
Solved: Help! AVAST is working non-stop, computer sounds like a jet engine!

Discussion in 'Virus & Other Malware Removal' started by bueno, Jul 13, 2007.

  1. bueno

    bueno Thread Starter

    Joined:
    Apr 25, 2007
    Messages:
    29
    Here's the HJT
    Logfile of HijackThis v1.99.1
    Scan saved at 12:42:26 PM, on 7/13/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\iTunes-new\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Documents and Settings\All Users\Application Data\ihqhgrsh.exe
    C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\QuickBooks Online Backup\CBSysTray.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\QuickBooks Online Backup\AgentSrv.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    C:\Program Files\Intuit\QuickBooks Pro\qbw32.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
    C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgr.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Documents and Settings\Christopher Blunt\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes-new\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [ihqhgrsh.exe] C:\Documents and Settings\All Users\Application Data\ihqhgrsh.exe
    O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
    O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
    O4 - HKLM\..\Run: [NI.UWAS7_0001_N91M2703] "C:\Program Files\poolsv\WinAntiSpyware2007FreeInstall.exe" -nag
    O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [win320961685733432007] C:\WINDOWS\win320961685733432007
    O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\ms0533436168572007.exe ICM001
    O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu2000219.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310F3D1DC7E4638E8323A15806F97BDE4417E70CE7C0726B954E1C2832210339226033AAC
    O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\nifxobnf.dll",forkonce
    O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
    O4 - HKCU\..\Run: [Outerinfo] "C:\Program Files\Outerinfo\Outerinfo.exe"
    O4 - HKCU\..\Run: [OuterinfoUpdate] "C:\Program Files\Outerinfo\OuterinfoUpdate.exe"
    O4 - Startup: QuickBooks Online Backup TaskBar Icon.LNK = C:\Program Files\QuickBooks Online Backup\OLSysTray.exe
    O4 - Startup: TA_Start.lnk = C:\WINDOWS\ms0533436168572007.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Palo Alto Software Update Manager 8.0.lnk = C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
    O4 - Global Startup: QuickBooks Online Backup TaskBar Icon.LNK = C:\Program Files\QuickBooks Online Backup\CBSysTray.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Global Startup: Shortcut to AcroTray.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Transfer by Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177481128687
    O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6485984E-7198-4290-A8A0-1746EBD126F5}: NameServer = 192.168.1.1,4.2.2.1
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\QuickBooks Online Backup\AgentSrv.EXE
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
    O23 - Service: VAIO Entertainment Task Scheduler - Sony Corporation - C:\Program Files\Sony\vaio entertainment\VzTaskScheduler.exe
    O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
    O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
    O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
    O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
    O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)
    O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
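As an added illustration (not part of this thread and not HijackThis's own code), here is a small Python triage script for the O4 autorun lines in a log like the one above. The sample lines are constructed from entries of the kind shown, and the heuristics are my own: names one edit away from a core Windows process (poolsv, svhost), file names built from long digit runs, executables launched from user-writable data directories, a long hex blob on the command line, a Run value pointing at a DLL, and rundll32 loading a DLL with a random-looking name. The output is a list of leads for a human to check, not a verdict; legitimate OEM entries with odd names will sometimes appear and should simply be reviewed.

```python
import re
from collections import namedtuple

# Constructed sample, modelled on O4 lines of the kind found in the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ihqhgrsh.exe] C:\Documents and Settings\All Users\Application Data\ihqhgrsh.exe
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [win320961685733432007] C:\WINDOWS\win320961685733432007
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu2000219.exe 61A847B5BBF72810329B385473F001F0B3E35B6638993F4661AA4EBD86D67C56
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\nifxobnf.dll",forkonce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\ms0533436168572007.exe
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<name>.*?) = (?P<cmd>.*)$")
# Process names that malware likes to imitate with a one-character change.
CORE_PROCESSES = sorted({"csrss", "ctfmon", "explorer", "iexplore", "lsass", "rundll32",
                         "services", "smss", "spoolsv", "svchost", "winlogon"})
Finding = namedtuple("Finding", "source name image reasons")


def edit_distance(a, b):
    # Plain Levenshtein distance (insert / delete / substitute).
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(stem):
    # Return the core process name this stem imitates, or None if it is not a lookalike.
    s = stem.lower()
    if s in CORE_PROCESSES:
        return None
    return next((c for c in CORE_PROCESSES if edit_distance(s, c) == 1), None)


def split_command(cmd):
    """Split a Run value into (image, arguments). Unquoted paths with spaces are cut at
    the first executable-looking extension; a heuristic, not CreateProcess's rules."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.search(r"\.(?:exe|dll|scr)(?=\s|$)", cmd, re.I)
    if m:
        return cmd[:m.end()], cmd[m.end():].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def looks_random(stem):
    # Letters-only names of 8+ characters with few vowels (e.g. nifxobnf) read as generated.
    s = stem.lower()
    return s.isalpha() and len(s) >= 8 and sum(ch in "aeiouy" for ch in s) / len(s) <= 0.25


def triage_entry(source, name, cmd):
    image, args = split_command(cmd)
    base = image.replace("/", "\\").rsplit("\\", 1)[-1]
    stem = base.rsplit(".", 1)[0] if "." in base else base
    reasons = []
    like = lookalike(stem)
    if like:
        reasons.append(f"name '{stem}' is one edit away from Windows process '{like}'")
    if re.search(r"\d{6,}", base):
        reasons.append("file name carries a long digit run (generated name)")
    if any(d in image.lower() for d in ("\\application data\\", "\\local settings\\", "\\temp\\")):
        reasons.append("executable lives in a user-writable data directory")
    if re.search(r"\b[0-9a-f]{32,}\b", args, re.I):
        reasons.append("command line carries a long hex blob")
    if base.lower().endswith(".dll"):
        reasons.append("Run value points at a DLL rather than an executable")
    if stem.lower() == "rundll32":
        dll = split_command(args)[0]
        dll_stem = dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if looks_random(dll_stem):
            reasons.append(f"rundll32 loads a DLL with a random-looking name: {dll}")
    return Finding(source, name, image, reasons)


def triage_log(text):
    """Return the O4 entries that trip at least one heuristic; leads, not verdicts."""
    findings = []
    for line in text.splitlines():
        m = RUN_RE.match(line.strip()) or STARTUP_RE.match(line.strip())
        if m:
            source = " ".join(filter(None, (m.groupdict().get("hive"), m["key"])))
            f = triage_entry(source, m["name"], m["cmd"])
            findings += [f] if f.reasons else []
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.source}] {f.name}: " + "; ".join(f.reasons))
```

Run it as-is to see which of the constructed sample lines trip a heuristic; to use it on a real log, pass the log text to triage_log and read each reason as a prompt to look the file up, not as proof of infection.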
     
  2. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, bueno :)

    Welcome to TSG.

    Look in your control panel add/remove programs for the following:

    Oin
    outerinfo
    Yazzle by Oin
    Purityscan by Oin
    Snowballwars by Oin
    or anything similar with Oin or Outerinfo in it.
    Zolero
    Tizzletalk
    MediaTickets
    Cowabanga

    Click on it and click remove.

    Download and run the Purityscan uninstaller from Here

    Download ComboFix from Here or Here to your Desktop.

    Note: In the event you already have Combofix, this is a new version that I need you to download.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply.
    Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

    Download Superantispyware (SAS)
    1. Install it and double-click the icon on your desktop to run it.
    2. It will ask if you want to update the program definitions, click Yes.
    3. Under Configuration and Preferences, click the Preferences button.
    4. Click the Scanning Control tab.
    5. Under Scanner Options make sure the following are checked:
      • Close browsers before scanning
      • Scan for tracking cookies
      • Terminate memory threats before quarantining.
      • Please leave the others unchecked.
      • Click the Close button to leave the control center screen.
    6. On the main screen, under Scan for Harmful Software click Scan your computer.
    7. On the left check C:\Fixed Drive.
    8. On the right, under Complete Scan, choose Perform Complete Scan.
    9. Click Next to start the scan. Please be patient while it scans your computer.
    10. After the scan is complete a summary box will appear. Click OK.
    11. Make sure everything in the white box has a check next to it, then click Next.
    12. It will quarantine what it found and if it asks if you want to reboot, click Yes.
    13. To retrieve the removal information, please do the following:
      • After reboot, double-click the SUPERAntispyware icon on your desktop.
      • Click Preferences. Click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • It will open in your default text editor (such as Notepad/Wordpad).
      • Please highlight everything in the notepad, then right-click and choose copy.
    14. Click close and close again to exit the program.
    15. Please paste that information in your next reply along with a fresh HijackThis log.
     
  3. bueno

    bueno Thread Starter

    Joined:
    Apr 25, 2007
    Messages:
    29
    Hi,

    I didn't have the programs you mentioned in the Add/Remove panel. ComboFix seems to have quieted things down a bit. I will run SAS next; here's the ComboFix logfile.

    2007-07-13 17:35:04 - ComboFix 07-07-13.8 - Service Pack 2 NTFS


    (((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\afugegpy.dll
    C:\WINDOWS\system32\fhfrhygq.dll
    C:\WINDOWS\system32\gbfidemi.dll
    C:\WINDOWS\system32\nifxobnf.dll
    C:\WINDOWS\system32\riktlcbd.exe
    C:\WINDOWS\system32\vjcladdn.exe
    C:\WINDOWS\system32\qgyhrfhf.ini
    C:\WINDOWS\system32\imedifbg.ini
    C:\WINDOWS\system32\fnboxfin.ini
    C:\WINDOWS\system32\ccbeg.bak1
    C:\WINDOWS\system32\ccbeg.ini
    C:\WINDOWS\system32\jlkkj.bak1
    C:\WINDOWS\system32\jlkkj.tmp
    C:\WINDOWS\system32\lnnmp.bak1
    C:\WINDOWS\system32\lnnmp.ini
    C:\WINDOWS\system32\oqstv.bak1
    C:\WINDOWS\system32\oqstv.ini
    C:\WINDOWS\system32\qstwa.bak1
    C:\WINDOWS\system32\qstwa.ini
    C:\WINDOWS\system32\tttss.bak1
    C:\WINDOWS\system32\tttss.ini
    C:\WINDOWS\system32\uvvwa.bak1
    C:\WINDOWS\system32\uvvwa.ini


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\bold.log
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
    C:\DOCUME~1\CHRIST~1\APPLIC~1.\.rdr.ini
    C:\DOCUME~1\CHRIST~1\APPLIC~1.\winantispyware 2007
    C:\DOCUME~1\CHRIST~1\APPLIC~1.\winantispyware 2007\Logs\update.log
    C:\Documents and Settings\CHRIST~1.\err.log
    C:\Program Files\Common Files\winantispyware 2007
    C:\Program Files\Common Files\winantispyware 2007\err.log
    C:\Program Files\Common Files\winantispyware 2007\uwas7cw.exe
    C:\Program Files\Common Files\winantispyware 2007\WAS7Mon.exe
    C:\Program Files\poolsv
    C:\Program Files\svhost
    C:\temp\0b9
    C:\temp\0b9\tmpTF.log
    C:\temp\iee
    C:\temp\iee\tmpZTF.log
    C:\temp\tn3
    C:\WINDOWS\crosof~1.net
    C:\WINDOWS\cs_cache.ini
    C:\WINDOWS\notedad.exe
    C:\WINDOWS\poolsv.exe
    C:\WINDOWS\retadpu2000219.exe
    C:\WINDOWS\system32\8_exception.nls
    C:\WINDOWS\system32\atwsettl
    C:\WINDOWS\system32\atwsettl\bg1.gif
    C:\WINDOWS\system32\atwsettl\bgtop.gif
    C:\WINDOWS\system32\atwsettl\bottom1.gif
    C:\WINDOWS\system32\atwsettl\essentials.gif
    C:\WINDOWS\system32\atwsettl\icon1.ico
    C:\WINDOWS\system32\atwsettl\install1.gif
    C:\WINDOWS\system32\atwsettl\left1.gif
    C:\WINDOWS\system32\atwsettl\li.gif
    C:\WINDOWS\system32\atwsettl\logo.gif
    C:\WINDOWS\system32\atwsettl\main.htm
    C:\WINDOWS\system32\atwsettl\mainframe.htm
    C:\WINDOWS\system32\atwsettl\reinstall1.gif
    C:\WINDOWS\system32\atwsettl\right1.gif
    C:\WINDOWS\system32\atwsettl\s1.htm
    C:\WINDOWS\system32\atwsettl\s2.htm
    C:\WINDOWS\system32\atwsettl\s3.htm
    C:\WINDOWS\system32\atwsettl\SMTop1.gif
    C:\WINDOWS\system32\atwsettl\SMTop2.gif
    C:\WINDOWS\system32\atwsettl\SMTop3.gif
    C:\WINDOWS\system32\atwsettl\SMTop4.gif
    C:\WINDOWS\system32\atwsettl\soft1_off.gif
    C:\WINDOWS\system32\atwsettl\soft1_off_ext.gif
    C:\WINDOWS\system32\atwsettl\soft1_on.gif
    C:\WINDOWS\system32\atwsettl\soft1_on_ext.gif
    C:\WINDOWS\system32\atwsettl\soft2_off.gif
    C:\WINDOWS\system32\atwsettl\soft2_off_ext.gif
    C:\WINDOWS\system32\atwsettl\soft2_on.gif
    C:\WINDOWS\system32\atwsettl\soft2_on_ext.gif
    C:\WINDOWS\system32\atwsettl\soft3_off.gif
    C:\WINDOWS\system32\atwsettl\soft3_off_ext.gif
    C:\WINDOWS\system32\atwsettl\soft3_on.gif
    C:\WINDOWS\system32\atwsettl\soft3_on_ext.gif
    C:\WINDOWS\system32\atwsettl\softbottom_off.gif
    C:\WINDOWS\system32\atwsettl\softbottom_on.gif
    C:\WINDOWS\system32\atwsettl\softleft_off.gif
    C:\WINDOWS\system32\atwsettl\softleft_on.gif
    C:\WINDOWS\system32\atwsettl\top1.gif
    C:\WINDOWS\system32\atwsettl\top2.gif
    C:\WINDOWS\system32\atwsettl\turnoff1.gif
    C:\WINDOWS\system32\atwsettl\turnon1.gif
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\explorer.exe
    C:\WINDOWS\system32\iexplorer.dll .dbt
    C:\WINDOWS\system32\mp43.exe
    C:\WINDOWS\system32\o02PrEz
    C:\WINDOWS\system32\o05PrEz
    C:\WINDOWS\system32\S2
    C:\WINDOWS\system32\S2\mwspasrt83122.exe
    C:\WINDOWS\system32\S4
    C:\WINDOWS\system32\S6
    C:\WINDOWS\system32\S7
    C:\WINDOWS\system32\scchk32.exe.bak
    C:\WINDOWS\system32\win
    C:\WINDOWS\win320743616857332007.exe
    C:\WINDOWS\win320961685733432007.exe
    C:\WINDOWS\wr.txt
    C:\WINDOWS\xmlhelper.dll
    C:\WINDOWS\xmlhelper2.dll


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_CORE
    -------\LEGACY_DOMAINSERVICE
    -------\LEGACY_RUNTIME
    -------\runtime


    ((((((((((((((((((((((((( Files Created from 2007-06-14 to 2007-07-14 )))))))))))))))))))))))))))))))


    2007-07-13 12:47 66,624 --a------ C:\WINDOWS\system32\pgksremn.dll
    2007-07-13 12:47 66,112 --a------ C:\WINDOWS\system32\yhigsvvk.exe
    2007-07-12 15:47 66,624 --a------ C:\WINDOWS\system32\xkojixbq.dll
    2007-07-12 15:44 66,112 --a------ C:\WINDOWS\system32\tfpfjaiv.exe
    2007-07-11 15:55 66,624 --a------ C:\WINDOWS\system32\dsrnaxso.dll
    2007-07-11 15:52 66,112 --a------ C:\WINDOWS\system32\jwckwpjh.exe
    2007-07-10 22:00 7,168 --a------ C:\WINDOWS\avgexg.exe
    2007-07-02 07:29 126,976 --a------ C:\WINDOWS\xhelper.dll
    2007-07-01 23:17 <DIR> d-------- C:\DOCUME~1\CHRIST~1\APPLIC~1\Viewpoint
    2007-06-29 08:50 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
    2007-06-21 22:43 <DIR> d-------- C:\VundoFix Backups
    2007-06-21 17:10 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SUPERAntiSpyware.com
    2007-06-20 08:13 <DIR> d--h----- C:\WINDOWS\PIF
    2007-06-19 22:28 65,536 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\ihqhgrsh.exe
    2007-06-19 22:27 8,464 --a------ C:\WINDOWS\system32\sporder.dll
    2007-06-19 22:26 14,390 --a------ C:\sysqxva.exe
    2007-06-19 22:26 <DIR> d-------- C:\Temp
    2007-06-18 14:00 21,056 --a------ C:\WINDOWS\system32\KWsrW8uc.exe
    2007-06-16 08:00 <DIR> d-------- C:\DOCUME~1\CHRIST~1\APPLIC~1\Sauce
    2007-06-15 11:38 192,512 --a------ C:\WINDOWS\j86759.exe


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-13 21:06:36 -------- d-----w C:\Program Files\SUPERAntiSpyware
    2007-07-13 09:12:35 -------- d-----w C:\Program Files\QuickBooks Online Backup
    2007-07-04 01:45:43 22,592 ----a-w C:\WINDOWS\system32\AOL356aj.exe
    2007-06-26 16:00:05 -------- d-----w C:\Program Files\Windows NT
    2007-06-26 08:00:07 -------- d-----w C:\Program Files\MSN Gaming Zone
    2007-06-17 08:11:58 51,200 ----a-w C:\WINDOWS\nircmd.exe
    2007-06-16 23:11:01 -------- d-----w C:\DOCUME~1\CHRIST~1\APPLIC~1\Hulabee
    2007-06-10 17:41:12 -------- d-----w C:\Program Files\HOTLLAMA Media
    2007-05-31 06:02:53 -------- d-----w C:\DOCUME~1\CHRIST~1\APPLIC~1\AdobeUM
    2007-05-24 20:02:52 -------- d-----w C:\Program Files\Siber Systems
    2007-05-22 19:21:03 -------- d-----w C:\Program Files\Intuit
    2007-05-22 18:24:32 -------- d-----w C:\DOCUME~1\CHRIST~1\APPLIC~1\Intuit
    2007-05-22 18:24:12 -------- d-----w C:\Program Files\Common Files\supportsoft
    2007-05-22 18:19:18 -------- d-----w C:\Program Files\Common Files\Intuit
    2007-05-22 18:17:33 -------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
    2007-05-22 18:13:24 -------- d-----w C:\Program Files\MSXML 4.0
    2007-05-21 21:10:43 19,520 ----a-w C:\WINDOWS\system32\LkpHpmkp.exe
    2007-05-21 20:19:31 -------- d-----w C:\DOCUME~1\CHRIST~1\APPLIC~1\SUPERAntiSpyware.com
    2007-05-21 20:17:44 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-05-19 07:41:06 -------- d-----w C:\Program Files\Spyware Doctor
    2007-05-18 06:30:10 -------- d-----w C:\DOCUME~1\CHRIST~1\APPLIC~1\PC Tools
    2007-05-14 07:13:27 -------- d-----w C:\Program Files\Audacity
    2007-04-30 17:27:43 1,901 ----a-w C:\WINDOWS\panose.bin
    2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
    2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
    2006-02-22 05:51:36 44,840 ----a-w C:\DOCUME~1\CHRIST~1\APPLIC~1\GDIPFONTCACHEV1.DAT


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15F4D456-5BAA-4076-8486-EECB38CD3E57}]
    2005-03-03 12:36 181328 --a------ C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{512ACF1B-64D9-4928-B382-A80556F28DB4}]
    2005-03-03 12:36 197712 --a------ C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{656EC4B7-072B-4698-B504-2A414C1F0037}]
    2005-02-02 19:33 49152 -ra------ C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{724d43a9-0d85-11d4-9908-00400523e39a}]
    2007-05-24 12:02 5571640 --a------ C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9579D574-D4D8-4335-9560-FE8641A013BD}]
    2005-03-03 12:36 238672 --a------ C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    2005-08-11 19:45 1157120 -ra------ c:\program files\google\googletoolbar2.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BD995DE5-2A73-4b82-A161-327DD0ECB3A3}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E713904C-DF05-4C79-BBAD-02DB923253BE}]
    2005-03-07 14:17 95312 --a------ C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EB167C5D-74E4-4EB4-90D7-CDDC356C0BBD}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-04-13 12:49 C:\WINDOWS\AGRSMMSG.exe]
    "High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 17:45 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
    "SoundMan"="SOUNDMAN.EXE" [2004-11-02 14:53 C:\WINDOWS\SOUNDMAN.EXE]
    "AlcWzrd"="ALCWZRD.EXE" [2004-11-29 14:00 C:\WINDOWS\ALCWZRD.EXE]
    "Alcmtr"="ALCMTR.EXE" [2004-10-13 16:00 C:\WINDOWS\ALCMTR.EXE]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 07:42]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
    "iTunesHelper"="C:\Program Files\iTunes-new\iTunesHelper.exe" [2007-04-27 11:25]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
    "ihqhgrsh.exe"="C:\Documents and Settings\All Users\Application Data\ihqhgrsh.exe" [2007-06-19 22:28]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-28 07:48]
    "RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-05-24 12:02]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Source= C:\Program Files\Windows NT\rteqeprak.html
    FriendlyName=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 06:13]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll --a------ 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcc]
    C:\WINDOWS\system32\gebcc.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomjihe]
    qomjihe.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssttt]
    C:\WINDOWS\system32\ssttt.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winghy32]
    winghy32.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyywvs]
    xxyywvs.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Usnsvc usnsvc


    Contents of the 'Scheduled Tasks' folder
    2007-07-13 08:00:00 C:\WINDOWS\tasks\At25.job
    2007-07-13 09:00:00 C:\WINDOWS\tasks\At26.job
    2007-07-13 10:00:00 C:\WINDOWS\tasks\At27.job
    2007-07-13 11:00:00 C:\WINDOWS\tasks\At28.job
    2007-07-13 12:00:00 C:\WINDOWS\tasks\At29.job
    2007-07-13 13:00:00 C:\WINDOWS\tasks\At30.job
    2007-07-13 14:00:00 C:\WINDOWS\tasks\At31.job
    2007-07-13 15:00:02 C:\WINDOWS\tasks\At32.job
    2007-07-13 16:00:00 C:\WINDOWS\tasks\At33.job
    2007-07-13 17:00:00 C:\WINDOWS\tasks\At34.job
    2007-07-13 18:00:00 C:\WINDOWS\tasks\At35.job
    2007-07-13 19:00:00 C:\WINDOWS\tasks\At36.job
    2007-07-13 20:00:00 C:\WINDOWS\tasks\At37.job
    2007-07-13 21:00:00 C:\WINDOWS\tasks\At38.job
    2007-07-13 22:00:01 C:\WINDOWS\tasks\At39.job
    2007-07-13 23:00:00 C:\WINDOWS\tasks\At40.job
    2007-07-14 00:00:00 C:\WINDOWS\tasks\At41.job
    2007-07-14 01:00:00 C:\WINDOWS\tasks\At42.job
    2007-07-13 02:00:00 C:\WINDOWS\tasks\At43.job
    2007-07-13 03:00:00 C:\WINDOWS\tasks\At44.job
    2007-07-13 04:00:00 C:\WINDOWS\tasks\At45.job
    2007-07-13 05:00:00 C:\WINDOWS\tasks\At46.job
    2007-07-13 06:00:00 C:\WINDOWS\tasks\At47.job
    2007-07-13 07:00:00 C:\WINDOWS\tasks\At48.job
    2007-07-13 08:00:30 C:\WINDOWS\tasks\At49.job
    2007-07-13 09:00:30 C:\WINDOWS\tasks\At50.job
    2007-07-13 10:00:31 C:\WINDOWS\tasks\At51.job
    2007-07-13 11:00:30 C:\WINDOWS\tasks\At52.job
    2007-07-13 12:00:31 C:\WINDOWS\tasks\At53.job
    2007-07-13 13:00:30 C:\WINDOWS\tasks\At54.job
    2007-07-13 14:00:30 C:\WINDOWS\tasks\At55.job
    2007-07-13 15:00:51 C:\WINDOWS\tasks\At56.job
    2007-07-13 16:00:30 C:\WINDOWS\tasks\At57.job
    2007-07-13 17:00:31 C:\WINDOWS\tasks\At58.job
    2007-07-13 18:00:30 C:\WINDOWS\tasks\At59.job
    2007-07-13 19:00:31 C:\WINDOWS\tasks\At60.job
    2007-07-13 20:00:30 C:\WINDOWS\tasks\At61.job
    2007-07-13 21:05:48 C:\WINDOWS\tasks\At62.job
    2007-07-13 22:00:32 C:\WINDOWS\tasks\At63.job
    2007-07-13 23:00:30 C:\WINDOWS\tasks\At64.job
    2007-07-14 00:08:06 C:\WINDOWS\tasks\At65.job
    2007-07-14 01:00:30 C:\WINDOWS\tasks\At66.job
    2007-07-13 02:00:30 C:\WINDOWS\tasks\At67.job
    2007-07-13 03:00:30 C:\WINDOWS\tasks\At68.job
    2007-07-13 04:00:30 C:\WINDOWS\tasks\At69.job
    2007-07-13 05:00:30 C:\WINDOWS\tasks\At70.job
    2007-07-13 06:00:30 C:\WINDOWS\tasks\At71.job
    2007-07-13 07:00:30 C:\WINDOWS\tasks\At72.job

    **************************************************************************

    catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-13 17:41:18
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-07-13 17:42:27 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-07-13 17:42
    C:\ComboFix2.txt ... 2007-05-21 11:01

    --- E O F ---
     
  4. bueno

    bueno Thread Starter

    Joined:
    Apr 25, 2007
    Messages:
    29
    SAS still working, found a few things. Will post logfile in a few
     
  5. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, bueno :)

    Once the SAS scan is completed, please proceed as follows:
    • Copy the entire contents of the Quote Box below to Notepad.
    • Name the file as ComboFix-Do.txt
    • Change the Save as Type to All Files
    • and Save it on the desktop

    Once saved, referring to the picture above, drag ComboFix-Do.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log.
     
  6. bueno

    bueno Thread Starter

    Joined:
    Apr 25, 2007
    Messages:
    29
    It looks like I have a bunch of viruses in my System Volume Information\_Restore folder

    What should I do about that?
     
  7. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    We will take care of that at the end of the session.
     
  8. bueno

    bueno Thread Starter

    Joined:
    Apr 25, 2007
    Messages:
    29
    Here's SAS logfile

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/13/2007 at 08:03 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3269
    Trace Rules Database Version: 1280

    Scan type : Complete Scan
    Total Scan Time : 02:09:35

    Memory items scanned : 488
    Memory threats detected : 0
    Registry items scanned : 7175
    Registry threats detected : 1
    File items scanned : 105360
    File threats detected : 70

    Adware.Tracking Cookie
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][2].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][1].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][1].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][1].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][2].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][1].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][2].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][2].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][1].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][1].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][2].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][2].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][2].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][1].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][2].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][2].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][2].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][2].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][1].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][2].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][1].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][1].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][2].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][2].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][1].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][1].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][2].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][1].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][2].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][2].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][2].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][1].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected]ak[1].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][2].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][1].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][1].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][2].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][2].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][2].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][1].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][1].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][1].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][2].txt
    C:\Documents and Settings\Christopher Blunt\cookies\christopher [email protected][1].txt

    Trojan.WinBo32/Enhance
    HKU\S-1-5-21-3834157396-3947329271-1318672447-1006\Software\System\sysuid

    Adware.ClickSpring/Outer Info Network
    C:\DOCUMENTS AND SETTINGS\CHRISTOPHER BLUNT\MY DOCUMENTS\MY DOWNLOADS\OIUNINSTALLER.EXE
    C:\WINDOWS\Prefetch\OIUNINSTALLER.EXE-261DACE8.pf

    Trojan.Downloader-Gen/RetAd
    C:\QOOBOX\QUARANTINE\C\WINDOWS\RETADPU2000219.EXE.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{400587B0-8271-42FB-9D8B-7E2D9247E9C7}\RP69\A0017384.EXE

    Adware.Vundo Variant
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\AFUGEGPY.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\FHFRHYGQ.DLL.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{400587B0-8271-42FB-9D8B-7E2D9247E9C7}\RP59\A0011090.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{400587B0-8271-42FB-9D8B-7E2D9247E9C7}\RP59\A0011104.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{400587B0-8271-42FB-9D8B-7E2D9247E9C7}\RP59\A0011107.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{400587B0-8271-42FB-9D8B-7E2D9247E9C7}\RP59\A0011109.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{400587B0-8271-42FB-9D8B-7E2D9247E9C7}\RP61\A0011244.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{400587B0-8271-42FB-9D8B-7E2D9247E9C7}\RP61\A0011245.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{400587B0-8271-42FB-9D8B-7E2D9247E9C7}\RP61\A0011247.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{400587B0-8271-42FB-9D8B-7E2D9247E9C7}\RP66\A0015630.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{400587B0-8271-42FB-9D8B-7E2D9247E9C7}\RP66\A0015632.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{400587B0-8271-42FB-9D8B-7E2D9247E9C7}\RP69\A0017399.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{400587B0-8271-42FB-9D8B-7E2D9247E9C7}\RP69\A0017400.DLL
    C:\VUNDOFIX BACKUPS\GCOTIFFX.DLL.BAD
    C:\VUNDOFIX BACKUPS\PULVTIYV.DLL.BAD
    C:\VUNDOFIX BACKUPS\VWUOCTYC.DLL.BAD

    Trojan.Downloader-Gen/AllowCookie
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\RIKTLCBD.EXE.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{400587B0-8271-42FB-9D8B-7E2D9247E9C7}\RP59\A0011105.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{400587B0-8271-42FB-9D8B-7E2D9247E9C7}\RP69\A0017403.EXE

    Trojan.Downloader-UltimateFixer
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\SCCHK32.EXE.BAK.VIR

    Trojan.Downloader-Gen/TStamp
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\VJCLADDN.EXE.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{400587B0-8271-42FB-9D8B-7E2D9247E9C7}\RP69\A0017404.EXE
     
  9. bueno

    bueno Thread Starter

    Joined:
    Apr 25, 2007
    Messages:
    29
    And the new HJT log

    Logfile of HijackThis v1.99.1
    Scan saved at 9:27:23 PM, on 7/13/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes-new\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Documents and Settings\All Users\Application Data\ihqhgrsh.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
    C:\Program Files\QuickBooks Online Backup\CBSysTray.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\QuickBooks Online Backup\AgentSrv.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Christopher Blunt\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: EarthLink ScamBlocker V2 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
    O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
    O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {BD995DE5-2A73-4b82-A161-327DD0ECB3A3} - (no file)
    O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
    O2 - BHO: (no name) - {EB167C5D-74E4-4EB4-90D7-CDDC356C0BBD} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes-new\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [ihqhgrsh.exe] C:\Documents and Settings\All Users\Application Data\ihqhgrsh.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - Startup: QuickBooks Online Backup TaskBar Icon.LNK = C:\Program Files\QuickBooks Online Backup\OLSysTray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Palo Alto Software Update Manager 8.0.lnk = C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
    O4 - Global Startup: QuickBooks Online Backup TaskBar Icon.LNK = C:\Program Files\QuickBooks Online Backup\CBSysTray.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Global Startup: Shortcut to AcroTray.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Transfer by Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177481128687
    O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6485984E-7198-4290-A8A0-1746EBD126F5}: NameServer = 192.168.1.1,4.2.2.1
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: gebcc - C:\WINDOWS\system32\gebcc.dll (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: qomjihe - qomjihe.dll (file missing)
    O20 - Winlogon Notify: ssttt - C:\WINDOWS\system32\ssttt.dll (file missing)
    O20 - Winlogon Notify: winghy32 - winghy32.dll (file missing)
    O20 - Winlogon Notify: xxyywvs - xxyywvs.dll (file missing)
    O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\QuickBooks Online Backup\AgentSrv.EXE
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
    O23 - Service: VAIO Entertainment Task Scheduler - Sony Corporation - C:\Program Files\Sony\vaio entertainment\VzTaskScheduler.exe
    O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
    O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
    O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
    O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
    O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)
    O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
     
  10. bueno

    bueno Thread Starter

    Joined:
    Apr 25, 2007
    Messages:
    29
    And the ComboFix log

    "Christopher Blunt" - 2007-07-13 21:29:08 - ComboFix 07-07-13.8 - Service Pack 2 NTFS
    Command switches used :: C:\Documents and Settings\Christopher Blunt\Desktop\ComboFix-Do.txt


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\bold.log
    C:\Documents and Settings\All Users\Application Data\ihqhgrsh.exe
    C:\WINDOWS\avgexg.exe
    C:\WINDOWS\j86759.exe
    C:\WINDOWS\system32\AOL356aj.exe
    C:\WINDOWS\system32\dsrnaxso.dll
    C:\WINDOWS\system32\jwckwpjh.exe
    C:\WINDOWS\system32\KWsrW8uc.exe
    C:\WINDOWS\system32\pgksremn.dll
    C:\WINDOWS\system32\tfpfjaiv.exe
    C:\WINDOWS\system32\xkojixbq.dll
    C:\WINDOWS\system32\yhigsvvk.exe
    C:\WINDOWS\tasks\At25.job
    C:\WINDOWS\tasks\At26.job
    C:\WINDOWS\tasks\At27.job
    C:\WINDOWS\tasks\At28.job
    C:\WINDOWS\tasks\At29.job
    C:\WINDOWS\tasks\At30.job
    C:\WINDOWS\tasks\At31.job
    C:\WINDOWS\tasks\At32.job
    C:\WINDOWS\tasks\At33.job
    C:\WINDOWS\tasks\At34.job
    C:\WINDOWS\tasks\At35.job
    C:\WINDOWS\tasks\At36.job
    C:\WINDOWS\tasks\At37.job
    C:\WINDOWS\tasks\At38.job
    C:\WINDOWS\tasks\At39.job
    C:\WINDOWS\tasks\At40.job
    C:\WINDOWS\tasks\At41.job
    C:\WINDOWS\tasks\At42.job
    C:\WINDOWS\tasks\At43.job
    C:\WINDOWS\tasks\At44.job
    C:\WINDOWS\tasks\At45.job
    C:\WINDOWS\tasks\At46.job
    C:\WINDOWS\tasks\At47.job
    C:\WINDOWS\tasks\At48.job
    C:\WINDOWS\tasks\At49.job
    C:\WINDOWS\tasks\At50.job
    C:\WINDOWS\tasks\At51.job
    C:\WINDOWS\tasks\At52.job
    C:\WINDOWS\tasks\At53.job
    C:\WINDOWS\tasks\At54.job
    C:\WINDOWS\tasks\At55.job
    C:\WINDOWS\tasks\At56.job
    C:\WINDOWS\tasks\At57.job
    C:\WINDOWS\tasks\At58.job
    C:\WINDOWS\tasks\At59.job
    C:\WINDOWS\tasks\At60.job
    C:\WINDOWS\tasks\At61.job
    C:\WINDOWS\tasks\At62.job
    C:\WINDOWS\tasks\At63.job
    C:\WINDOWS\tasks\At64.job
    C:\WINDOWS\tasks\At65.job
    C:\WINDOWS\tasks\At66.job
    C:\WINDOWS\tasks\At67.job
    C:\WINDOWS\tasks\At68.job
    C:\WINDOWS\tasks\At69.job
    C:\WINDOWS\tasks\At70.job
    C:\WINDOWS\tasks\At71.job
    C:\WINDOWS\tasks\At72.job
    C:\WINDOWS\xhelper.dll


    ((((((((((((((((((((((((( Files Created from 2007-06-14 to 2007-07-14 )))))))))))))))))))))))))))))))


    2007-07-01 23:17 <DIR> d-------- C:\DOCUME~1\CHRIST~1\APPLIC~1\Viewpoint
    2007-06-29 08:50 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
    2007-06-21 22:43 <DIR> d-------- C:\VundoFix Backups
    2007-06-21 17:10 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SUPERAntiSpyware.com
    2007-06-20 08:13 <DIR> d--h----- C:\WINDOWS\PIF
    2007-06-19 22:27 8,464 --a------ C:\WINDOWS\system32\sporder.dll
    2007-06-19 22:26 <DIR> d-------- C:\Temp
    2007-06-16 08:00 <DIR> d-------- C:\DOCUME~1\CHRIST~1\APPLIC~1\Sauce


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-14 05:23:06 -------- d-----w C:\Program Files\SUPERAntiSpyware
    2007-07-13 09:12:35 -------- d-----w C:\Program Files\QuickBooks Online Backup
    2007-06-26 16:00:05 -------- d-----w C:\Program Files\Windows NT
    2007-06-26 08:00:07 -------- d-----w C:\Program Files\MSN Gaming Zone
    2007-06-17 08:11:58 51,200 ----a-w C:\WINDOWS\nircmd.exe
    2007-06-16 23:11:01 -------- d-----w C:\DOCUME~1\CHRIST~1\APPLIC~1\Hulabee
    2007-06-10 17:41:12 -------- d-----w C:\Program Files\HOTLLAMA Media
    2007-05-31 06:02:53 -------- d-----w C:\DOCUME~1\CHRIST~1\APPLIC~1\AdobeUM
    2007-05-24 20:02:52 -------- d-----w C:\Program Files\Siber Systems
    2007-05-22 19:21:03 -------- d-----w C:\Program Files\Intuit
    2007-05-22 18:24:32 -------- d-----w C:\DOCUME~1\CHRIST~1\APPLIC~1\Intuit
    2007-05-22 18:24:12 -------- d-----w C:\Program Files\Common Files\supportsoft
    2007-05-22 18:19:18 -------- d-----w C:\Program Files\Common Files\Intuit
    2007-05-22 18:17:33 -------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
    2007-05-22 18:13:24 -------- d-----w C:\Program Files\MSXML 4.0
    2007-05-21 21:10:43 19,520 ----a-w C:\WINDOWS\system32\LkpHpmkp.exe
    2007-05-21 20:19:31 -------- d-----w C:\DOCUME~1\CHRIST~1\APPLIC~1\SUPERAntiSpyware.com
    2007-05-21 20:17:44 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-05-19 07:41:06 -------- d-----w C:\Program Files\Spyware Doctor
    2007-05-18 06:30:10 -------- d-----w C:\DOCUME~1\CHRIST~1\APPLIC~1\PC Tools
    2007-05-14 07:13:27 -------- d-----w C:\Program Files\Audacity
    2007-04-30 17:27:43 1,901 ----a-w C:\WINDOWS\panose.bin
    2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
    2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
    2006-02-22 05:51:36 44,840 ----a-w C:\DOCUME~1\CHRIST~1\APPLIC~1\GDIPFONTCACHEV1.DAT


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15F4D456-5BAA-4076-8486-EECB38CD3E57}]
    2005-03-03 12:36 181328 --a------ C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{512ACF1B-64D9-4928-B382-A80556F28DB4}]
    2005-03-03 12:36 197712 --a------ C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{656EC4B7-072B-4698-B504-2A414C1F0037}]
    2005-02-02 19:33 49152 -ra------ C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{724d43a9-0d85-11d4-9908-00400523e39a}]
    2007-05-24 12:02 5571640 --a------ C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9579D574-D4D8-4335-9560-FE8641A013BD}]
    2005-03-03 12:36 238672 --a------ C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    2005-08-11 19:45 1157120 -ra------ c:\program files\google\googletoolbar2.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BD995DE5-2A73-4b82-A161-327DD0ECB3A3}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E713904C-DF05-4C79-BBAD-02DB923253BE}]
    2005-03-07 14:17 95312 --a------ C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EB167C5D-74E4-4EB4-90D7-CDDC356C0BBD}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-04-13 12:49 C:\WINDOWS\AGRSMMSG.exe]
    "High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 17:45 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
    "SoundMan"="SOUNDMAN.EXE" [2004-11-02 14:53 C:\WINDOWS\SOUNDMAN.EXE]
    "AlcWzrd"="ALCWZRD.EXE" [2004-11-29 14:00 C:\WINDOWS\ALCWZRD.EXE]
    "Alcmtr"="ALCMTR.EXE" [2004-10-13 16:00 C:\WINDOWS\ALCMTR.EXE]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 07:42]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
    "iTunesHelper"="C:\Program Files\iTunes-new\iTunesHelper.exe" [2007-04-27 11:25]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-28 07:48]
    "RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-05-24 12:02]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Source= C:\Program Files\Windows NT\rteqeprak.html
    FriendlyName=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 06:13]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll --a------ 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Usnsvc usnsvc


    **************************************************************************

    catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-13 21:36:53
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-07-13 21:37:16
    C:\ComboFix-quarantined-files.txt ... 2007-07-13 21:37
    C:\ComboFix2.txt ... 2007-07-13 17:42
    C:\ComboFix3.txt ... 2007-05-21 11:01

    --- E O F ---
     
  11. bueno

    bueno Thread Starter

    Joined:
    Apr 25, 2007
    Messages:
    29
    And a post-ComboFix logfile for HJT:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:41:05 PM, on 7/13/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\iTunes-new\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
    C:\Program Files\QuickBooks Online Backup\CBSysTray.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\QuickBooks Online Backup\AgentSrv.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Christopher Blunt\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: EarthLink ScamBlocker V2 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
    O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
    O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {BD995DE5-2A73-4b82-A161-327DD0ECB3A3} - (no file)
    O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
    O2 - BHO: (no name) - {EB167C5D-74E4-4EB4-90D7-CDDC356C0BBD} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes-new\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - Startup: QuickBooks Online Backup TaskBar Icon.LNK = C:\Program Files\QuickBooks Online Backup\OLSysTray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Palo Alto Software Update Manager 8.0.lnk = C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
    O4 - Global Startup: QuickBooks Online Backup TaskBar Icon.LNK = C:\Program Files\QuickBooks Online Backup\CBSysTray.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Global Startup: Shortcut to AcroTray.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Transfer by Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177481128687
    O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6485984E-7198-4290-A8A0-1746EBD126F5}: NameServer = 192.168.1.1,4.2.2.1
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\QuickBooks Online Backup\AgentSrv.EXE
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
    O23 - Service: VAIO Entertainment Task Scheduler - Sony Corporation - C:\Program Files\Sony\vaio entertainment\VzTaskScheduler.exe
    O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
    O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
    O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
    O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
    O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)
    O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
     
  12. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, bueno :)

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    O2 - BHO: (no name) - {BD995DE5-2A73-4b82-A161-327DD0ECB3A3} - (no file)
    O2 - BHO: (no name) - {EB167C5D-74E4-4EB4-90D7-CDDC356C0BBD} - (no file)

    Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

    Close Hijackthis.

    The rest looks clear. How is it doing?
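
    The two O2 entries singled out above are the classic orphaned-BHO pattern: a CLSID still registered under Browser Helper Objects but pointing at no file. As an added example (not HijackThis code and not a tool anyone in this thread used), the Python below triages a HijackThis 1.99.1 log in the format posted above. It flags O2/O3 entries whose path is `(no file)`, and it treats O23 `(file missing)` flags with suspicion: the O23 lines in the post print the ImagePath with a trailing quote and its `/service` switch, even though ashMaiSv.exe and ashWebSv.exe appear in the running-process list, so the script cross-checks the two before calling a binary missing. The embedded sample log is a constructed excerpt of the posted one plus one made-up `Example Gone Service` line to exercise the genuinely-missing branch; all function and verdict names are the example's own.

```python
"""Triage a HijackThis 1.99.1 log for orphaned BHOs and mis-flagged services.

Added example for this thread, not HijackThis code. Verdicts per entry:
  orphaned        O2/O3 CLSID whose path is '(no file)'          -> safe to fix
  false_positive  O23 flagged '(file missing)' but binary is running
  verify          O23 flagged '(file missing)', path had a quote/switch appended
  missing         O23 flagged '(file missing)' with a clean path
  ok              everything else
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed excerpt of the log posted above (real logs are far longer).
# The last O23 line is made up to exercise the 'missing' branch.
SAMPLE_LOG = r"""
Running processes:
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BD995DE5-2A73-4b82-A161-327DD0ECB3A3} - (no file)
O2 - BHO: (no name) - {EB167C5D-74E4-4EB4-90D7-CDDC356C0BBD} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Example Gone Service - Unknown owner - C:\Program Files\Gone\gone.exe (file missing)
"""

BHO_RE = re.compile(
    r"^(?P<sec>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$"
)
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# First binary in an ImagePath; anything after it is a stray quote and/or switches.
EXE_RE = re.compile(r"^(?P<exe>.*?\.(?:exe|dll|sys))", re.IGNORECASE)
MISSING = "(file missing)"


@dataclass
class Finding:
    section: str
    name: str
    clsid: Optional[str]
    path: str
    verdict: str


def running_processes(log: str) -> Set[str]:
    """Lower-cased basenames under 'Running processes:'; the block ends at a blank line."""
    names: Set[str] = set()
    in_block = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_block = True
        elif in_block and not line:
            in_block = False
        elif in_block:
            names.add(ntpath.basename(line).lower())
    return names


def split_service_path(raw: str) -> Tuple[str, bool, bool]:
    """Return (binary, flagged_missing, had_trailing_junk) for an O23 path field."""
    flagged = raw.endswith(MISSING)
    body = raw[: -len(MISSING)].rstrip() if flagged else raw.rstrip()
    m = EXE_RE.match(body)
    binary = m.group("exe") if m else body
    return binary, flagged, binary != body


def triage(log: str) -> List[Finding]:
    """Classify every O2/O3/O23 entry in the log."""
    procs = running_processes(log)
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            verdict = "orphaned" if m.group("path") == "(no file)" else "ok"
            findings.append(Finding(m.group("sec"), m.group("name"), m.group("clsid"), m.group("path"), verdict))
            continue
        m = SVC_RE.match(line)
        if m:
            binary, flagged, junk = split_service_path(m.group("path"))
            if not flagged:
                verdict = "ok"
            elif ntpath.basename(binary).lower() in procs:
                verdict = "false_positive"  # it is running, so it exists
            elif junk:
                verdict = "verify"          # HJT mis-split the ImagePath; look on disk
            else:
                verdict = "missing"
            findings.append(Finding("O23", m.group("name"), None, binary, verdict))
    return findings


def fix_list(findings: List[Finding]) -> List[str]:
    """CLSIDs to tick under 'Fix checked': only orphaned O2/O3 entries."""
    return [f.clsid for f in findings if f.verdict == "orphaned" and f.clsid]


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.verdict:<15}{f.section:<5}{f.name}")
    print("Tick in HJT:", fix_list(results))
```

    Run as a script it prints one verdict per entry and the two CLSIDs to tick, matching the fix list given in the post. Anything that comes back `verify` or `missing` should be confirmed against the file system before the service entry is touched; an O23 line is the Services registry key, not just a browser add-on.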
     
  13. bueno

    bueno Thread Starter

    Joined:
    Apr 25, 2007
    Messages:
    29
    Everything is working great, thank you.
     
  14. bueno

    bueno Thread Starter

    Joined:
    Apr 25, 2007
    Messages:
    29
    Oh, should I do a system restore now?
     
  15. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, bueno. :)

    Congratulations.

    Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

    Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

    To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

    (Windows XP)

    1. Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    2. Reboot.

    3. Turn ON System Restore.

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK.

    Create a Restore point:
    1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
    2. In the System Restore dialog box, click Create a restore point, and then click Next.
    3. Type a description for your restore point, such as "After Cleanup", then click Create.

    The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
    1. Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
    2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
    3. SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
    4. IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
    5. CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
    6. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
    7. Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
    8. Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
    To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

    Click Here for some advice from our security experts.

    Best wishes!
     
Short URL to this thread: https://techguy.org/595380