Jump to content


Photo

New Trojan VirusBursters


  • Please log in to reply
21 replies to this topic

#1 iim1rmg

iim1rmg

    Member

  • Members
  • PipPip
  • 12 posts

Posted 02 November 2006 - 11:06 PM

My computer (Winows XP Media Edition SP-2) has been hijacked by a new and aparantly more robust and destructive variation (VirusBursters) of an older Trojan called VirusBurst.

It is not detected by Lavasoft Adaware SE with definitions valid through 11/1/2006.

It invades the toolbar with false virus/trojan/infection balloons asking me to click on the balloon to download the latest detection-removal SW. It also causes various popping noises and duplicates the sound Adaware SE uses when finished with a scan in which infections are found. It makes this noise during the shutdown process. It also attempts to access the internet by itself.

It has hijacked IE such that it will not allow going to any other website than theirs. It has made some of the IE menu features such as "About Internet Explorer" and "Internet Options" No longer available.

It is hidden very well. I have deleted all files and folders with VirusBursters in the name and I have used Regedit to manually delete any entries obviously related. It still persists and is not detected by Adaware SE (or several other Spyware programs).

I can not access the internet until I rid the computer or this infestation.

Is there a manual removal method or a tool that can be downloaded using another computer then used to fix this?

#2 spike-nz

spike-nz

    Advanced Member

  • Volunteer Security Advisor
  • PipPipPip
  • 3092 posts

Posted 03 November 2006 - 08:16 AM

Hi iim1rmg,

To assist the malware experts with analysing your problems, please post logs from Ad-Aware and HijackThis, as per the steps in my post here: NewToFord's own Topic, Split from another user's thread

Please also notice my comment in that post on possible delays - thanks :)

Regards,

Spike


EDIT: iim1rmg - please edit your post below

Edit_Choices.gif

choose "Full Edit" and post your log in full, rather than as an attachment, which is harder for the expert log-readers to follow.

I am posting this way so as to avoid "bumping" your post - logs are read from oldest to newest :)

Thanks, Spike

Edited by spike-nz, 05 November 2006 - 11:17 AM.


#3 iim1rmg

iim1rmg

    Member

  • Members
  • PipPip
  • 12 posts

Posted 04 November 2006 - 01:38 AM

Hi iim1rmg,

To assist the malware experts with analysing your problems, please post logs from Ad-Aware and HijackThis, as per the steps in my post here: NewToFord's own Topic, Split from another user's thread

Please also notice my comment in that post on possible delays - thanks :)

Regards,

Spike


Thank You. I have attached the Hijack This log which I have with me. I can run Adaware SE again when I am back at the infected computer, but I do not have a copy of the log with me now. I ran it with definitions updated through 11/1/2006 and it found nothing but the MRU Lists. I get a log if it helps. Also- when I first found the Malware infection, I ran McAfee Virus scan - it detected the VirusBurster PuP. I used McAfee to delete the PuP, but it did not clean the infestation. Since then I have run Windows Defender Beta, Spybot S&D, and Adaware SE. None can detect this. I also have some word files with Printscreens of some examples of what this is doing on the toolbar and pop-up balloons as well as a list of the processes running at startup if those would help. My home computer is dead as far as internet connection goes until I get this off it. Thanks for the help - I need it.



Edit by LS CalamityJane: Pasting in log for easier reading


Logfile of HijackThis v1.99.1
Scan saved at 10:29:35 PM, on 11/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\windows\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\windows\system32\spoolsv.exe
C:\WINDOWS\ehome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\windows\System32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\windows\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
C:\windows\Explorer.EXE
C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
C:\windows\system32\svchost.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\VideoKeyCodec\isamonitor.exe
C:\Program Files\VideoKeyCodec\pmsngr.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\VideoKeyCodec\pmmon.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\VideoKeyCodec\isamini.exe
C:\Program Files\SONY\sHotKey\sHotKey.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\AGRSMMSG.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\Program Files\Prolific\One Button\OneBtn.exe
C:\windows\system32\ezSP_Px.exe
C:\windows\system32\CTHELPER.EXE
C:\program files\support.com\client\bin\tgcmd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\windows\system32\ctfmon.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPHipm11.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Palm\inboxtogo-watch.exe
C:\Program Files\Palm\inboxtogo-agent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\windows\system32\taskmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Robert Grove\My Download Update Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.att.net/i...arch/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.worldnet.att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.att.net/i...arch/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {58A21FDD-F219-F4CB-1F41-DF3872489097} - blank (file missing)
O2 - BHO: (no name) - {8bf5b8fc-11cb-409f-8c91-4d4ca04a1b6d} - C:\Program Files\VideoKeyCodec\isaddon.dll
O2 - BHO: (no name) - {93376228-DDEF-F04A-B118-FA7AE6C20D97} - blank (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - blank (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Protection Bar - {1a29a79a-b9c8-44a9-bedf-7fadde3cf33f} - C:\Program Files\VideoKeyCodec\iesplugin.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [sHotKey] "C:\Program Files\SONY\sHotKey\sHotKey.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Prolific_OneButton] C:\Program Files\Prolific\One Button\OneBtn.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\windows\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [tgcmd] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DataViz Mail.lnk = C:\Program Files\Palm\inboxtogo-watch.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net
O15 - Trusted Zone: http://www.att.net
O15 - Trusted Zone: http://www.worldnet.att.net
O15 - Trusted Zone: *.oregonstateparks.org
O15 - Trusted Zone: *.reserveamerica.com
O15 - Trusted Zone: *.verizon.com
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony...ct/VaioInfo.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1136778960359
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll
O21 - SSODL: ferrateen - {27321538-5739-4aa1-b84c-7d18e4383f1f} - C:\windows\system32\rrtcany.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Unknown owner - C:\Program Files\Norton Internet Security\ccPxySvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
O23 - Service: Sony TVTA Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe


Edit by Admin LS CalamityJane: removed attachment...no longer needed

Edited by LS CalamityJane, 01 March 2007 - 02:01 PM.


#4 iim1rmg

iim1rmg

    Member

  • Members
  • PipPip
  • 12 posts

Posted 10 November 2006 - 05:49 PM

Hello Spike-

I didn't want to risk "bumping" this, but it's been a week since I posted the Hijack This Log. I wasn't sure whether you were waiting for the Adaware SE log or not, so here it is. Additional information- This annoying infection is still present when XP Media is started in Safe Mode.

Edit by LS CalamityJane: Pasting in log for easier reading


Ad-Aware SE Build 1.06r1
Logfile Created on:Thursday, November 09, 2006 8:43:22 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R129 26.10.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):16 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


11-9-2006 8:43:22 PM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\Robert Grove\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office


MRU List Object Recognized!
Location: : C:\Documents and Settings\Robert Grove\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-1910824584-1015912326-465561911-1004\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1910824584-1015912326-465561911-1004\software\microsoft\office\11.0\common\general
Description : list of recently used symbols in microsoft office


MRU List Object Recognized!
Location: : S-1-5-21-1910824584-1015912326-465561911-1004\software\microsoft\office\11.0\common\open find\microsoft office word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word


MRU List Object Recognized!
Location: : S-1-5-21-1910824584-1015912326-465561911-1004\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant


MRU List Object Recognized!
Location: : S-1-5-21-1910824584-1015912326-465561911-1004\software\microsoft\windows\currentversion\applets\regedit
Description : last key accessed using the microsoft registry editor


MRU List Object Recognized!
Location: : S-1-5-21-1910824584-1015912326-465561911-1004\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-1910824584-1015912326-465561911-1004\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-1910824584-1015912326-465561911-1004\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-1910824584-1015912326-465561911-1004\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 600
ThreadCreationTime : 11-3-2006 5:42:25 AM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\windows\system32\
ProcessID : 656
ThreadCreationTime : 11-3-2006 5:42:33 AM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\windows\system32\
ProcessID : 684
ThreadCreationTime : 11-3-2006 5:42:34 AM
BasePriority : High


#:4 [services.exe]
FilePath : C:\windows\system32\
ProcessID : 732
ThreadCreationTime : 11-3-2006 5:42:38 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\windows\system32\
ProcessID : 744
ThreadCreationTime : 11-3-2006 5:42:39 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\windows\system32\
ProcessID : 908
ThreadCreationTime : 11-3-2006 5:42:42 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\windows\system32\
ProcessID : 1012
ThreadCreationTime : 11-3-2006 5:42:44 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [msmpeng.exe]
FilePath : C:\Program Files\Windows Defender\
ProcessID : 1140
ThreadCreationTime : 11-3-2006 5:42:46 AM
BasePriority : Normal
FileVersion : 1.1.1347.0
ProductVersion : 1.1.1347.0
ProductName : Windows Defender
CompanyName : Microsoft Corporation
FileDescription : Service Executable
InternalName : MsMpEng.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : MsMpEng.exe

#:9 [svchost.exe]
FilePath : C:\windows\System32\
ProcessID : 1180
ThreadCreationTime : 11-3-2006 5:42:47 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\windows\System32\
ProcessID : 1276
ThreadCreationTime : 11-3-2006 5:42:47 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [svchost.exe]
FilePath : C:\windows\System32\
ProcessID : 1432
ThreadCreationTime : 11-3-2006 5:42:49 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:12 [ccsetmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1524
ThreadCreationTime : 11-3-2006 5:42:52 AM
BasePriority : Normal
FileVersion : 103.0.4.3
ProductVersion : 103.0.4.3
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Settings Manager Service
InternalName : ccSetMgr
LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccSetMgr.exe

#:13 [ccevtmgr.exe]
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 1628
ThreadCreationTime : 11-3-2006 5:43:01 AM
BasePriority : Normal
FileVersion : 103.0.4.3
ProductVersion : 103.0.4.3
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright © 2000-2004 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe

#:14 [spoolsv.exe]
FilePath : C:\windows\system32\
ProcessID : 1780
ThreadCreationTime : 11-3-2006 5:43:02 AM
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:15 [ehsched.exe]
FilePath : C:\WINDOWS\ehome\
ProcessID : 1900
ThreadCreationTime : 11-3-2006 5:43:09 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Media Center Scheduler Service
InternalName : ehSched
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ehSched.exe

#:16 [mcdetect.exe]
FilePath : c:\program files\mcafee.com\agent\
ProcessID : 1952
ThreadCreationTime : 11-3-2006 5:43:09 AM
BasePriority : Normal
FileVersion : 6, 0, 0, 19
ProductVersion : 6, 0, 0, 0
ProductName : McAfee SecurityCenter
CompanyName : McAfee, Inc
FileDescription : McAfee WSC Integration Service
InternalName : McDetect
LegalCopyright : Copyright © 2005 McAfee, Inc.
OriginalFilename : McDetect.exe
Comments : McAfee WSC Integration Service

#:17 [mcshield.exe]
FilePath : c:\PROGRA~1\mcafee.com\vso\
ProcessID : 1984
ThreadCreationTime : 11-3-2006 5:43:09 AM
BasePriority : High


#:18 [mctskshd.exe]
FilePath : c:\PROGRA~1\mcafee.com\agent\
ProcessID : 2016
ThreadCreationTime : 11-3-2006 5:43:10 AM
BasePriority : Normal
FileVersion : 6, 0, 0, 13
ProductVersion : 6, 0, 0, 0
ProductName : McAfee SecurityCenter
CompanyName : McAfee, Inc
FileDescription : McAfee Task Scheduler
InternalName : McTskshd
LegalCopyright : Copyright © 2005 McAfee, Inc.
OriginalFilename : McTskshd.exe

#:19 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\
ProcessID : 332
ThreadCreationTime : 11-3-2006 5:43:18 AM
BasePriority : Normal
FileVersion : 7.00.9466
ProductVersion : 7.00.9466
ProductName : Microsoft® Visual Studio .NET
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : mdm.exe

#:20 [mpfservice.exe]
FilePath : C:\PROGRA~1\McAfee.com\PERSON~1\
ProcessID : 368
ThreadCreationTime : 11-3-2006 5:43:19 AM
BasePriority : Normal
FileVersion : 7.1.0.113
ProductVersion : 7.1.0.113
ProductName : McAfee Personal Firewall
CompanyName : McAfee Corporation
FileDescription : McAfee Personal Firewall Service
InternalName : MPFService
LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.
OriginalFilename : MpfService.exe
Comments : McAfee Personal Firewall Service

#:21 [nvsvc32.exe]
FilePath : C:\windows\System32\
ProcessID : 284
ThreadCreationTime : 11-3-2006 5:43:22 AM
BasePriority : Normal
FileVersion : 6.14.10.4528
ProductVersion : 6.14.10.4528
ProductName : NVIDIA Driver Helper Service, Version 45.28
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 45.28
InternalName : NVSVC
LegalCopyright : © NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe

#:22 [ioctlsvc.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 532
ThreadCreationTime : 11-3-2006 5:43:22 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 0
ProductVersion : 1, 0, 0, 0
ProductName : IoctlSvc Application
CompanyName : Prolific Technology Inc.
FileDescription : PLFlash DeviceIoControl Service
InternalName : IoctlSvc
LegalCopyright : Copyright © 2003 Prolific Technology Inc.
OriginalFilename : IoctlSvc.exe

#:23 [retrorun.exe]
FilePath : C:\PROGRA~1\Dantz\RETROS~1\
ProcessID : 556
ThreadCreationTime : 11-3-2006 5:43:23 AM
BasePriority : Normal
FileVersion : 6.5.342
ProductVersion : 6.5
ProductName : Retrospect
CompanyName : Dantz Development Corporation
FileDescription : Retrospect
InternalName :
LegalCopyright : Copyright Dantz 1989-2003
LegalTrademarks : Dantz® Retrospect®
OriginalFilename : retrorun.exe

#:24 [sonicstagemonitoring.exe]
FilePath : C:\Program Files\Common Files\Sony Shared\WMPlugIn\
ProcessID : 1260
ThreadCreationTime : 11-3-2006 5:43:33 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 09121
ProductVersion : 1, 0, 0, 1
ProductName : SonicStageMonitoring Module
CompanyName : Sony Corporation
FileDescription : SonicStageMonitoring Module
InternalName : SonicStageMonitoring
LegalCopyright : Copyright 2003
OriginalFilename : SonicStageMonitoring.EXE
Comments : Monitoring Service

#:25 [smceman.exe]
FilePath : C:\Program Files\Sony\Sony TV Tuner Library\
ProcessID : 1292
ThreadCreationTime : 11-3-2006 5:43:33 AM
BasePriority : Normal
FileVersion : 1, 0, 0,08131
ProductVersion : 1, 0, 0, 08110
ProductName : Sony TV Tuner Library
CompanyName : Sony Corporation
FileDescription : SMceMan Module
InternalName : SMceMan
LegalCopyright : Copyright 2003 Sony Corp.
OriginalFilename : SMceMan.EXE
Comments : Aug.11 .2003

#:26 [svchost.exe]
FilePath : C:\windows\System32\
ProcessID : 1324
ThreadCreationTime : 11-3-2006 5:43:33 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:27 [wdfmgr.exe]
FilePath : C:\windows\system32\
ProcessID : 1652
ThreadCreationTime : 11-3-2006 5:43:37 AM
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: dnsrv(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:28 [sssvr.exe]
FilePath : C:\Program Files\Sony\VAIO Media Integrated Server\Music\
ProcessID : 2076
ThreadCreationTime : 11-3-2006 5:43:39 AM
BasePriority : Normal
FileVersion : 2.6.00.08280
ProductVersion : 2.6.00
ProductName : VAIO Media Music Server
CompanyName : Sony Corporation
FileDescription : VAIO Media Music Server
InternalName : SSSvr
LegalCopyright : Copyright 2002,2003 Sony Corp.
OriginalFilename : SSSvr.exe
Comments : VAIO Media Music Server

#:29 [explorer.exe]
FilePath : C:\windows\
ProcessID : 2084
ThreadCreationTime : 11-3-2006 5:43:39 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:30 [photoappsrv.exe]
FilePath : C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\
ProcessID : 2204
ThreadCreationTime : 11-3-2006 5:43:45 AM
BasePriority : Normal


#:31 [gpvsvr.exe]
FilePath : C:\Program Files\Sony\VAIO Media Integrated Server\Video\
ProcessID : 2284
ThreadCreationTime : 11-3-2006 5:43:50 AM
BasePriority : Normal


#:32 [svchost.exe]
FilePath : C:\windows\system32\
ProcessID : 2368
ThreadCreationTime : 11-3-2006 5:43:56 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:33 [sv_httpd.exe]
FilePath : C:\Program Files\Sony\VAIO Media Integrated Server\Platform\
ProcessID : 2668
ThreadCreationTime : 11-3-2006 5:44:04 AM
BasePriority : Normal
FileVersion : 2.6.00.06090
ProductVersion : 2.6.00.06090
ProductName : SV_Httpd.exe
CompanyName : Sony Corporation
FileDescription : Sony HTTP Server
InternalName : SV_Httpd
LegalCopyright : Copyright 2002, 2003 Sony Corp.
OriginalFilename : SV_Httpd.exe

#:34 [sv_httpd.exe]
FilePath : C:\Program Files\Sony\VAIO Media Integrated Server\Platform\
ProcessID : 2800
ThreadCreationTime : 11-3-2006 5:44:08 AM
BasePriority : Normal
FileVersion : 2.6.00.06090
ProductVersion : 2.6.00.06090
ProductName : SV_Httpd.exe
CompanyName : Sony Corporation
FileDescription : Sony HTTP Server
InternalName : SV_Httpd
LegalCopyright : Copyright 2002, 2003 Sony Corp.
OriginalFilename : SV_Httpd.exe

#:35 [sv_httpd.exe]
FilePath : C:\Program Files\Sony\VAIO Media Integrated Server\Platform\
ProcessID : 2828
ThreadCreationTime : 11-3-2006 5:44:08 AM
BasePriority : Normal
FileVersion : 2.6.00.06090
ProductVersion : 2.6.00.06090
ProductName : SV_Httpd.exe
CompanyName : Sony Corporation
FileDescription : Sony HTTP Server
InternalName : SV_Httpd
LegalCopyright : Copyright 2002, 2003 Sony Corp.
OriginalFilename : SV_Httpd.exe

#:36 [upnpframework.exe]
FilePath : C:\Program Files\Sony\VAIO Media Integrated Server\Platform\
ProcessID : 2940
ThreadCreationTime : 11-3-2006 5:44:10 AM
BasePriority : Normal
FileVersion : 4.0.00.07150
ProductVersion : 4.0.00.07150
ProductName : UPnPFramework.exe
CompanyName : Sony Corporation
FileDescription : Sony UPnP Framework
InternalName : UPnPFramework
LegalCopyright : Copyright 2002,2003 Sony Corp.
OriginalFilename : UPnPFramework.exe

#:37 [isamonitor.exe]
FilePath : C:\Program Files\VideoKeyCodec\
ProcessID : 2964
ThreadCreationTime : 11-3-2006 5:44:10 AM
BasePriority : Normal


#:38 [pmsngr.exe]
FilePath : C:\Program Files\VideoKeyCodec\
ProcessID : 2980
ThreadCreationTime : 11-3-2006 5:44:10 AM
BasePriority : Normal


#:39 [hpgs2wnd.exe]
FilePath : C:\Program Files\Hewlett-Packard\HP Share-to-Web\
ProcessID : 3028
ThreadCreationTime : 11-3-2006 5:44:11 AM
BasePriority : Normal
FileVersion : 2,3,0,0\ 162
ProductVersion : 2,3,0,0\ 162
ProductName : Hewlett-Packard hpgs2wnd
CompanyName : Hewlett-Packard
FileDescription : hpgs2wnd
InternalName : hpgs2wnd
LegalCopyright : Copyright © 2001
OriginalFilename : hpgs2wnd.exe

#:40 [upnpframework.exe]
FilePath : C:\Program Files\Sony\VAIO Media Integrated Server\Platform\
ProcessID : 3056
ThreadCreationTime : 11-3-2006 5:44:11 AM
BasePriority : Normal
FileVersion : 4.0.00.07150
ProductVersion : 4.0.00.07150
ProductName : UPnPFramework.exe
CompanyName : Sony Corporation
FileDescription : Sony UPnP Framework
InternalName : UPnPFramework
LegalCopyright : Copyright 2002,2003 Sony Corp.
OriginalFilename : UPnPFramework.exe

#:41 [upnpframework.exe]
FilePath : C:\Program Files\Sony\VAIO Media Integrated Server\Platform\
ProcessID : 3080
ThreadCreationTime : 11-3-2006 5:44:11 AM
BasePriority : Normal
FileVersion : 4.0.00.07150
ProductVersion : 4.0.00.07150
ProductName : UPnPFramework.exe
CompanyName : Sony Corporation
FileDescription : Sony UPnP Framework
InternalName : UPnPFramework
LegalCopyright : Copyright 2002,2003 Sony Corp.
OriginalFilename : UPnPFramework.exe

#:42 [pmmon.exe]
FilePath : C:\Program Files\VideoKeyCodec\
ProcessID : 3156
ThreadCreationTime : 11-3-2006 5:44:12 AM
BasePriority : Normal


#:43 [hphmon04.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 3180
ThreadCreationTime : 11-3-2006 5:44:13 AM
BasePriority : Normal
FileVersion : 4,2,41
ProductVersion : 4,2,41
ProductName : hp photosmart
CompanyName : Hewlett-Packard
FileDescription : HPHmon04
InternalName : HPHmon04
LegalCopyright : Copyright © 2001
OriginalFilename : HPHmon04.exe

#:44 [hpztsb07.exe]
FilePath : C:\WINDOWS\System32\spool\drivers\w32x86\3\
ProcessID : 3200
ThreadCreationTime : 11-3-2006 5:44:13 AM
BasePriority : Normal
FileVersion : 2,140,0,0
ProductVersion : 2,140,0,0
ProductName : HP DeskJet
CompanyName : HP
LegalCopyright : Copyright © Hewlett-Packard Company 1999-2002

#:45 [hpgs2wnf.exe]
FilePath : C:\Program Files\Hewlett-Packard\HP Share-to-Web\
ProcessID : 3204
ThreadCreationTime : 11-3-2006 5:44:13 AM
BasePriority : Normal
FileVersion : 2, 6, 0, 162
ProductVersion : 2, 6, 0, 162
ProductName : hpgs2wnf Module
FileDescription : hpgs2wnf Module
InternalName : hpgs2wnf
LegalCopyright : Copyright 2001
OriginalFilename : hpgs2wnf.EXE

#:46 [isamini.exe]
FilePath : C:\Program Files\VideoKeyCodec\
ProcessID : 3216
ThreadCreationTime : 11-3-2006 5:44:13 AM
BasePriority : Normal


#:47 [shotkey.exe]
FilePath : C:\Program Files\SONY\sHotKey\
ProcessID : 3300
ThreadCreationTime : 11-3-2006 5:44:14 AM
BasePriority : Normal


#:48 [ehtray.exe]
FilePath : C:\WINDOWS\ehome\
ProcessID : 3312
ThreadCreationTime : 11-3-2006 5:44:14 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Media Center Tray Applet
InternalName : ehtray
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ehtray.exe

#:49 [agrsmmsg.exe]
FilePath : C:\windows\
ProcessID : 3376
ThreadCreationTime : 11-3-2006 5:44:17 AM
BasePriority : Normal
FileVersion : 2.1.46 2.1.46 07/22/2004 13:38:36
ProductVersion : 2.1.46 2.1.46 07/22/2004 13:38:36
ProductName : Agere SoftModem Messaging Applet
CompanyName : Agere Systems
FileDescription : SoftModem Messaging Applet
InternalName : smdmstat.exe
LegalCopyright : Copyright © Agere Systems 1998-2000
OriginalFilename : smdmstat.exe

#:50 [rm_sv.exe]
FilePath : C:\Program Files\Sony\Sony TV Tuner Library\
ProcessID : 3428
ThreadCreationTime : 11-3-2006 5:44:19 AM
BasePriority : Normal
FileVersion : 5, 5, 0,08131
ProductVersion : 5, 5, 0, 05280
ProductName : Giga Pocket
CompanyName : Sony Corporation
FileDescription : RM_SV Module
InternalName : RM_SV
LegalCopyright : Copyright 2002, 2003 Sony Corp.
OriginalFilename : RM_SV.EXE
Comments : May.28 .2003

#:51 [onebtn.exe]
FilePath : C:\Program Files\Prolific\One Button\
ProcessID : 3568
ThreadCreationTime : 11-3-2006 5:44:27 AM
BasePriority : Normal
FileVersion : 1, 3, 0, 0
ProductVersion : 1, 3, 0, 0
ProductName : OneBtn Application
FileDescription : One Button Launch Application for PL-X507
InternalName : OneBtn
LegalCopyright : Copyright © 2004 Prolific Technology Inc.
OriginalFilename : OneBtn.exe

#:52 [ezsp_px.exe]
FilePath : C:\windows\system32\
ProcessID : 3616
ThreadCreationTime : 11-3-2006 5:44:28 AM
BasePriority : Normal


#:53 [cthelper.exe]
FilePath : C:\windows\system32\
ProcessID : 3628
ThreadCreationTime : 11-3-2006 5:44:28 AM
BasePriority : Normal
FileVersion : 1, 1, 0, 0
ProductVersion : 1, 1, 0, 0
ProductName : CtHelper Application
CompanyName : Creative Technology Ltd
FileDescription : CtHelper MFC Application
InternalName : CtHelper
LegalCopyright : Copyright © 2002
OriginalFilename : CtHelper.EXE

#:54 [tgcmd.exe]
FilePath : C:\program files\support.com\client\bin\
ProcessID : 3640
ThreadCreationTime : 11-3-2006 5:44:29 AM
BasePriority : Normal
FileVersion : 5,5,402,0
ProductVersion : 5,5,402,0
ProductName : Support.com Scheduler and Command Dispatcher
CompanyName : Support.com, Inc.
FileDescription : Support.com Scheduler and Command Dispatcher
InternalName : TGCMD
LegalCopyright : Copyright 1997-2069 Support.com
OriginalFilename : TGCMD.EXE

#:55 [mpftray.exe]
FilePath : C:\PROGRA~1\McAfee.com\PERSON~1\
ProcessID : 3676
ThreadCreationTime : 11-3-2006 5:44:32 AM
BasePriority : Normal
FileVersion : 7.1.0.113
ProductVersion : 7.1.0.113
ProductName : McAfee Personal Firewall (MPF)
CompanyName : McAfee Security
FileDescription : McAfee Personal Firewall Tray Monitor
InternalName : MpfTray
LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.
OriginalFilename : MPFTRAY.EXE
Comments : Tray Icon for McAfee Personal Firewall

#:56 [mcagent.exe]
FilePath : C:\PROGRA~1\mcafee.com\agent\
ProcessID : 3684
ThreadCreationTime : 11-3-2006 5:44:33 AM
BasePriority : Normal
FileVersion : 6, 0, 0, 16
ProductVersion : 6, 0, 0, 0
ProductName : McAfee SecurityCenter
CompanyName : McAfee, Inc
FileDescription : McAfee SecurityCenter Agent
InternalName : mcagent
LegalCopyright : Copyright © 2005 McAfee, Inc.
OriginalFilename : mcagent.exe

#:57 [mcvsshld.exe]
FilePath : C:\Program Files\McAfee.com\VSO\
ProcessID : 3708
ThreadCreationTime : 11-3-2006 5:44:34 AM
BasePriority : Normal
FileVersion : 10, 0, 0, 22
ProductVersion : 10, 0, 0, 0
ProductName : McAfee VirusScan
CompanyName : McAfee, Inc.
FileDescription : McAfee VirusScan ActiveShield Resource
InternalName : McVsShld
LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.
OriginalFilename : McVsShld.exe
Comments : McAfee VirusScan ActiveShield Resource

#:58 [oasclnt.exe]
FilePath : C:\Program Files\McAfee.com\VSO\
ProcessID : 3716
ThreadCreationTime : 11-3-2006 5:44:35 AM
BasePriority : Normal
FileVersion : 10, 0, 0, 24
ProductVersion : 10, 0, 0, 0
ProductName : McAfee VirusScan
CompanyName : McAfee, Inc.
FileDescription : McAfee VirusScan OAS Client
InternalName : OasClnt
LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.
OriginalFilename : OasClnt.exe
Comments : McAfee VirusScan OAS Client

#:59 [ssaad.exe]
FilePath : C:\PROGRA~1\Sony\SONICS~1\
ProcessID : 3724
ThreadCreationTime : 11-3-2006 5:44:35 AM
BasePriority : Normal
FileVersion : 3.0.00.13241
FileDescription : SonicStage Atrac Hard Disk Monitor
InternalName : SonicStage Atrac Hard Disk Monitor
LegalCopyright : Copyright 2005 Sony Corporation

#:60 [mscifapp.exe]
FilePath : C:\PROGRA~1\mcafee.com\mps\
ProcessID : 3732
ThreadCreationTime : 11-3-2006 5:44:35 AM
BasePriority : Normal
FileVersion : 8.1.0.136
ProductVersion : 8.1.0.136
ProductName : McAfee Privacy Service
CompanyName : McAfee, Inc.
FileDescription : McAfee Privacy Service
InternalName : mscifapp
LegalCopyright : Copyright © 2005 McAfee, Inc.
All rights reserved
OriginalFilename : mscifapp.exe

#:61 [liveupdate.exe]
FilePath : C:\Program Files\AceGain\LiveUpdate\
ProcessID : 3740
ThreadCreationTime : 11-3-2006 5:44:36 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : AceGain LiveUpdate
FileDescription : AceGain LiveUpdate
InternalName : AceGain LiveUpdate
LegalCopyright : AceGain Inc.
OriginalFilename : utilproxy

#:62 [ituneshelper.exe]
FilePath : C:\Program Files\iTunes\
ProcessID : 3752
ThreadCreationTime : 11-3-2006 5:44:36 AM
BasePriority : Normal
FileVersion : 6.0.4.2
ProductVersion : 6.0.4.2
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
LegalCopyright : © 2003-2006 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iTunesHelper.exe

#:63 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 3760
ThreadCreationTime : 11-3-2006 5:44:37 AM
BasePriority : Normal
FileVersion : 7.1
ProductVersion : QuickTime 7.1
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
FileDescription : QuickTime Task
InternalName : QuickTime Task
LegalCopyright : Copyright Apple Computer, Inc. 1989-2006
OriginalFilename : QTTask.exe

#:64 [msascui.exe]
FilePath : C:\Program Files\Windows Defender\
ProcessID : 3768
ThreadCreationTime : 11-3-2006 5:44:38 AM
BasePriority : Normal
FileVersion : 1.1.1347.0
ProductVersion : 1.1.1347.0
ProductName : Windows Defender
CompanyName : Microsoft Corporation
FileDescription : Windows Defender User Interface
InternalName : MSASCUI
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : MSASCUI.exe

#:65 [ctfmon.exe]
FilePath : C:\windows\system32\
ProcessID : 3944
ThreadCreationTime : 11-3-2006 5:44:40 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:66 [ehmsas.exe]
FilePath : C:\WINDOWS\ehome\
ProcessID : 4012
ThreadCreationTime : 11-3-2006 5:44:41 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Media Center Media Status Aggregator Service
InternalName : eHMSAS
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ehMSAS.exe

#:67 [msnmsgr.exe]
FilePath : C:\Program Files\MSN Messenger\
ProcessID : 544
ThreadCreationTime : 11-3-2006 5:44:45 AM
BasePriority : Normal
FileVersion : 5.0.0527
ProductVersion : Version 5.0
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msnmsgr
LegalCopyright : Copyright © Microsoft Corporation 1997-2002
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msnmsgr.exe

#:68 [mcvsescn.exe]
FilePath : c:\progra~1\mcafee.com\vso\
ProcessID : 1488
ThreadCreationTime : 11-3-2006 5:44:47 AM
BasePriority : Normal
FileVersion : 10, 0, 0, 20
ProductVersion : 10, 0, 0, 0
ProductName : McAfee VirusScan
CompanyName : McAfee, Inc.
FileDescription : McAfee VirusScan E-mail Scan Module
InternalName : mcvsescn
LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.
OriginalFilename : mcvsescn.EXE
Comments : McAfee VirusScan E-mail Scan Module

#:69 [ssscsisv.exe]
FilePath : C:\Program Files\Common Files\Sony Shared\AVLib\
ProcessID : 2056
ThreadCreationTime : 11-3-2006 5:44:48 AM
BasePriority : Normal
FileVersion : 3.0.00.13241
ProductVersion : 3.0.00
ProductName : SonicStage
CompanyName : Sony Corporation
FileDescription : SonicStage Scsi I/F Server
InternalName : SSScsiSV
LegalCopyright : Copyright 2005 Sony Corporation
OriginalFilename : SSScsiSV.EXE

#:70 [alg.exe]
FilePath : C:\windows\System32\
ProcessID : 2496
ThreadCreationTime : 11-3-2006 5:44:53 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:71 [ipodservice.exe]
FilePath : C:\Program Files\iPod\bin\
ProcessID : 3264
ThreadCreationTime : 11-3-2006 5:44:56 AM
BasePriority : Normal
FileVersion : 6.0.4.2
ProductVersion : 6.0.4.2
ProductName : iTunes
CompanyName : Apple Computer, Inc.
FileDescription : iPodService Module
InternalName : iPodService
LegalCopyright : © 2003-2006 Apple Computer, Inc. All Rights Reserved.
OriginalFilename : iPodService.exe

#:72 [mcvsftsn.exe]
FilePath : c:\progra~1\mcafee.com\vso\
ProcessID : 2888
ThreadCreationTime : 11-3-2006 5:44:58 AM
BasePriority : Normal
FileVersion : 10, 0, 0, 19
ProductVersion : 10, 0, 0, 0
ProductName : McAfee VirusScan
CompanyName : McAfee, Inc.
FileDescription : McAfee VirusScan Instant Messenger Scan Module
InternalName : mcvsftsn
LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.
OriginalFilename : mcvsftsn.EXE
Comments : McAfee VirusScan Instant Messenger Scan Module

#:73 [inboxtogo-watch.exe]
FilePath : C:\Program Files\Palm\
ProcessID : 3488
ThreadCreationTime : 11-3-2006 5:45:00 AM
BasePriority : Normal
FileVersion : 100.00 (124)
ProductVersion : 100.00 (124)
ProductName : DataViz Mail
FileDescription : DataViz Mail System Watchdog
InternalName : inboxtogo-watch.exe
LegalCopyright : Copyright © 1999-2002 DataViz, Inc.
OriginalFilename : inboxtogo-watch.exe

#:74 [inboxtogo-agent.exe]
FilePath : C:\Program Files\Palm\
ProcessID : 2548
ThreadCreationTime : 11-3-2006 5:45:02 AM
BasePriority : Normal
FileVersion : 100.00 (124)
ProductVersion : 100.00 (124)
ProductName : DataViz Mail
FileDescription : DataViz Mail Desktop Agent
InternalName : inboxtogo-agent.exe
LegalCopyright : Copyright © 1999-2002 DataViz, Inc.
OriginalFilename : inboxtogo-agent.exe

#:75 [mpfagent.exe]
FilePath : C:\PROGRA~1\McAfee.com\PERSON~1\
ProcessID : 4284
ThreadCreationTime : 11-3-2006 5:45:10 AM
BasePriority : Normal
FileVersion : 7.1.0.113
ProductVersion : 7.1.0.113
ProductName : McAfee Personal Firewall (MPF)
CompanyName : McAfee Security
FileDescription : McAfee Personal Firewall Agent Interface
InternalName : MpfAgent
LegalCopyright : Copyright © 2005 McAfee, Inc. All Rights Reserved.
OriginalFilename : MPFAGENT.EXE
Comments : McAfee Personal Firewall Security Center Module

#:76 [hotsync.exe]
FilePath : C:\Program Files\Palm\
ProcessID : 4304
ThreadCreationTime : 11-3-2006 5:45:11 AM
BasePriority : Normal
FileVersion : 4.0.4
ProductVersion : 4.1.0
ProductName : HotSync® Manager, Palm Desktop
CompanyName : Palm, Inc.
FileDescription : HotSync® Manager Application
InternalName : HotSync®
LegalCopyright : Copyright © 1995-2001 Palm, Inc.
LegalTrademarks : HotSync® is a registered trademark of Palm, Inc.
OriginalFilename : Hotsync.exe

#:77 [taskmgr.exe]
FilePath : C:\windows\system32\
ProcessID : 4400
ThreadCreationTime : 11-3-2006 5:45:14 AM
BasePriority : High
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows TaskManager
InternalName : taskmgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : taskmgr.exe

#:78 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ProcessID : 4424
ThreadCreationTime : 11-3-2006 5:45:16 AM
BasePriority : Normal
FileVersion : 4.7.3001
ProductVersion : Version 4.7.3001
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Windows Messenger
InternalName : msmsgs
LegalCopyright : Copyright © Microsoft Corporation 2004
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msmsgs.exe

#:79 [hphipm11.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 5996
ThreadCreationTime : 11-8-2006 4:03:15 PM
BasePriority : Normal
FileVersion : 4, 5, 0, 770
ProductVersion : 4, 5, 0, 770
ProductName : HP PML
CompanyName : HP
FileDescription : PML Driver
InternalName : PmlDrv
LegalCopyright : Copyright © 1998, 1999 Hewlett-Packard Company
OriginalFilename : PmlDrv.exe

#:80 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 5500
ThreadCreationTime : 11-10-2006 4:42:58 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 16


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 16


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 16


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 16



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 16


Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 16


Deep scanning and examining files (K:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for K:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 16


Scanning Hosts file......
Hosts file location:"C:\windows\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 16




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 16

9:01:46 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:18:23.781
Objects scanned:239745
Objects identified:0
Objects ignored:0
New critical objects:0


Edit by Admin LS CalamityJane: removed attachment...no longer needed

Edited by LS CalamityJane, 01 March 2007 - 02:11 PM.


#5 LS CalamityJane

LS CalamityJane

    Former Lavasoft Staff

  • Members
  • PipPipPip
  • 8814 posts

Posted 13 November 2006 - 12:31 AM

Hi ,

Apologies for the late reply, we've been quite swamped in here as you can probably see.

Are you still needing help?

I'm now subscribed to this topic so I will receive a notice from the board as soon as you reply, so I can be here much more quickly than it has taken to get to your new topic.

If you still need help, please post a fresh HijackThis log so I can see where you are at this point
Please do NOT send Private Messages to Staff or helpers to request assistance! We do not give a personal support via PM The way to request help is to post a NEW TOPIC in the appropriate forum.

Look for the *New Topic* Button near the top right when viewing the forums.

Here in the forums, replies are posted to topics only. Thank you for your understanding and cooperation!
Plus and Pro Ad-Aware users (only) may use the Support Center for personal assistance:
Support Center


Microsoft MVP/Windows - Security 2003-2009

#6 iim1rmg

iim1rmg

    Member

  • Members
  • PipPip
  • 12 posts

Posted 13 November 2006 - 07:08 PM

Yes!! I still need help and I'll get a fresh log tonight and post it in the morning. Thanks Calamity.

Some new information. I turned off system restore then tried booting from a disaster recovery CD-ROM. The first time I did this, it booted without the toolbar infection. I connected to the internet and updated all my Virus/Spyware definitions. It had so mutilated my McAfee Virus Scan SW that I had to re-install it. Lots of stuff got detected and supposedly cleaned including Puper and Zlob. I then disconnected from the internet, ran a commercial registry mechanic (twice) and then tried booting into safe mode. The infection was back although I seem to have crippled it some. The pop-up windows on the tool bar are still there, but all the annoying sound effects seem to be gone as well as the big fake system message box. I then tried to reboot from the CD, but now the infection is there when I boot from the CD as well as from the hard disk. I'll get fresh hijack-this and Adaware SE logs (with the newer definitions) and post in the morning. Thanks again. The tool-bar pop-up balloon and the new explorer window it opens by itself every few minutes tries to take me to a web-site in austria to sell me removal SW. I suspect these are the folks who created the infection in the first place. The pop-up also wants me to click the "baloon" <SIC>.

#7 LS CalamityJane

LS CalamityJane

    Former Lavasoft Staff

  • Members
  • PipPipPip
  • 8814 posts

Posted 13 November 2006 - 07:25 PM

Ok, sounds good - I think you made progress :)

Take this tool with you as well, it should take out anything remaining of the Zlob/Smitfraud infection I saw in the prior logs. Ad-Aware updated may also detect it by this time. (There are thousands of new variants of this released every week - very hard for the security programs to keep up with).

This stand-alone free removal tool is developed and kept up to date by a volunteer spyware-researcher in France, goes by the username S!ri, so he usually has the latest Zlob/Smitfraud nasties covered as far as removal goes.

You have the desktop Hijacker from a fake codec as described Here in our September Newsletter.

1. Download SmitfraudFix (by S!Ri) to your Desktop (Win2k/WinXP only!).
http://siri.urz.free...mitfraudFix.zip
Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

How to extract (decompress) zipped or compressed files
http://www.lvsonline...tut/index.shtml

Note : process.exe is part of the SmitFraudFix tool and is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky, Panda) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.


2. Reboot into Safe Mode
You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

How to start the computer in Safe mode
http://service1.syma...src=sec_doc_nam

3. Once in Safe mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually.

4. Once back into normal mode, please scan with HijackThis to produce a log. Post that log into your topic along with the other requested logs named below.

Logs needed in your next post are:

rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed

Fresh HijackThis log

Warning : running option #2 on a non infected computer will remove your Desktop background.
Please do NOT send Private Messages to Staff or helpers to request assistance! We do not give a personal support via PM The way to request help is to post a NEW TOPIC in the appropriate forum.

Look for the *New Topic* Button near the top right when viewing the forums.

Here in the forums, replies are posted to topics only. Thank you for your understanding and cooperation!
Plus and Pro Ad-Aware users (only) may use the Support Center for personal assistance:
Support Center


Microsoft MVP/Windows - Security 2003-2009

#8 iim1rmg

iim1rmg

    Member

  • Members
  • PipPip
  • 12 posts

Posted 15 November 2006 - 06:57 PM

I think we've made progress :D

The symptoms have changed considerably, but I am still afraid to let it connect to the internet.

Iv'e attached the files.


Edit by Admin LS CalamityJane: removed attachment...no longer needed - see post below

Edited by LS CalamityJane, 01 March 2007 - 02:13 PM.


#9 LS CalamityJane

LS CalamityJane

    Former Lavasoft Staff

  • Members
  • PipPipPip
  • 8814 posts

Posted 16 November 2006 - 01:55 AM

Let me paste those logs in here for easier review

SmitFraudFix v2.120

Scan done at 22:58:26.48, Tue 11/14/2006
Run from C:\Documents and Settings\Robert Grove\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{27321538-5739-4aa1-b84c-7d18e4383f1f}"="ferrateen"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

...................................
Logfile of HijackThis v1.99.1
Scan saved at 11:11:21 PM, on 11/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\windows\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\windows\system32\spoolsv.exe
C:\WINDOWS\ehome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\windows\System32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\windows\Explorer.EXE
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\windows\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\windows\system32\svchost.exe
C:\Program Files\SONY\sHotKey\sHotKey.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\AGRSMMSG.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\Program Files\Prolific\One Button\OneBtn.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\windows\system32\ezSP_Px.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\windows\system32\CTHELPER.EXE
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\windows\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Palm\inboxtogo-watch.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Palm\inboxtogo-agent.exe
C:\Program Files\Palm\HOTSYNC.EXE
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\windows\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\windows\system32\wuauclt.exe
C:\Documents and Settings\Robert Grove\My Download Update Files\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {58A21FDD-F219-F4CB-1F41-DF3872489097} - blank (file missing)
O2 - BHO: (no name) - {93376228-DDEF-F04A-B118-FA7AE6C20D97} - blank (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - blank (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [sHotKey] "C:\Program Files\SONY\sHotKey\sHotKey.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [Prolific_OneButton] C:\Program Files\Prolific\One Button\OneBtn.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\windows\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [tgcmd] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DataViz Mail.lnk = C:\Program Files\Palm\inboxtogo-watch.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.worldnet.att.net
O15 - Trusted Zone: http://www.att.net
O15 - Trusted Zone: http://www.worldnet.att.net
O15 - Trusted Zone: *.oregonstateparks.org
O15 - Trusted Zone: *.reserveamerica.com
O15 - Trusted Zone: *.verizon.com
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony...ct/VaioInfo.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1136778960359
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Unknown owner - C:\Program Files\Norton Internet Security\ccPxySvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
O23 - Service: Sony TVTA Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
Please do NOT send Private Messages to Staff or helpers to request assistance! We do not give a personal support via PM The way to request help is to post a NEW TOPIC in the appropriate forum.

Look for the *New Topic* Button near the top right when viewing the forums.

Here in the forums, replies are posted to topics only. Thank you for your understanding and cooperation!
Plus and Pro Ad-Aware users (only) may use the Support Center for personal assistance:
Support Center


Microsoft MVP/Windows - Security 2003-2009

#10 LS CalamityJane

LS CalamityJane

    Former Lavasoft Staff

  • Members
  • PipPipPip
  • 8814 posts

Posted 16 November 2006 - 02:01 AM

Looks good!

Open HijackThis and do a *system scan only*

When it finishes, checkmark these entries, then press the *fix checked* button

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {58A21FDD-F219-F4CB-1F41-DF3872489097} - blank (file missing)

O2 - BHO: (no name) - {93376228-DDEF-F04A-B118-FA7AE6C20D97} - blank (file missing)

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - blank (file missing)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

Let me know if you see any remaining symptoms?
Please do NOT send Private Messages to Staff or helpers to request assistance! We do not give a personal support via PM The way to request help is to post a NEW TOPIC in the appropriate forum.

Look for the *New Topic* Button near the top right when viewing the forums.

Here in the forums, replies are posted to topics only. Thank you for your understanding and cooperation!
Plus and Pro Ad-Aware users (only) may use the Support Center for personal assistance:
Support Center


Microsoft MVP/Windows - Security 2003-2009

#11 iim1rmg

iim1rmg

    Member

  • Members
  • PipPip
  • 12 posts

Posted 17 November 2006 - 08:08 PM

I think we may have it. :)

After following the last instructions, the symptoms appeared to be gone. I let the computer connect the internet, updated all my virus/malware programs & definitions and rebooted to Safe mode, then ran them all.

They detected one Trojan called fake-alert and some spyware called browseraid and one called movie something. After cleaning these, I rebooted normally and ran them all again. One still detected browseraid and cleaned it.

Then I turned system restore back on.

As of now, none of my virus/malware detection programs is findinging anything and the symptoms of the initial infection are gone.

I've attached a couple of word files with "printscreens" of what this infection looked like in case they are of any help to anyone. Please just delete them if they have no value.

My computer still seems to be very slow, but that may be my imagination. Thank you. Thank you. Thank you.

Please let me know if we are not yet done.

Edit by Admin LS CalamityJane: Attachments removed...no longer needed

Edited by LS CalamityJane, 01 March 2007 - 01:58 PM.


#12 LS CalamityJane

LS CalamityJane

    Former Lavasoft Staff

  • Members
  • PipPipPip
  • 8814 posts

Posted 17 November 2006 - 10:13 PM

Yes, I know most all of fake alerts used
Screenshots of Desktop Hijack
http://www.dslreports.com/faq/14277

They have a long history.

Browseraid isn't related but the "fake alert" and (movie) are - could that have been "codec"?

You may have gotten this desktop hijack from a fake codec as described Here in our September Newsletter.

Also here:
Beware Fake Codecs - it could be a trojan
http://www.dslreport...remark,17163035
...............................
The slowness you perceive...could be if you are running both Symantec and McAfee AVs at the same time. Your log shows components from both.

Some final cleanup and prevention recomendations follow.

You can go ahead and delete any special tools we used (SmitfraudFix, etc). They won't serve a future purpose and are replaced with updated versions frequently, so the copies you have are probably already out of date and no need to keep them.

Do a disk cleanup. Go to Start > Run and type in the box: Cleanmgr
Wait while Windows scans your system for files to delete.
Make sure these 3 are checkmarked and press *ok* to delete them.

Temporary Files
Temporary Internet Files
Recycle Bin

Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?

One of the best features of Windows ME or XP is the System Restore option, however if a malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore.
Go to Start and right-click on *My Computer*.
Click Properties.
Click the System Restore tab.
Put a Checkmark in the box next to "Turn off System Restore".
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
Go to Start and right-click on *My Computer*.
Click Properties.
Click the System Restore tab.
Remove the checkmark next to "Turn off System Restore".
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb;en-us;310405
......................
Ad-Aware Plus has realtime protection to prevent infections before they have a chance to a get stronghold on your PC
http://www.lavasoft.com/

Also, I can't stress enough the importance of having your Windows critical Security Updates. Most malware today uses exploits on unpatched systems to creep onto your system without your even doing anything but visiting an infected webpage!!

Watch what you download, be careful where you surf, and don't trust attachments or even links in email and Instant messages. Even if they come from a buddy, that buddy could be the one infected and it is the virus sending that link from his account. You click on it thinking he is trusted, and *boom* you're infected.
Many "Phishing" attempts are made by cleverly crafted email to look like it is coming from an "official" source (like Microsoft, or your bank, or some other provider). Don't click on links in those. Go directly to the site instead and navigate the menus - don't trust email you think came from a "safe source" unless you are expecting it! There is more in the link I will provide below, but those are the choice avenues of infection these days.
Stay far AWAY from cracks and warez sites - you're sure to get infected files there, and the same can be said for files downloaded from p2p (more than half are usually infected and probably not detectable by your current security software - the newest nasties are always released in those venues).

A word about shared computers and networks.
Share Your PC
http://www.microsoft...hare/intro.mspx
Not all users need to have Admin Accounts. It is much safer to have most of your users on a shared system running as Limited User accounts. That way, if there is "an accident", it will only affect one user's account and not the entire system.


Next, I highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help :).
How do I prevent Browser Hijacks and Spyware?
http://www.dslreports.com/faq/13620

I'm happy to see you have SP2 installed. That will address numerous security issues in your Operating System and IE
Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month. This is the first step in malware prevention, as many nasties now take advantage of new exploits and if not patched, you are vulnerable!
Windows Update
http://update.micros...icrosoftupdate/

And see this link for instructions on how to configure the enhanced security features in SP2:
http://www.microsoft...xp/iesecxp.mspx

I also highly recommend to get the free tool, Microsoft Baseline Security Analyzer (MBSA) from Microsoft to analyze your PC security for prevention purposes.

MBSA Version 2.0 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provides easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here:
Microsoft Baseline Security Analyzer
http://www.microsoft...s/mbsahome.mspx
Choose MBSAsetup-EN.msi = (English Version) or the language appropriate for you.

Also visit this Free Online Scanner from Microsoft for PC Health and Safety
http://safety.live.c...-US/default.htm
and Microsoft Security At Home
http://www.microsoft...ty/default.mspx
for tips to Protect your Pc, Protect yourself and Protect your Family.
Please do NOT send Private Messages to Staff or helpers to request assistance! We do not give a personal support via PM The way to request help is to post a NEW TOPIC in the appropriate forum.

Look for the *New Topic* Button near the top right when viewing the forums.

Here in the forums, replies are posted to topics only. Thank you for your understanding and cooperation!
Plus and Pro Ad-Aware users (only) may use the Support Center for personal assistance:
Support Center


Microsoft MVP/Windows - Security 2003-2009

#13 iim1rmg

iim1rmg

    Member

  • Members
  • PipPip
  • 12 posts

Posted 20 November 2006 - 06:06 PM

Yaaaaaaaaaaaarrrrrrrrrrrrrrrrrrggggggggggg!!

I thought we had it, but as soon as I let it connect to the intenet, they start to come back!!

If I connect for even a minute, just to update definitions- then huntbar comes back. If I connect for a few minutes, then things start to happen - like my commercial registry mechanic looses a .dll and has to be re-installed and all sorts of trojans, malware, and spyware start to get detected. If I clean them all before shutting down, then the horrible toolbar stuff is not present at the next startup, but I don't think the computer is clean yet. Could it be a rootkit?

I had serious problems trying to install an update to the Symantec/Norten stuff you see. The original came installed on the computer and when I tried to update it to 2006, the update didn't de-install the previous components. After spending over 50 hours trying to get it to work and spending lots of time talking to nice folks in India, I gave up and switched. What you see are the Symantec parts that try as I have, I have been unsuccessful at removing or deinstalling.

I'll do the things you suggested, but is there anything else I should try? I'm starting to lose hope.

Thanks again for all the help.

#14 iim1rmg

iim1rmg

    Member

  • Members
  • PipPip
  • 12 posts

Posted 22 November 2006 - 06:06 PM

Are you still there? I think I still need help. It isn't gone yet. -Thanks

#15 LS CalamityJane

LS CalamityJane

    Former Lavasoft Staff

  • Members
  • PipPipPip
  • 8814 posts

Posted 22 November 2006 - 07:01 PM

Hi, yes - still here.

Our email notices of replies wasn't working the day you posted so I missed seeing it. Glad you posted back again.

1. Download this file - combofix.exe
http://download.blee...Bs/combofix.exe

2. Double click on combofix.exe & follow the prompts.

Note: If you receive a popup with a Disclaimer, read that and answer Y for yes (or N for no)
Y is recommended (if you put N, the tool will exit without fixing and will remove the combofix file and folders)


Do NOT click on the window while the fix is running, because that will cause your system to hang and the fix to stall.

3. When finished, it shall produce a log for you. Post that log in your next reply
Please do NOT send Private Messages to Staff or helpers to request assistance! We do not give a personal support via PM The way to request help is to post a NEW TOPIC in the appropriate forum.

Look for the *New Topic* Button near the top right when viewing the forums.

Here in the forums, replies are posted to topics only. Thank you for your understanding and cooperation!
Plus and Pro Ad-Aware users (only) may use the Support Center for personal assistance:
Support Center


Microsoft MVP/Windows - Security 2003-2009

#16 iim1rmg

iim1rmg

    Member

  • Members
  • PipPip
  • 12 posts

Posted 24 November 2006 - 07:49 PM

OK, that's done and the logfile follows.

Two additional symptoms that may or may not be related:

1.) Something on the computer changed the icon for the combofix program while I was watching, but not doing anything. The icon turned into a red circle with a white x in it. The program still appears to have run correctly and it did produce a log file.

2.) When I run cleanmgr, it shows that I have 32 Kb in "Webclient/Publisher Temporary" Files. I check the box, it says it is deleting them, but if I run cleanmgr again, they are still there. Does this mean anything to you?

We are almost certain that this infection began immediately after someone using the computer visited "Myspace" and clicked on a link in "Mymusic." I think you are probably correct in your guess that this infestation started with a false codec.

After running combofix, I ran Adaware SE again, and it found 7 new items, but they all seemed to be tracking cookies that it didn't find before. I also pasted that log just it case it tells you something.

Do I dare try letting it connect again, or should I do something else first. Every Virus and Malware program I have runs clean now, but most need new definitions. I did install the Microsoft Security Analyzer you recommended (it has a newer version now), but it needs to connect to the internet so I have not run it yet.

What do I do next? Can I let it connect?

Following is a paste of the combofix log.


Robert Grove - 06-11-23 12:11:13.35 Service Pack 2
ComboFix 06.11.22 - Running from: "C:\Documents and Settings\Robert Grove\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-10-23 to 2006-11-23 ))))))))))))))))))))))))))))))))))


2006-11-23 11:54 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-11-23 11:20 13,214,934 --a------ C:\sdat4902.exe
2006-11-19 13:46 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-11-19 13:46 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-11-19 13:46 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-11-14 22:58 4,740 --a------ C:\WINDOWS\system32\tmp.reg
2006-11-11 21:59 <DIR> d-------- C:\Program Files\Windows Defender
2006-11-11 21:19 <DIR> d-------- C:\Program Files\Common Files\Scanner
2006-11-11 21:19 <DIR> d-------- C:\Program Files\ComcastToolbar
2006-11-11 21:17 <DIR> d-------- C:\Documents and Settings\Robert Grove\Comcast
2006-11-11 19:11 <DIR> d-------- C:\SDAT
2006-11-02 22:08 <DIR> d-------- C:\Documents and Settings\Robert Grove\Virusbursters info
2006-10-31 21:16 <DIR> d-------- C:\Documents and Settings\Robert Grove\Hijackthis


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-23 12:03 -------- d-------- C:\Program Files\Registry Mechanic
2006-11-22 10:01 -------- d-------- C:\Program Files\Internet Explorer
2006-11-17 17:15 -------- d-------- C:\Program Files\Call of Duty
2006-11-11 21:19 -------- d-a------ C:\Program Files\Common Files
2006-10-13 04:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 04:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 04:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-13 02:23 163584 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys
2006-09-28 17:45 -------- d-------- C:\Program Files\Warcraft III
2006-09-12 21:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 07:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\windows\\system32\\ctfmon.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"HPHUPD04"="\"C:\\Program Files\\HP Photosmart 11\\hphinstall\\UniPatch\\hphupd04.exe\""
"HPHmon04"="C:\\WINDOWS\\System32\\hphmon04.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"VAIO Recovery"="C:\\WINDOWS\\Sonysys\\VAIO Recovery\\PartSeal.exe"
"sHotKey"="\"C:\\Program Files\\SONY\\sHotKey\\sHotKey.exe\""
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ATIModeChange"="Ati2mdxx.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"ZTgServerSwitch"="\"c:\\program files\\support.com\\client\\bin\\tgcmd.exe\" /server"
"Prolific_OneButton"="C:\\Program Files\\Prolific\\One Button\\OneBtn.exe"
"nwiz"="nwiz.exe /installquiet"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"ezShieldProtector for Px"="C:\\windows\\system32\\ezSP_Px.exe"
"CTHelper"="CTHELPER.EXE"
"tgcmd"="\"c:\\program files\\support.com\\client\\bin\\tgcmd.exe\" /server"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"SsAAD.exe"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
"MPSExe"="c:\\PROGRA~1\\mcafee.com\\mps\\mscifapp.exe /embedding"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SetDefaultMidi"="MIDIDEF.EXE"
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"SetDefaultMidi"="MIDIDEF.EXE"
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\windows\tasks\HP Usg Login.job
C:\windows\tasks\McAfee.com Scan for Viruses - My Computer (GROVEFAMILY1-Robert Grove).job
C:\windows\tasks\MP Scheduled Scan.job
C:\windows\tasks\Norton AntiVirus - Scan my computer - Robert Grove.job
C:\windows\tasks\Norton AntiVirus - Scan my computer.job
C:\windows\tasks\Registration reminder 1.job
C:\windows\tasks\Registration reminder 2.job
C:\windows\tasks\Registration reminder 3.job

Completion time: 06-11-23 12:13:01.82
C:\ComboFix.txt ... 06-11-23 12:13




Ad-Aware SE Build 1.06r1
Logfile Created on:Thursday, November 23, 2006 1:34:53 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R133 16.11.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):10 total references
Tracking Cookie(TAC index:3):7 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


11-23-2006 1:34:53 PM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\Robert Grove\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office


MRU List Object Recognized!
Location: : C:\Documents and Settings\Robert Grove\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-1910824584-1015912326-465561911-1004\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1910824584-1015912326-465561911-1004\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-1910824584-1015912326-465561911-1004\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-1910824584-1015912326-465561911-1004\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-1910824584-1015912326-465561911-1004\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 160
ThreadCreationTime : 11-23-2006 9:32:28 PM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\windows\system32\
ProcessID : 208
ThreadCreationTime : 11-23-2006 9:32:54 PM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\windows\system32\
ProcessID : 232
ThreadCreationTime : 11-23-2006 9:32:55 PM
BasePriority : High


#:4 [services.exe]
FilePath : C:\windows\system32\
ProcessID : 276
ThreadCreationTime : 11-23-2006 9:33:01 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\windows\system32\
ProcessID : 288
ThreadCreationTime : 11-23-2006 9:33:01 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\windows\system32\
ProcessID : 452
ThreadCreationTime : 11-23-2006 9:33:04 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\windows\system32\
ProcessID : 504
ThreadCreationTime : 11-23-2006 9:33:05 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [msmpeng.exe]
FilePath : C:\Program Files\Windows Defender\
ProcessID : 568
ThreadCreationTime : 11-23-2006 9:33:07 PM
BasePriority : Normal
FileVersion : 1.1.1593.0
ProductVersion : 1.1.1593.0
ProductName : Windows Defender
CompanyName : Microsoft Corporation
FileDescription : Service Executable
InternalName : MsMpEng.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : MsMpEng.exe

#:9 [svchost.exe]
FilePath : C:\windows\system32\
ProcessID : 632
ThreadCreationTime : 11-23-2006 9:33:08 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [explorer.exe]
FilePath : C:\windows\
ProcessID : 892
ThreadCreationTime : 11-23-2006 9:33:31 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:11 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 1140
ThreadCreationTime : 11-23-2006 9:34:30 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 10


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 10


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 10


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 10



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrew grove@2o7[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Andrew Grove\Cookies\andrew grove@2o7[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrew grove@a.as-us.falkag[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Andrew Grove\Cookies\andrew grove@a.as-us.falkag[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrew grove@as-us.falkag[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Andrew Grove\Cookies\andrew grove@as-us.falkag[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrew grove@live365[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Andrew Grove\Cookies\andrew grove@live365[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrew grove@questionmarket[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Andrew Grove\Cookies\andrew grove@questionmarket[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrew grove@statcounter[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Andrew Grove\Cookies\andrew grove@statcounter[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : andrew grove@tribalfusion[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Andrew Grove\Cookies\andrew grove@tribalfusion[2].txt

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 17


Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 17


Deep scanning and examining files (K:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for K:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 17


Scanning Hosts file......
Hosts file location:"C:\windows\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 17




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 17

2:02:09 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:27:16.203
Objects scanned:208337
Objects identified:7
Objects ignored:0
New critical objects:7

#17 LS CalamityJane

LS CalamityJane

    Former Lavasoft Staff

  • Members
  • PipPipPip
  • 8814 posts

Posted 24 November 2006 - 09:03 PM

There are no signs of any new or re-infection at all. Nor are the symptoms you describe

So re:

all sorts of trojans, malware, and spyware start to get detected.

I need to know what is "detecting" these - can you post logs from whatever program is telling you this that will give me some specifics to look at?

1.) Something on the computer changed the icon for the combofix program while I was watching, but not doing anything. The icon turned into a red circle with a white x in it.

The red circle with whiteX in it is the normal logo for ComboFix. Not sure what it was showing before but the redcircle one is correct.

2.) When I run cleanmgr, it shows that I have 32 Kb in "Webclient/Publisher Temporary" Files

Not a problem - explanation is here:
http://www.help2go.c...elete_them.html

Do I dare try letting it connect again, or should I do something else first. Every Virus and Malware program I have runs clean now, but most need new definitions.

Yes. If you get these "detections" again when you connect, get logs for me from whatever is telling you about new malware.

I did install the Microsoft Security Analyzer you recommended (it has a newer version now), but it needs to connect to the internet so I have not run it yet.

Correct. It has to connect to the update servers to work properly so it's worthless running it to analyze until you are connected to the internet.

Let me know how you make out.
Please do NOT send Private Messages to Staff or helpers to request assistance! We do not give a personal support via PM The way to request help is to post a NEW TOPIC in the appropriate forum.

Look for the *New Topic* Button near the top right when viewing the forums.

Here in the forums, replies are posted to topics only. Thank you for your understanding and cooperation!
Plus and Pro Ad-Aware users (only) may use the Support Center for personal assistance:
Support Center


Microsoft MVP/Windows - Security 2003-2009

#18 iim1rmg

iim1rmg

    Member

  • Members
  • PipPip
  • 12 posts

Posted 27 November 2006 - 06:13 PM

I ran several programs including Lavasoft Adaware SE, Mcafee Virus scan, Windows Defender, Spybot S&D, and the spyware detector from the Comcast toolbar. I don't remember what detected what, just that huntbar seemed to come back first. Maybe they are all gone now (I hope). There were I think eight other trojan programs and malware things detected but they may have all been related or multiple locations of the same files. One of them was "virusburst.exe" which I know had been previously deleted. I have since deleted all temporary files, turned off restore and run everything I have in safe mode twice and in regular mode two or three times. Everything seems to be clean now.

I'll try connecting when I get home tonight. I'll check for security updates first, update all my file definitions second, then I'll run the security analyzer, then, if it is still seems clean, I'll upgrade my adaware for the extra protection you recommended.

I'll let you know tomorrow and thanks once more for all the help. I really really appreciate it. Who would have thought 10 years ago that being without internet at home would be like... well like living without a cellphone :-)

#19 iim1rmg

iim1rmg

    Member

  • Members
  • PipPip
  • 12 posts

Posted 28 November 2006 - 05:24 PM

This time, I think we can declare victory. I was able to connect to the internet, download IE 7.0 and associated updates, update all my definitions files and run most of my detection programs last night, and it appears to have remained clean!!!

I also ran the security analyzer you recommended and found that my IE zone settings allowed almost everything! I don't know how they got that way but that certainly may have contributed to the infestation.

Thanks very much for staying with me through this. I'll re-enable system save, and I'll upgrade my Adaware before I use IE for anything and hopefully that will help keep this from recurring.

Now I'm sure that there are several hundred other people who need rescuing and you probably aren't in any immediate danger of becoming bored :-)

Again- many many thanks and best regards:

#20 LS CalamityJane

LS CalamityJane

    Former Lavasoft Staff

  • Members
  • PipPipPip
  • 8814 posts

Posted 28 November 2006 - 09:44 PM

Great! Glad to hear it :)

The malware you had on there may have changed your browser settings to a more vulnerable state, which is one reason I ask our users in cleanup to run that tool to assess the overall security of your system.

Give it a couple of days and if everything is continuing to run ok, let me know and I can then archive this topic :)
Please do NOT send Private Messages to Staff or helpers to request assistance! We do not give a personal support via PM The way to request help is to post a NEW TOPIC in the appropriate forum.

Look for the *New Topic* Button near the top right when viewing the forums.

Here in the forums, replies are posted to topics only. Thank you for your understanding and cooperation!
Plus and Pro Ad-Aware users (only) may use the Support Center for personal assistance:
Support Center


Microsoft MVP/Windows - Security 2003-2009




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users