Protect your Family.


Yaaaaaaaaaaaarrrrrrrrrrrrrrrrrrggggggggggg!!

 

I thought we had it, but as soon as I let it connect to the internet, they start to come back!!

 

If I connect for even a minute, just to update definitions, then huntbar comes back. If I connect for a few minutes, then things start to happen: my commercial registry mechanic loses a .dll and has to be re-installed, and all sorts of trojans, malware, and spyware start to get detected. If I clean them all before shutting down, then the horrible toolbar stuff is not present at the next startup, but I don't think the computer is clean yet. Could it be a rootkit?

 

I had serious problems trying to install an update to the Symantec/Norton stuff you see. The original came installed on the computer, and when I tried to update it to 2006, the update didn't de-install the previous components. After spending over 50 hours trying to get it to work and spending lots of time talking to nice folks in India, I gave up and switched. What you see are the Symantec parts that, try as I have, I have been unsuccessful at removing or deinstalling.

 

I'll do the things you suggested, but is there anything else I should try? I'm starting to lose hope.

 

Thanks again for all the help.


Hi, yes - still here.

 

Our email notices of replies weren't working the day you posted, so I missed seeing it. Glad you posted back again.

 

1. Download this file - combofix.exe

http://download.bleepingcomputer.com/sUBs/combofix.exe

 

2. Double click on combofix.exe & follow the prompts.

 

Note: If you receive a popup with a Disclaimer, read that and answer Y for yes (or N for no)

Y is recommended (if you put N, the tool will exit without fixing and will remove the combofix file and folders)

 

Do NOT click on the window while the fix is running, because that will cause your system to hang and the fix to stall.

 

3. When finished, it shall produce a log for you. Post that log in your next reply


OK, that's done and the logfile follows.

 

Two additional symptoms that may or may not be related:

 

1.) Something on the computer changed the icon for the combofix program while I was watching, but not doing anything. The icon turned into a red circle with a white x in it. The program still appears to have run correctly and it did produce a log file.

 

2.) When I run cleanmgr, it shows that I have 32 Kb in "Webclient/Publisher Temporary" Files. I check the box, it says it is deleting them, but if I run cleanmgr again, they are still there. Does this mean anything to you?

 

We are almost certain that this infection began immediately after someone using the computer visited "Myspace" and clicked on a link in "Mymusic." I think you are probably correct in your guess that this infestation started with a false codec.

 

After running combofix, I ran Adaware SE again, and it found 7 new items, but they all seemed to be tracking cookies that it didn't find before. I also pasted that log just it case it tells you something.

 

Do I dare try letting it connect again, or should I do something else first. Every Virus and Malware program I have runs clean now, but most need new definitions. I did install the Microsoft Security Analyzer you recommended (it has a newer version now), but it needs to connect to the internet so I have not run it yet.

 

What do I do next? Can I let it connect?

 

Following is a paste of the combofix log.

 

 

Robert Grove - 06-11-23 12:11:13.35 Service Pack 2

ComboFix 06.11.22 - Running from: "C:\Documents and Settings\Robert Grove\Desktop"

 

((((((((((((((((((((((((((((((( Files Created from 2006-10-23 to 2006-11-23 ))))))))))))))))))))))))))))))))))

 

 

2006-11-23 11:54 53,248 --a------ C:\WINDOWS\system32\Process.exe

2006-11-23 11:20 13,214,934 --a------ C:\sdat4902.exe

2006-11-19 13:46 40,960 --a------ C:\WINDOWS\system32\swsc.exe

2006-11-19 13:46 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe

2006-11-19 13:46 135,168 --a------ C:\WINDOWS\system32\swreg.exe

2006-11-14 22:58 4,740 --a------ C:\WINDOWS\system32\tmp.reg

2006-11-11 21:59 <DIR> d-------- C:\Program Files\Windows Defender

2006-11-11 21:19 <DIR> d-------- C:\Program Files\Common Files\Scanner

2006-11-11 21:19 <DIR> d-------- C:\Program Files\ComcastToolbar

2006-11-11 21:17 <DIR> d-------- C:\Documents and Settings\Robert Grove\Comcast

2006-11-11 19:11 <DIR> d-------- C:\SDAT

2006-11-02 22:08 <DIR> d-------- C:\Documents and Settings\Robert Grove\Virusbursters info

2006-10-31 21:16 <DIR> d-------- C:\Documents and Settings\Robert Grove\Hijackthis

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2006-11-23 12:03 -------- d-------- C:\Program Files\Registry Mechanic

2006-11-22 10:01 -------- d-------- C:\Program Files\Internet Explorer

2006-11-17 17:15 -------- d-------- C:\Program Files\Call of Duty

2006-11-11 21:19 -------- d-a------ C:\Program Files\Common Files

2006-10-13 04:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll

2006-10-13 04:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll

2006-10-13 04:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll

2006-10-13 02:23 163584 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys

2006-09-28 17:45 -------- d-------- C:\Program Files\Warcraft III

2006-09-12 21:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll

2006-08-25 07:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries are not shown

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"ctfmon.exe"="C:\\windows\\system32\\ctfmon.exe"

"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"

"HPHUPD04"="\"C:\\Program Files\\HP Photosmart 11\\hphinstall\\UniPatch\\hphupd04.exe\""

"HPHmon04"="C:\\WINDOWS\\System32\\hphmon04.exe"

"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"

"VAIO Recovery"="C:\\WINDOWS\\Sonysys\\VAIO Recovery\\PartSeal.exe"

"sHotKey"="\"C:\\Program Files\\SONY\\sHotKey\\sHotKey.exe\""

"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"

"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"

"ATIModeChange"="Ati2mdxx.exe"

"AGRSMMSG"="AGRSMMSG.exe"

"ZTgServerSwitch"="\"c:\\program files\\support.com\\client\\bin\\tgcmd.exe\" /server"

"Prolific_OneButton"="C:\\Program Files\\Prolific\\One Button\\OneBtn.exe"

"nwiz"="nwiz.exe /installquiet"

"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"

"ezShieldProtector for Px"="C:\\windows\\system32\\ezSP_Px.exe"

"CTHelper"="CTHELPER.EXE"

"tgcmd"="\"c:\\program files\\support.com\\client\\bin\\tgcmd.exe\" /server"

"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"

"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"

"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"

"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"

"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"

"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"

"SsAAD.exe"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"

"MPSExe"="c:\\PROGRA~1\\mcafee.com\\mps\\mscifapp.exe /embedding"

"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]

"Installed"="1"

"NoChange"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]

"Installed"="1"

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]

"DeskHtmlVersion"=dword:00000110

"DeskHtmlMinorVersion"=dword:00000005

"Settings"=dword:00000001

"GeneralFlags"=dword:00000004

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]

"SetDefaultMidi"="MIDIDEF.EXE"

"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\

33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]

"SetDefaultMidi"="MIDIDEF.EXE"

"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\

33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]

"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"dontdisplaylastusername"=dword:00000000

"legalnoticecaption"=""

"legalnoticetext"=""

"shutdownwithoutlogon"=dword:00000001

"undockwithoutlogon"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoCDBurning"=dword:00000000

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

 

 

Contents of the 'Scheduled Tasks' folder

C:\windows\tasks\HP Usg Login.job

C:\windows\tasks\McAfee.com Scan for Viruses - My Computer (GROVEFAMILY1-Robert Grove).job

C:\windows\tasks\MP Scheduled Scan.job

C:\windows\tasks\Norton AntiVirus - Scan my computer - Robert Grove.job

C:\windows\tasks\Norton AntiVirus - Scan my computer.job

C:\windows\tasks\Registration reminder 1.job

C:\windows\tasks\Registration reminder 2.job

C:\windows\tasks\Registration reminder 3.job

 

Completion time: 06-11-23 12:13:01.82

C:\ComboFix.txt ... 06-11-23 12:13

 

 

 

 

Ad-Aware SE Build 1.06r1

Logfile Created on:Thursday, November 23, 2006 1:34:53 PM

Created with Ad-Aware SE Personal, free for private use.

Using definitions file:SE1R133 16.11.2006

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

References detected during the scan:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

MRU List(TAC index:0):10 total references

Tracking Cookie(TAC index:3):7 total references

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Ad-Aware SE Settings

===========================

Set : Search for negligible risk entries

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep-scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan within archives

Set : Scan my Hosts file

 

Extended Ad-Aware SE Settings

===========================

Set : Unload recognized processes & modules during scan

Set : Scan registry for all users instead of current user only

Set : Always try to unload modules before deletion

Set : During removal, unload Explorer and IE if necessary

Set : Let Windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Include basic Ad-Aware settings in log file

Set : Include additional Ad-Aware settings in log file

Set : Include reference summary in log file

Set : Include alternate data stream details in log file

Set : Play sound at scan completion if scan locates critical objects

 

 

11-23-2006 1:34:53 PM - Scan started. (Full System Scan)

 

MRU List Object Recognized!

Location: : C:\Documents and Settings\Robert Grove\Application Data\microsoft\office\recent

Description : list of recently opened documents using microsoft office

 

 

MRU List Object Recognized!

Location: : C:\Documents and Settings\Robert Grove\recent

Description : list of recently opened documents

 

 

MRU List Object Recognized!

Location: : software\microsoft\directdraw\mostrecentapplication

Description : most recent application to use microsoft directdraw

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1910824584-1015912326-465561911-1004\software\microsoft\internet explorer\typedurls

Description : list of recently entered addresses in microsoft internet explorer

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1910824584-1015912326-465561911-1004\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru

Description : list of recent programs opened

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1910824584-1015912326-465561911-1004\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru

Description : list of recently saved files, stored according to file extension

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1910824584-1015912326-465561911-1004\software\microsoft\windows\currentversion\explorer\recentdocs

Description : list of recent documents opened

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1910824584-1015912326-465561911-1004\software\microsoft\windows\currentversion\explorer\runmru

Description : mru list for items opened in start | run

 

 

MRU List Object Recognized!

Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general

Description : windows media sdk

 

 

MRU List Object Recognized!

Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general

Description : windows media sdk

 

 

Listing running processes

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

#:1 [smss.exe]

FilePath : \SystemRoot\System32\

ProcessID : 160

ThreadCreationTime : 11-23-2006 9:32:28 PM

BasePriority : Normal

 

 

#:2 [csrss.exe]

FilePath : \??\C:\windows\system32\

ProcessID : 208

ThreadCreationTime : 11-23-2006 9:32:54 PM

BasePriority : Normal

 

 

#:3 [winlogon.exe]

FilePath : \??\C:\windows\system32\

ProcessID : 232

ThreadCreationTime : 11-23-2006 9:32:55 PM

BasePriority : High

 

 

#:4 [services.exe]

FilePath : C:\windows\system32\

ProcessID : 276

ThreadCreationTime : 11-23-2006 9:33:01 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Services and Controller app

InternalName : services.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : services.exe

 

#:5 [lsass.exe]

FilePath : C:\windows\system32\

ProcessID : 288

ThreadCreationTime : 11-23-2006 9:33:01 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : LSA Shell (Export Version)

InternalName : lsass.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : lsass.exe

 

#:6 [svchost.exe]

FilePath : C:\windows\system32\

ProcessID : 452

ThreadCreationTime : 11-23-2006 9:33:04 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:7 [svchost.exe]

FilePath : C:\windows\system32\

ProcessID : 504

ThreadCreationTime : 11-23-2006 9:33:05 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:8 [msmpeng.exe]

FilePath : C:\Program Files\Windows Defender\

ProcessID : 568

ThreadCreationTime : 11-23-2006 9:33:07 PM

BasePriority : Normal

FileVersion : 1.1.1593.0

ProductVersion : 1.1.1593.0

ProductName : Windows Defender

CompanyName : Microsoft Corporation

FileDescription : Service Executable

InternalName : MsMpEng.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : MsMpEng.exe

 

#:9 [svchost.exe]

FilePath : C:\windows\system32\

ProcessID : 632

ThreadCreationTime : 11-23-2006 9:33:08 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:10 [explorer.exe]

FilePath : C:\windows\

ProcessID : 892

ThreadCreationTime : 11-23-2006 9:33:31 PM

BasePriority : Normal

FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 6.00.2900.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : EXPLORER.EXE

 

#:11 [ad-aware.exe]

FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\

ProcessID : 1140

ThreadCreationTime : 11-23-2006 9:34:30 PM

BasePriority : Normal

FileVersion : 6.2.0.236

ProductVersion : SE 106

ProductName : Lavasoft Ad-Aware SE

CompanyName : Lavasoft Sweden

FileDescription : Ad-Aware SE Core application

InternalName : Ad-Aware.exe

LegalCopyright : Copyright © Lavasoft AB Sweden

OriginalFilename : Ad-Aware.exe

Comments : All Rights Reserved

 

Memory scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 10

 

 

Started registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Registry Scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 10

 

 

Started deep registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Deep registry scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 10

 

 

Started Tracking Cookie scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

 

Tracking cookie scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 10

 

 

 

Deep scanning and examining files (C:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : andrew [email protected][2].txt

TAC Rating : 3

Category : Data Miner

Comment :

Value : C:\Documents and Settings\Andrew Grove\Cookies\andrew [email protected][2].txt

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : andrew [email protected][2].txt

TAC Rating : 3

Category : Data Miner

Comment :

Value : C:\Documents and Settings\Andrew Grove\Cookies\andrew [email protected][2].txt

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : andrew [email protected][1].txt

TAC Rating : 3

Category : Data Miner

Comment :

Value : C:\Documents and Settings\Andrew Grove\Cookies\andrew [email protected][1].txt

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : andrew [email protected][1].txt

TAC Rating : 3

Category : Data Miner

Comment :

Value : C:\Documents and Settings\Andrew Grove\Cookies\andrew [email protected][1].txt

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : andrew [email protected][2].txt

TAC Rating : 3

Category : Data Miner

Comment :

Value : C:\Documents and Settings\Andrew Grove\Cookies\andrew [email protected][2].txt

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : andrew [email protected][2].txt

TAC Rating : 3

Category : Data Miner

Comment :

Value : C:\Documents and Settings\Andrew Grove\Cookies\andrew [email protected][2].txt

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : andrew [email protected][2].txt

TAC Rating : 3

Category : Data Miner

Comment :

Value : C:\Documents and Settings\Andrew Grove\Cookies\andrew [email protected][2].txt

 

Disk Scan Result for C:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 17

 

 

Deep scanning and examining files (D:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Disk Scan Result for D:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 17

 

 

Deep scanning and examining files (K:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Disk Scan Result for K:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 17

 

 

Scanning Hosts file......

Hosts file location:"C:\windows\system32\drivers\etc\hosts".

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Hosts file scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

1 entries scanned.

New critical objects:0

Objects found so far: 17

 

 

 

 

Performing conditional scans...

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Conditional scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 17

 

2:02:09 PM Scan Complete

 

Summary Of This Scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Total scanning time:00:27:16.203

Objects scanned:208337

Objects identified:7

Objects ignored:0

New critical objects:7
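The helper's review of the ComboFix log above comes down to reading the "Reg Loading Points" section and asking, for each Run-key value, where the program actually lives. The following is an added triage example, written for this page and not part of the thread, ComboFix or Lavasoft's tools: it parses a constructed excerpt laid out like the section above, pulls the image path out of each command line (including the DLL behind a RUNDLL32 entry) and sorts entries into expected, unqualified (a bare file name resolved through PATH, as several HP/ATI entries in the real log are) and suspicious (user-writable directories). The benign lines copy entries from the log; the "Updater" and "Helper" entries and the trusted/suspicious directory lists are assumptions made for the example.

```python
import re
from typing import List, Tuple

# Constructed sample in the layout of a ComboFix "Reg Loading Points" section.
# The first five entries mirror benign ones from the log above; "Updater" and
# "Helper" are made up to exercise the checks and are not findings from this PC.
SAMPLE_LOADING_POINTS = r'''
*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\windows\\system32\\ctfmon.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"ATIModeChange"="Ati2mdxx.exe"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"Updater"="\"C:\\Documents and Settings\\User\\Local Settings\\Temp\\upd.exe\" /s"
"Helper"="C:\\WINDOWS\\Temp\\hlp.exe"
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

# Assumed directories from which a stock XP install's autostart entries run, and
# substrings that mark user-writable locations rogue software favours.
TRUSTED_ROOTS = ('c:\\windows\\', 'c:\\program files\\', 'c:\\progra~1\\')
SUSPICIOUS_MARKERS = ('\\temp\\', '\\documents and settings\\', '\\recycler\\')


def unescape(data: str) -> str:
    # .reg string escaping: a backslash quotes the next character (\\ and \")
    return re.sub(r'\\(.)', r'\1', data)


def split_command(command: str) -> List[str]:
    """Split a Run-key command line into tokens, honouring double quotes."""
    tokens, current, in_quotes = [], '', False
    for ch in command.strip():
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append(current)
                current = ''
        else:
            current += ch
    if current:
        tokens.append(current)
    return tokens


def image_path(command: str) -> str:
    """Return the file that really runs: the first token, or the DLL given to rundll32."""
    tokens = split_command(command)
    if not tokens:
        return ''
    path = tokens[0]
    if path.lower().rsplit('\\', 1)[-1] == 'rundll32.exe' and len(tokens) > 1:
        path = tokens[1].split(',', 1)[0]   # "module.dll,EntryPoint"
    return path


def classify(path: str) -> str:
    p = path.lower()
    if '\\' not in p:
        return 'unqualified'   # resolved via PATH: confirm which file actually starts
    if any(marker in p for marker in SUSPICIOUS_MARKERS):
        return 'suspicious'    # user-writable location, where rogue software hides
    if p.startswith(TRUSTED_ROOTS):
        return 'expected'
    return 'review'


def triage_loading_points(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (key, value name, image path, verdict) for every entry under a ...\\run key."""
    results, key = [], ''
    for line in log_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if not m or not key.lower().endswith('\\run'):
            continue
        path = image_path(unescape(m.group('data')))
        results.append((key, m.group('name'), path, classify(path)))
    return results


if __name__ == '__main__':
    for _, name, path, verdict in triage_loading_points(SAMPLE_LOADING_POINTS):
        print(f'{verdict:12} {name:16} {path}')
```

The verdicts are only a reading order, not a clean bill: an "expected" path can still hold a replaced file, so anything that survives this pass is checked by hash or publisher signature, and "unqualified" names deserve a look at which directory on PATH supplies them.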


There are no signs of any new or re-infection at all. Nor are the symptoms you describe

 

So re:

all sorts of trojans, malware, and spyware start to get detected.
I need to know what is "detecting" these - can you post logs from whatever program is telling you this that will give me some specifics to look at?

 

1.) Something on the computer changed the icon for the combofix program while I was watching, but not doing anything. The icon turned into a red circle with a white x in it.
The red circle with a white X in it is the normal logo for ComboFix. Not sure what it was showing before but the red circle one is correct.

 

2.) When I run cleanmgr, it shows that I have 32 Kb in "Webclient/Publisher Temporary" Files
Not a problem - explanation is here:

http://www.help2go.com/Tutorials/Windows_E...elete_them.html

 

Do I dare try letting it connect again, or should I do something else first. Every Virus and Malware program I have runs clean now, but most need new definitions.
Yes. If you get these "detections" again when you connect, get logs for me from whatever is telling you about new malware.

 

I did install the Microsoft Security Analyzer you recommended (it has a newer version now), but it needs to connect to the internet so I have not run it yet.
Correct. It has to connect to the update servers to work properly so it's worthless running it to analyze until you are connected to the internet.

 

Let me know how you make out.


I ran several programs including Lavasoft Adaware SE, Mcafee Virus scan, Windows Defender, Spybot S&D, and the spyware detector from the Comcast toolbar. I don't remember what detected what, just that huntbar seemed to come back first. Maybe they are all gone now (I hope). There were I think eight other trojan programs and malware things detected but they may have all been related or multiple locations of the same files. One of them was "virusburst.exe" which I know had been previously deleted. I have since deleted all temporary files, turned off restore and run everything I have in safe mode twice and in regular mode two or three times. Everything seems to be clean now.

 

I'll try connecting when I get home tonight. I'll check for security updates first, update all my file definitions second, then I'll run the security analyzer, then, if it still seems clean, I'll upgrade my adaware for the extra protection you recommended.

 

I'll let you know tomorrow and thanks once more for all the help. I really really appreciate it. Who would have thought 10 years ago that being without internet at home would be like... well like living without a cellphone :-)


This time, I think we can declare victory. I was able to connect to the internet, download IE 7.0 and associated updates, update all my definitions files and run most of my detection programs last night, and it appears to have remained clean!!!

 

I also ran the security analyzer you recommended and found that my IE zone settings allowed almost everything! I don't know how they got that way but that certainly may have contributed to the infestation.

 

Thanks very much for staying with me through this. I'll re-enable system save, and I'll upgrade my Adaware before I use IE for anything and hopefully that will help keep this from recurring.

 

Now I'm sure that there are several hundred other people who need rescuing and you probably aren't in any immediate danger of becoming bored :-)

 

Again- many many thanks and best regards:


Great! Glad to hear it :)

 

The malware you had on there may have changed your browser settings to a more vulnerable state, which is one reason I ask our users in cleanup to run that tool to assess the overall security of your system.

 

Give it a couple of days and if everything is continuing to run ok, let me know and I can then archive this topic :)
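The point in the two posts above, that the browser's Internet zone was left "allowing almost everything", is checkable from a registry export rather than only from a scanner's summary. The following is an added example written for this page; it is not the security analyzer mentioned in the thread, nor code from Lavasoft or Microsoft. It audits a constructed `reg export` of the current user's Internet zone key (Zones\3) for three URL actions whose safe setting is well established (1001 signed ActiveX download, 1004 unsigned ActiveX download, 1201 scripting of ActiveX not marked safe; data 0 = Enable, 1 = Prompt, 3 = Disable) and emits a .reg file that restores them. The weak values in the sample are made up; the policy table is this example's assumption, not a complete baseline.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the layout of a `reg export` of the current user's
# Internet zone (Zones\3). The dword values are made up to show a weakened
# configuration; they are not a copy of this machine's settings.
WEAK_ZONE_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000000
"1200"=dword:00000000
"1201"=dword:00000000
"1400"=dword:00000000
'''

ZONE3_KEY = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Zone value data: 0 = Enable, 1 = Prompt, 3 = Disable.
SETTING_NAME = {0: 'Enable', 1: 'Prompt', 3: 'Disable'}

# URL actions checked, as (description, acceptable settings, value to restore).
# Assumed policy for this example: only actions whose safe Internet-zone setting
# is well established are listed. Left at Enable, each lets a web page run code.
INTERNET_ZONE_POLICY: Dict[str, Tuple[str, set, int]] = {
    '1001': ('Download signed ActiveX controls', {1, 3}, 1),
    '1004': ('Download unsigned ActiveX controls', {3}, 3),
    '1201': ('Initialize and script ActiveX controls not marked as safe', {3}, 3),
}

DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})$')


def parse_dwords(reg_text: str) -> Dict[str, int]:
    """Collect the REG_DWORD values of a single-key .reg export."""
    values: Dict[str, int] = {}
    for line in reg_text.splitlines():
        m = DWORD_RE.match(line.strip())
        if m:
            values[m.group('name')] = int(m.group('hex'), 16)
    return values


def audit_internet_zone(reg_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (action id, description, current, recommended) for each weak setting."""
    values = parse_dwords(reg_text)
    findings = []
    for action, (label, acceptable, restore) in INTERNET_ZONE_POLICY.items():
        if action not in values:
            continue  # value absent: the browser falls back to the zone template
        current = values[action]
        if current not in acceptable:
            findings.append((action, label,
                             SETTING_NAME.get(current, str(current)),
                             SETTING_NAME[restore]))
    return findings


def hardening_reg(findings: List[Tuple[str, str, str, str]]) -> str:
    """Build a .reg file that puts every reported action back to its safe setting."""
    lines = ['Windows Registry Editor Version 5.00', '', f'[{ZONE3_KEY}]']
    for action, _, _, _ in findings:
        restore = INTERNET_ZONE_POLICY[action][2]
        lines.append(f'"{action}"=dword:{restore:08x}')
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    weak = audit_internet_zone(WEAK_ZONE_EXPORT)
    for action, label, current, recommended in weak:
        print(f'{action} {label}: {current} -> {recommended}')
    print(hardening_reg(weak))
```

Importing the generated file with `reg import` (or setting the same actions through Internet Options, Security tab, Default Level) is the repair; the audit is re-run on a fresh export afterwards, and the HKLM copy of the same Zones\3 key is worth exporting too, since a per-machine setting can override the per-user one.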


It's been running for several days and I think we can declare it fixed and archive it.

 

I upgraded to Adaware professional. I could not resist upgrading a product from a company that supports their free software version as well as you have.

 

This level of support from Lavasoft for free software is incredible. Many of the support folks at other unnamed companies whose products were not free basically threw up their hands at this infection, and basically said it wasn't their problem. Without your help, I probably would have had to reformat my hard drive and start over and that would have been very painful.

 

I don't quite have adwatch working correctly yet. It only seems to be catching tracking cookies for one account, but I'm sure I just haven't figured out the correct configuration yet.

 

Thanks for the terrific support. I'll do my best to keep things where I won't need it again :-)


Thanks for the kind words. Glad to hear you are now Pro user :unsure:

 

Official support for paid versions is available to you through our Customer Support Center as well

http://www.lavasoft.com/support/supportcenter/

 

You should have received by email instructions on how to register your product and get support, if needed, via the Customer Support Center.

 

We also provide these forums for the free users to obtain peer-to-peer assistance with Ad-Aware, and our volunteers here do a great job with that, although we can't always get to all of them when the demand so greatly overwhelms the number of folks here to lend assistance. The forum also provides an archive of resolved topics where users can search and often find their answers solved in similar topics.

 

I'll go ahead and archive this topic in the "resolved" section (read only). If you should have any further issues, please feel free to start a new topic (or use the Customer Support Center) :)
