Solve : Laptop still running slowly - rootkit??

1.	Solve : Laptop still running slowly - rootkit??
Answer» Hey, I realised I had a problem when I attempted to start Windows Vista, but I couldn't get past the 'welcome' screen. The screen hadn't frozen (the loading circle was still spinning) but after waiting for some time it wouldn't start. I ran in safe mode, ran avast and showed I had a rootkit win32:Alureon-CY in my operating memory, so I ran a boot time scan. It supposedly got rid of it, but since my laptop has still been running a lot slower, so I followed your guidelines (which were by far the most useful I could find online - thanks!) and have the copies of the three logs below. Please advise, I'd be extremely grateful for any help! SUPERAntiSpyware Scan Log http://www.superantispyware.com Generated 09/18/2009 at 12:35 PM Application Version : 4.28.1010 Core Rules Database Version : 4107 Trace Rules Database Version: 2047 Scan type : Custom Scan Total Scan Time : 17:45:25 Memory items scanned : 965 Memory threats detected : 0 Registry items scanned : 6865 Registry threats detected : 10 File items scanned : 2210718 File threats detected : 2 Trojan.Agent/Gen-Downloader[Packed] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C3D409DF-0316-4FC0-89E2-DBDD885232A0} HKCR\CLSID\{C3D409DF-0316-4FC0-89E2-DBDD885232A0} HKCR\CLSID\{C3D409DF-0316-4FC0-89E2-DBDD885232A0} HKCR\CLSID\{C3D409DF-0316-4FC0-89E2-DBDD885232A0}\InprocServer32 HKCR\CLSID\{C3D409DF-0316-4FC0-89E2-DBDD885232A0}\InprocServer32#ThreadingModel HKCR\CLSID\{C3D409DF-0316-4FC0-89E2-DBDD885232A0}\ProgID HKCR\CLSID\{C3D409DF-0316-4FC0-89E2-DBDD885232A0}\TypeLib HKCR\glok HKCR\TypeLib\{1ABA6D39-508C-483C-8466-9A9E69BC708F} C:\WINDOWS\SYSTEM32\YXHL0.DLL HKU\S-1-5-21-3356350433-2492298019-641508283-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3D409DF-0316-4FC0-89E2-DBDD885232A0} YXHL0.DLL -------------------- Malwarebytes' Anti-Malware 1.41 Database version: 2819 Windows 6.0.6001 Service Pack 1 18/09/2009 12:58:07 mbam-log-2009-09-18 (12-58-07).txt Scan type: Quick Scan Objects scanned: 84657 Time elapsed: 2 minute(s), 52 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 1 Registry Values Infected: 6 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 5 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CLASSES_ROOT\kt_bho.KettleBho (Trojan.BHO) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\MSN\BN (Trojan.Ambler) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D1 (Trojan.Ambler) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D2 (Trojan.Ambler) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D3 (Trojan.Ambler) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\MSN\gd (Trojan.Ambler) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\MSN\pr (Trojan.Ambler) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\Windows\System32\gasfkybxoqqocc.dll (Rootkit.TDSS) -> Quarantined and deleted successfully. C:\Windows\System32\gasfkyvphklrci.dll (Rootkit.TDSS) -> Quarantined and deleted successfully. C:\Windows\System32\drivers\gasfkyxxwuqpig.sys (Rootkit.TDSS) -> Quarantined and deleted successfully. C:\Windows\System32\gasfkytevcynvs.dat (Rootkit.TDSS) -> Quarantined and deleted successfully. C:\Windows\System32\gasfkyuijvmetw.dat (Rootkit.TDSS) -> Quarantined and deleted successfully. --------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 13:13:53, on 18/09/2009 Platform: Windows Vista SP1 (WinNT 6.00.1905) MSIE: Internet Explorer v7.00 (7.00.6001.18294) Boot mode: Normal Running processes: C:\Windows\system32\taskeng.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Program Files\Sony\VAIO Power Management\SPMgr.exe C:\Windows\system32\taskeng.exe C:\Program Files\Sony\VAIO Update 4\VAIOUpdt.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Apoint\Apoint.exe C:\Program Files\Sony\ISB Utility\ISBMgr.exe C:\Program Files\Sony\Marketing Tools\MarketingTools.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Alwil Software\Avast4\ashDisp.exe C:\Program Files\Sony\Network Utility\LANUtil.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\Program Files\Apoint\ApMsgFwd.exe C:\Program Files\Apoint\Apvfb.exe C:\Program Files\Apoint\Apntex.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe C:\Program Files\Sony\VAIO Reminder\VAIOReminder.exe C:\Program Files\Internet Explorer\ieuser.exe C:\Windows\system32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe C:\Windows\system32\SearchFilterHost.exe C:\Program Files\Trend Micro\HijackThis\Sniper.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = .local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O1 - Hosts: ::1 localhost O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) O2 - BHO: Partner BHO Class - {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\partner.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [ISBMgr.exe] "C:\Program Files\Sony\ISB Utility\ISBMgr.exe" O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun O4 - HKLM\..\Run: [MarketingTools] C:\Program Files\Sony\Marketing Tools\MarketingTools.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [NSUFloatingUI] "C:\Program Files\Sony\Network Utility\LANUtil.exe" O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE') O4 - Global Startup: Bluetooth.lnk = ? O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O13 - Gopher Prefix: O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe O23 - Service: NSUService - Sony Corporation - C:\Program Files\Sony\Network Utility\NSUService.exe O23 - Service: Partner Service - Google Inc. - C:\ProgramData\Partner\partner.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe O23 - Service: Realtek Audio Service (RtkAudioService) - Realtek Semiconductor - C:\Program Files\Realtek\Audio\HDA\RtkAudioService.exe O23 - Service: VAIO Media plus Content Importer (SOHCImp) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\SOHLib\SOHCImp.exe O23 - Service: VAIO Media plus Database Manager (SOHDBSvr) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\SOHLib\SOHDBSvr.exe O23 - Service: VAIO Media plus Digital Media Server (SOHDms) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\SOHLib\SOHDms.exe O23 - Service: VAIO Media plus Device Searcher (SOHDs) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\SOHLib\SOHDs.exe O23 - Service: VAIO Media plus Playlist Manager (SOHPlMgr) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\SOHLib\SOHPlMgr.exe O23 - Service: TWAP - Unknown owner - C:\Users\Andrew\AppData\Local\Temp\TWAP.exe (file missing) O23 - Service: CamMonitor (uCamMonitor) - ArcSoft, Inc. - C:\Program Files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe O23 - Service: VAIO ENTERTAINMENT TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzHardwareResourceManager\VzHardwareResourceManager\VzHardwareResourceManager.exe O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe O23 - Service: VAIO Power Management - Sony Corporation - C:\Program Files\Sony\VAIO Power Management\SPMService.exe O23 - Service: VAIO Content Folder Watcher (VCFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe O23 - Service: VAIO Content Metadata Intelligent Analyzing Manager (VcmIAlzMgr) - Sony Corporation - C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe O23 - Service: VAIO Content Metadata XML Interface (VcmXmlIfHelper) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe O23 - Service: WPLJQNI - Unknown owner - C:\Users\Andrew\AppData\Local\Temp\WPLJQNI.exe (file missing) -- End of file - 10599 bytes You've got a fun one... First, do the following... Click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices. Scroll down to “Non-plug and Play Drivers” and click the plus icon to open those drivers. Then search for TDSSserv.sys* Let me know if you find this or not. If you do find it, right click on it, and select “Disable”. Do not try to uninstall it. Also if this is found and you disable it, then reboot and see if you can run the other scans that would not run. Then follow these steps... Please print these instructions as they will be needed later when Internet access is not available. Download SDFix by AndyManchesta and save it to your desktop. http://rapidshare.com/files/156236231/SDFix.exe.html When using this tool, you must use the Administrator's account or an account with Administrative rights Double-click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix). DO NOT use it just yet. Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". Open the SDFix folder and double-click RunThis.bat to start the script. Type Y to begin the cleanup process. It will remove any Trojan Services or Registry Entries found then prompt you to press any key to reboot. Press any Key and it will restart the PC. When the PC restarts, the Fixtool will run again and complete the removal process then display Finished. Press any key to end the script and load your desktop icons. Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt. Copy and paste the contents of the results file Report.txt in your next reply. Thanks for looking at the logs and advising - it's appreciated. I tried the first step and searched for TDSSserv.sys but it didn't appear. I the started with the second steps, but when I try to run SDFix.exe in safe mode it just flashes open then closes again. I had a look at the readme, and it suggests that SDFix only works with Windows 2000/XP, but I'm running Vista. Could catchme work instead? Right, I don't use SDFix as often lately, so it slipped my mind that it doesn't work for Vista. Sorry about that. I was holding off on using ComboFix (which includes Catchme), but because you've already put such a large dent in TDSServ, there shouldn't be any conflict. Before following my steps, you may need to disable UAC. If you don't know how to do this, read STEP 2 on this page: http://forums.majorgeeks.com/showthread.php?t=139681 Then download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop. http://download.bleepingcomputer.com/sUBs/ComboFix.exe http://subs.geekstogo.com/ComboFix.exe Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix. Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them. Double-click combofix.exe and follow the prompts. When finished, ComboFix will produce a log for you. Post the ComboFix log and a new HijackThis log in your next reply. NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall. Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.OK followed all the steps. Here we go, hopefully we're making some PROGRESS! Combofix log: ComboFix 09-09-18.02 - Andrew 20/09/2009 14:52.1.2 - NTFSx86 Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.3038.1809 [GMT 1:00] Running from: c:\users\Andrew\Desktop\ComboFix.exe FW: Outpost Firewall enabled {8A20CA2A-9E02-4A64-923B-0A38208EB7FD} SP: SUPERAntiSpyware disabled (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7} SP: Windows Defender enabled (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\$recycle.bin\S-1-5-21-3982674394-68895260-2756340350-500 c:\$recycle.bin\S-1-5-21-769387424-2473901706-93561034-500 . ((((((((((((((((((((((((( Files Created from 2009-08-20 to 2009-09-20 ))))))))))))))))))))))))))))))) . 2009-09-20 14:02 . 2009-09-20 14:03 -------- d-----w- c:\users\Andrew\AppData\Local\temp 2009-09-20 14:02 . 2009-09-20 14:02 -------- d-----w- c:\users\Default\AppData\Local\temp 2009-09-20 10:00 . 2008-10-16 11:17 -------- d-----w- C:\SDFix 2009-09-19 11:28 . 2009-09-19 11:28 -------- d-----w- C:\Sandbox 2009-09-19 11:25 . 2009-09-19 11:25 -------- d-----w- c:\program files\Sandboxie 2009-09-19 11:21 . 2006-11-30 21:24 86016 ----a-w- c:\windows\system32\custmon32.dll 2009-09-19 11:21 . 2009-09-19 11:21 -------- dc-h--w- c:\programdata\{2A28C3FB-FC79-4677-A128-0D87F28F7084} 2009-09-19 11:21 . 2009-09-19 11:21 -------- d-----w- c:\program files\Capsoft 2009-09-19 11:21 . 2009-09-19 11:21 -------- d-----w- c:\program files\PDF Creator 2009-09-19 00:28 . 2009-04-06 10:37 704384 ----a-w- c:\windows\system32\drivers\SandBox.sys 2009-09-19 00:27 . 2009-02-10 15:12 307224 ----a-w- c:\windows\system32\drivers\afwcore.sys 2009-09-19 00:25 . 2009-02-18 16:27 29208 ----a-w- c:\windows\system32\drivers\afw.sys 2009-09-19 00:25 . 2009-09-19 00:25 -------- d-----w- c:\program files\Agnitum 2009-09-19 00:24 . 2009-09-19 00:24 -------- d-----w- c:\programdata\Agnitum 2009-09-18 13:13 . 2009-09-20 13:42 -------- d-----w- c:\users\Andrew\Tracing 2009-09-18 12:10 . 2009-09-18 12:10 -------- d-----w- c:\program files\Trend Micro 2009-09-18 11:52 . 2009-09-18 11:52 -------- d-----w- c:\users\Andrew\AppData\Roaming\Malwarebytes 2009-09-18 11:52 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-09-18 11:52 . 2009-09-18 11:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-09-18 11:52 . 2009-09-18 11:52 -------- d-----w- c:\programdata\Malwarebytes 2009-09-18 11:52 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-09-17 17:37 . 2009-09-17 17:37 -------- d-----w- c:\programdata\SUPERAntiSpyware.com 2009-09-17 17:37 . 2009-09-18 11:42 -------- d-----w- c:\program files\SUPERAntiSpyware 2009-09-17 17:37 . 2009-09-17 17:37 -------- d-----w- c:\users\Andrew\AppData\Roaming\SUPERAntiSpyware.com 2009-09-17 17:36 . 2009-09-17 17:36 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard 2009-09-17 16:15 . 2009-09-17 16:15 -------- d-----w- c:\program files\CCleaner 2009-09-17 15:24 . 2009-09-17 15:24 -------- d-----w- c:\users\Andrew\Pavark 2009-09-17 15:15 . 2009-09-17 15:15 -------- d-----w- c:\users\Andrew\AppData\Roaming\AVG8 2009-09-15 23:41 . 2009-09-15 23:41 -------- d-----w- c:\programdata\ArcSoft 2009-09-15 23:40 . 2009-09-15 23:41 -------- d-----w- c:\users\Andrew\AppData\Roaming\ArcSoft 2009-09-15 19:34 . 2009-09-15 19:37 -------- d-----w- c:\users\Andrew\AppData\Local\Adobe 2009-09-15 14:04 . 2009-09-15 14:04 -------- d-----w- c:\program files\YouTube Downloader 2009-09-15 13:04 . 2009-09-20 12:33 -------- d-----w- c:\users\Andrew\AppData\Roaming\skypePM 2009-09-15 13:04 . 2009-08-17 16:04 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys 2009-09-15 13:04 . 2009-08-17 16:04 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys 2009-09-15 13:04 . 2009-08-17 16:02 97480 ----a-w- c:\windows\system32\AvastSS.scr 2009-09-15 13:04 . 2009-08-17 16:05 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys 2009-09-15 13:04 . 2009-08-17 16:05 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys 2009-09-15 13:03 . 2009-08-17 16:10 1279456 ----a-w- c:\windows\system32\aswBoot.exe 2009-09-15 13:03 . 2009-08-17 16:05 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys 2009-09-15 13:03 . 2009-09-15 13:03 -------- d-----w- c:\program files\Alwil Software 2009-09-15 13:03 . 2009-06-22 10:22 2048 ----a-w- c:\windows\system32\tzres.dll 2009-09-15 13:02 . 2009-09-20 13:40 -------- d-----w- c:\users\Andrew\AppData\Roaming\Skype 2009-09-15 13:02 . 2009-09-15 13:02 -------- d-----w- c:\program files\Common Files\Skype 2009-09-15 13:02 . 2009-09-15 13:02 -------- d-----r- c:\program files\Skype 2009-09-15 12:59 . 2009-09-15 12:59 -------- d-----w- C:\VAIO Entertainment 2009-09-15 10:36 . 2009-09-15 10:36 -------- d-----w- c:\programdata\Azureus 2009-09-15 10:35 . 2008-06-20 01:14 97800 ----a-w- c:\windows\system32\infocardapi.dll 2009-09-15 10:35 . 2009-09-20 11:34 -------- d-----w- c:\users\Andrew\AppData\Roaming\Azureus 2009-09-15 10:35 . 2008-06-20 01:14 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll 2009-09-15 10:35 . 2008-06-20 01:14 622080 ----a-w- c:\windows\system32\icardagt.exe 2009-09-15 10:35 . 2008-06-20 01:14 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll 2009-09-15 10:35 . 2008-06-20 01:14 11264 ----a-w- c:\windows\system32\icardres.dll 2009-09-15 10:35 . 2008-06-20 01:14 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll 2009-09-15 10:35 . 2008-06-20 01:14 326160 ----a-w- c:\windows\system32\PresentationHost.exe 2009-09-15 10:34 . 2009-09-15 10:34 -------- d-----w- c:\program files\Vuze 2009-09-15 10:29 . 2008-07-27 18:03 96760 ----a-w- c:\windows\system32\dfshim.dll 2009-09-15 10:29 . 2008-07-27 18:03 282112 ----a-w- c:\windows\system32\mscoree.dll 2009-09-15 10:29 . 2008-07-27 18:03 41984 ----a-w- c:\windows\system32\netfxperf.dll 2009-09-15 10:28 . 2008-07-27 18:03 158720 ----a-w- c:\windows\system32\mscorier.dll 2009-09-15 10:28 . 2008-07-27 18:03 83968 ----a-w- c:\windows\system32\mscories.dll 2009-09-15 10:26 . 2009-06-15 15:24 156672 ----a-w- c:\windows\system32\t2embed.dll 2009-09-15 10:26 . 2009-06-15 15:20 72704 ----a-w- c:\windows\system32\fontsub.dll 2009-09-15 10:26 . 2009-06-15 15:20 10240 ----a-w- c:\windows\system32\dciman32.dll 2009-09-15 10:26 . 2009-06-15 12:52 289792 ----a-w- c:\windows\system32\atmfd.dll 2009-09-15 10:26 . 2009-04-23 12:42 636928 ----a-w- c:\windows\system32\localspl.dll 2009-09-15 10:26 . 2008-10-22 03:57 241152 ----a-w- c:\windows\system32\PortableDeviceApi.dll 2009-09-15 10:26 . 2009-04-23 12:43 784896 ----a-w- c:\windows\system32\rpcrt4.dll 2009-09-15 10:22 . 2009-04-30 12:37 428544 ----a-w- c:\windows\system32\EncDec.dll 2009-09-15 10:21 . 2009-07-17 14:35 71680 ----a-w- c:\windows\system32\atl.dll 2009-09-15 10:16 . 2009-09-19 20:52 -------- d-----w- c:\users\Andrew\AppData\Local\Apple Computer 2009-09-15 10:16 . 2009-09-15 10:18 -------- d-----w- c:\users\Andrew\AppData\Roaming\Apple Computer 2009-09-15 10:16 . 2009-09-15 10:16 -------- dc----w- c:\windows\system32\DRVSTORE 2009-09-15 10:16 . 2009-05-18 13:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys 2009-09-15 10:16 . 2008-04-17 12:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll 2009-09-15 10:15 . 2009-09-15 10:15 -------- d-----w- c:\program files\iPod 2009-09-15 10:15 . 2009-09-15 10:16 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD} 2009-09-15 10:15 . 2009-09-15 10:16 -------- d-----w- c:\program files\iTunes 2009-09-15 10:14 . 2009-09-15 10:14 -------- d-----w- c:\program files\Bonjour 2009-09-15 10:13 . 2009-09-15 10:14 -------- d-----w- c:\program files\QuickTime 2009-09-15 10:13 . 2009-09-15 10:15 -------- d-----w- c:\programdata\Apple Computer 2009-09-15 10:12 . 2009-09-15 10:12 -------- d-----w- c:\users\Andrew\AppData\Local\Apple 2009-09-15 10:12 . 2009-09-15 10:12 -------- d-----w- c:\program files\Apple Software Update 2009-09-15 10:10 . 2009-09-15 10:15 -------- d-----w- c:\program files\Common Files\Apple 2009-09-15 10:10 . 2009-09-15 10:10 -------- d-----w- c:\programdata\Apple 2009-09-15 10:04 . 2008-10-16 21:13 1809944 ----a-w- c:\windows\system32\wuaueng.dll 2009-09-15 10:04 . 2008-10-16 21:09 51224 ----a-w- c:\windows\system32\wuauclt.exe 2009-09-15 10:04 . 2008-10-16 21:09 43544 ----a-w- c:\windows\system32\wups2.dll 2009-09-15 10:04 . 2008-10-16 20:56 1524736 ----a-w- c:\windows\system32\wucltux.dll 2009-09-15 10:04 . 2008-10-16 21:12 561688 ----a-w- c:\windows\system32\wuapi.dll 2009-09-15 10:04 . 2008-10-16 21:08 34328 ----a-w- c:\windows\system32\wups.dll 2009-09-15 10:04 . 2008-10-16 20:55 83456 ----a-w- c:\windows\system32\wudriver.dll 2009-09-15 10:04 . 2008-10-16 13:08 162064 ----a-w- c:\windows\system32\wuwebv.dll 2009-09-15 10:04 . 2008-10-16 12:56 31232 ----a-w- c:\windows\system32\wuapp.exe 2009-09-15 09:51 . 2009-09-15 09:51 -------- d-----w- c:\users\Andrew\AppData\Local\Sony_Corporation 2009-09-15 09:51 . 2009-09-15 09:51 -------- d-----w- c:\users\Andrew\AppData\Roaming\ATI 2009-09-15 09:51 . 2009-09-15 09:51 -------- d-----w- c:\users\Andrew\AppData\Local\ATI 2009-09-15 09:51 . 2009-09-15 09:51 -------- d-----w- c:\users\Andrew\AppData\Local\Broadcom 2009-09-15 09:51 . 2009-09-18 23:58 -------- d-----w- c:\users\Andrew\AppData\Local\Google 2009-09-15 09:51 . 2009-09-15 10:40 -------- d-----w- c:\users\Andrew\AppData\Roaming\Sony Corporation 2009-09-15 09:50 . 2009-09-17 15:10 -------- d-----w- c:\users\Andrew\AppData\Local\VirtualStore . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-09-20 13:40 . 2009-05-15 18:54 12 ----a-w- c:\windows\bthservsdp.dat 2009-09-18 23:59 . 2009-06-17 16:25 -------- d-----w- c:\program files\Google 2009-09-18 12:05 . 2009-05-15 21:18 411368 ----a-w- c:\windows\system32\deploytk.dll 2009-09-15 15:25 . 2009-05-15 21:17 -------- d-----w- c:\programdata\Sony Corporation 2009-09-15 14:00 . 2009-05-15 21:18 -------- d-----w- c:\program files\Java 2009-09-15 13:52 . 2009-06-17 16:27 -------- d-----w- c:\programdata\McAfee 2009-09-15 13:06 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail 2009-09-15 13:04 . 2009-09-15 13:04 56 ---ha-w- c:\programdata\ezsidmv.dat 2009-09-15 13:02 . 2009-06-17 16:44 -------- d-----w- c:\programdata\Skype 2009-09-15 09:49 . 2009-09-15 09:49 0 ---ha-r- c:\windows\system32\drivers\104D_Sony_VGN-NW11SS.mrk 2009-09-15 09:47 . 2009-09-15 09:47 79096 ----a-w- c:\users\Andrew\AppData\Local\GDIPFONTCACHEV1.DAT 2009-08-28 12:39 . 2009-09-15 10:22 28672 ----a-w- c:\windows\system32\Apphlpdm.dll 2009-08-28 10:15 . 2009-09-15 10:22 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll 2009-08-14 17:07 . 2009-09-15 10:25 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys 2009-08-14 16:29 . 2009-09-15 10:25 104960 ----a-w- c:\windows\system32\netiohlp.dll 2009-08-14 16:29 . 2009-09-15 10:25 17920 ----a-w- c:\windows\system32\netevent.dll 2009-08-14 14:16 . 2009-09-15 10:25 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE 2009-08-14 14:16 . 2009-09-15 10:25 17920 ----a-w- c:\windows\system32\ROUTE.EXE 2009-08-14 14:16 . 2009-09-15 10:25 11264 ----a-w- c:\windows\system32\MRINFO.EXE 2009-08-14 14:16 . 2009-09-15 10:25 27136 ----a-w- c:\windows\system32\NETSTAT.EXE 2009-08-14 14:16 . 2009-09-15 10:25 19968 ----a-w- c:\windows\system32\ARP.EXE 2009-08-14 14:16 . 2009-09-15 10:25 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE 2009-08-14 14:16 . 2009-09-15 10:25 10240 ----a-w- c:\windows\system32\finger.exe 2009-07-18 16:06 . 2009-09-15 10:22 827904 ----a-w- c:\windows\system32\wininet.dll 2009-07-18 16:01 . 2009-09-15 10:22 78336 ----a-w- c:\windows\system32\ieencode.dll 2009-07-18 09:46 . 2009-09-15 10:22 26624 ----a-w- c:\windows\system32\ieUnatt.exe 2009-07-14 13:00 . 2009-09-15 10:21 313344 ----a-w- c:\windows\system32\wmpdxm.dll 2009-07-14 12:59 . 2009-09-15 10:21 4096 ----a-w- c:\windows\system32\dxmasf.dll 2009-07-14 12:58 . 2009-09-15 10:21 7680 ----a-w- c:\windows\system32\spwmp.dll 2009-07-14 10:59 . 2009-09-15 10:21 8147456 ----a-w- c:\windows\system32\wmploc.DLL 2009-07-11 19:32 . 2009-09-15 10:21 302592 ----a-w- c:\windows\system32\wlansec.dll 2009-07-11 19:32 . 2009-09-15 10:21 293376 ----a-w- c:\windows\system32\wlanmsm.dll 2009-07-11 19:32 . 2009-09-15 10:21 513024 ----a-w- c:\windows\system32\wlansvc.dll 2009-07-11 19:29 . 2009-09-15 10:21 127488 ----a-w- c:\windows\system32\L2SecHC.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not SHOWN REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4}] 2009-06-17 16:25 159728 ----a-w- c:\programdata\Partner\partner.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NSUFloatingUI"="c:\program files\Sony\Network Utility\LANUtil.exe" [2008-12-22 274432] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-17 39408] "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-03 3882312] "SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2009-05-28 380416] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184] "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-01-06 6703648] "Apoint"="c:\program files\Apoint\Apoint.exe" [2009-04-13 155648] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-12-03 35184] "ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2008-12-18 317288] "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-11 61440] "MarketingTools"="c:\program files\Sony\Marketing Tools\MarketingTools.exe" [2009-06-17 26624] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-08 305440] "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000] "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-18 149280] "OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-04-28 2374464] "OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall\feedback.exe" [2009-04-28 428032] c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-3-2 789032] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableLUA"= 0 (0x0) "EnableUIADesktopToggle"= 0 (0x0) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon] 2009-01-19 19:49 98304 ----a-w- c:\windows\System32\VESWinlogon.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\progra~1\Agnitum\OUTPOS~1\wl_hook.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] ="Service" [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules] "{129514D1-4AC8-4E1F-BDFD-B21A5F0F9BEA}"= UDP:c:\program files\Microsoft OFFICE\Office12\ONENOTE.EXE:Microsoft Office OneNote "{A1F59285-8068-48B7-AE07-A8E62975667B}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote "{ABB61563-A40C-4DD4-B816-166008DA01C3}"= c:\program files\Skype\Phone\Skype.exe:Skype "{06B6A460-D768-415D-B42B-3EB47FF36165}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour "{D23146E0-9C53-41F9-8BF3-060E45152425}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour "{F04AB291-7465-4283-9A83-8CDA902852BF}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes "{B27D64D9-5B16-445D-BF86-FB9011C7A75B}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes "TCP Query User{2FA59455-1B7B-4BE2-A7FB-20C7878FC43B}c:\\program files\\vuze\\azureus.exe"= UDP:c:\program files\vuze\azureus.exe:Azureus "UDP Query User{ACEEC3FD-2288-4FC5-939F-CE82CD3CB122}c:\\program files\\vuze\\azureus.exe"= TCP:c:\program files\vuze\azureus.exe:Azureus R1 afw;Agnitum Firewall Driver;c:\windows\System32\drivers\afw.sys [19/09/2009 01:25 29208] R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [15/09/2009 14:04 114768] R1 SandBox;SandBox;c:\windows\System32\drivers\SandBox.sys [19/09/2009 01:28 704384] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [04/09/2009 14:50 9968] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [04/09/2009 14:49 74480] R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [19/09/2009 01:25 1195008] R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [15/09/2009 14:04 20560] R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [15/09/2009 14:03 53328] R2 NSUService;NSUService;c:\program files\Sony\Network Utility\NSUService.exe [17/06/2009 17:59 303104] R2 regi;regi;c:\windows\System32\drivers\regi.sys [18/04/2007 04:09 11032] R2 RtkAudioService;Realtek Audio Service;c:\program files\Realtek\Audio\HDA\RtkAudioService.exe [15/05/2009 19:34 109088] R2 uCamMonitor;CamMonitor;c:\program files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [17/06/2009 17:26 104960] R2 VAIO Power Management;VAIO Power Management;c:\program files\Sony\VAIO Power Management\SPMService.exe [15/05/2009 22:18 415592] R2 VCFw;VAIO Content Folder Watcher;c:\program files\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [14/01/2009 21:38 5184872] R2 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [17/06/2009 17:45 394536] R2 yksvc;Marvell Yukon Service;c:\windows\System32\svchost.exe -k yksvcs [21/01/2008 03:23 21504] R3 afwcore;afwcore;c:\windows\System32\drivers\afwcore.sys [19/09/2009 01:27 307224] R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\System32\drivers\ArcSoftKsUFilter.sys [17/06/2009 17:26 17920] R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\System32\drivers\btwl2cap.sys [15/05/2009 20:07 29736] R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [29/08/2008 07:48 3664384] R3 SbieDrv;SbieDrv;c:\program files\Sandboxie\SbieDrv.sys [28/05/2009 14:32 108032] R3 SFEP;Sony Firmware Extension Parser;c:\windows\System32\drivers\SFEP.sys [15/05/2009 19:35 9344] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [19/09/2009 00:58 133104] S3 Partner Service;Partner Service;c:\programdata\Partner\partner.exe [17/06/2009 17:25 111088] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [04/09/2009 14:50 7408] S3 SOHCImp;VAIO Media plus Content Importer;c:\program files\Common Files\Sony Shared\SOHLib\SOHCImp.exe [17/06/2009 17:49 120104] S3 SOHDBSvr;VAIO Media plus Database Manager;c:\program files\Common Files\Sony Shared\SOHLib\SOHDBSvr.exe [17/06/2009 17:49 70952] S3 SOHDms;VAIO Media plus Digital Media Server;c:\program files\Common Files\Sony Shared\SOHLib\SOHDms.exe [17/06/2009 17:49 390440] S3 SOHDs;VAIO Media plus Device Searcher;c:\program files\Common Files\Sony Shared\SOHLib\SOHDs.exe [17/06/2009 17:49 75048] S3 SOHPlMgr;VAIO Media plus Playlist Manager;c:\program files\Common Files\Sony Shared\SOHLib\SOHPlMgr.exe [17/06/2009 17:49 91432] S3 TWAP;TWAP;c:\users\Andrew\AppData\Local\Temp\TWAP.exe --> c:\users\Andrew\AppData\Local\Temp\TWAP.exe [?] S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe [17/06/2009 17:45 83240] S3 WPLJQNI;WPLJQNI;c:\users\Andrew\AppData\Local\Temp\WPLJQNI.exe --> c:\users\Andrew\AppData\Local\Temp\WPLJQNI.exe [?] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] bthsvcs REG_MULTI_SZ BthServ yksvcs REG_MULTI_SZ yksvc . Contents of the 'Scheduled Tasks' folder 2009-09-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-09-18 23:58] 2009-09-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-09-18 23:58] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SNYT&bmod=EU01 mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SNYT&bmod=SNYT uInternet Settings,ProxyOverride = .local IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm . - - - - ORPHANS REMOVED - - - - AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe *********************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-09-20 15:02 Windows 6.0.6001 Service Pack 1 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... c:\users\Andrew\AppData\Local\Temp\catchme.dll 53248 bytes executable scan completed successfully hidden files: 1 ************************************************************************ [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msiserver] "ImagePath"="%systemroot%\system32\msiexec /V" . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}] Denied: (A 2) (Everyone) ="FlashBroker" "LocalizedString"="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32] ="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib] ="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}] Denied: (A 2) (Everyone) ="IFlashBroker3" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32] ="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib] ="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] Denied: (A) (Users) Denied: (A) (Everyone) Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 "MSCurrentCountry"=dword:000000b4 . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'Explorer.exe'(3240) c:\program files\WIDCOMM\Bluetooth Software\btmmhook.dll . Completion time: 2009-09-20 15:06 ComboFix-quarantined-files.txt 2009-09-20 14:06 Pre-Run: 174,304,403,456 bytes free Post-Run: 174,297,751,552 bytes free 308 --- E O F --- 2009-09-17 10:54 =================== Hijackthis log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 15:38:34, on 20/09/2009 Platform: Windows Vista SP1 (WinNT 6.00.1905) MSIE: Internet Explorer v7.00 (7.00.6001.18294) Boot mode: Normal Running processes: C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Program Files\Sony\VAIO Power Management\SPMgr.exe C:\Windows\system32\taskeng.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Windows\System32\mobsync.exe C:\Program Files\Apoint\Apoint.exe C:\Program Files\Sony\ISB Utility\ISBMgr.exe C:\Program Files\Sony\Marketing Tools\MarketingTools.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Apoint\ApMsgFwd.exe C:\Program Files\Alwil Software\Avast4\ashDisp.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Sony\Network Utility\LANUtil.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\Program Files\Apoint\Apntex.exe C:\Program Files\Apoint\Apvfb.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Sony\VAIO Update 4\VAIOUpdt.exe C:\Program Files\Windows Live\Messenger\msnmsgr.exe C:\Program Files\Sandboxie\SbieCtrl.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe C:\Program Files\Sony\VAIO Reminder\VAIOReminder.exe C:\Windows\system32\wuauclt.exe C:\Program Files\Trend Micro\HijackThis\Sniper.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = .local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O1 - Hosts: ::1 localhost O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) O2 - BHO: Partner BHO Class - {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\partner.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [ISBMgr.exe] "C:\Program Files\Sony\ISB Utility\ISBMgr.exe" O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun O4 - HKLM\..\Run: [MarketingTools] C:\Program Files\Sony\Marketing Tools\MarketingTools.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall\feedback.exe" /dump:os_startup O4 - HKCU\..\Run: [NSUFloatingUI] "C:\Program Files\Sony\Network Utility\LANUtil.exe" O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe" O4 - Global Startup: Bluetooth.lnk = ? O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - AppInit_DLLs: c:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe O23 - Service: NSUService - Sony Corporation - C:\Program Files\Sony\Network Utility\NSUService.exe O23 - Service: Partner Service - Google Inc. - C:\ProgramData\Partner\partner.exe O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe O23 - Service: Realtek Audio Service (RtkAudioService) - Realtek Semiconductor - C:\Program Files\Realtek\Audio\HDA\RtkAudioService.exe O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe O23 - Service: VAIO Media plus Content Importer (SOHCImp) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\SOHLib\SOHCImp.exe O23 - Service: VAIO Media plus Database Manager (SOHDBSvr) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\SOHLib\SOHDBSvr.exe O23 - Service: VAIO Media plus Digital Media Server (SOHDms) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\SOHLib\SOHDms.exe O23 - Service: VAIO Media plus Device Searcher (SOHDs) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\SOHLib\SOHDs.exe O23 - Service: VAIO Media plus Playlist Manager (SOHPlMgr) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\SOHLib\SOHPlMgr.exe O23 - Service: TWAP - Unknown owner - C:\Users\Andrew\AppData\Local\Temp\TWAP.exe (file missing) O23 - Service: CamMonitor (uCamMonitor) - ArcSoft, Inc. - C:\Program Files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzHardwareResourceManager\VzHardwareResourceManager\VzHardwareResourceManager.exe O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe O23 - Service: VAIO Power Management - Sony Corporation - C:\Program Files\Sony\VAIO Power Management\SPMService.exe O23 - Service: VAIO Content Folder Watcher (VCFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe O23 - Service: VAIO Content Metadata Intelligent Analyzing Manager (VcmIAlzMgr) - Sony Corporation - C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe O23 - Service: VAIO Content Metadata XML Interface (VcmXmlIfHelper) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe O23 - Service: WPLJQNI - Unknown owner - C:\Users\Andrew\AppData\Local\Temp\WPLJQNI.exe (file missing) -- End of file - 10895 bytes For the most part, your logs look clean. The only issue I see is with this Partner software from Google. Many people consider it to be spyware and they typically want to remove it. If you would like to do so, open HijackThis and place checkmarks next to the following entries: O2 - BHO: Partner BHO Class - {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\partner.dll O23 - Service: Partner Service - Google Inc. - C:\ProgramData\Partner\partner.exe Close all other windows (except for HijackThis) and click on Fix Checked. That should take care of that. You can then delete the folder C:\ProgramData\Partner* if you wish. Other than that, not much is going on. Are you still having the same problems? It appears that the TDSServ infection is gone, but it can be hard to kill sometimes, so I'd like to know if things are getting any better or not.

Answer»

Hey,

I realised I had a problem when I attempted to start Windows Vista, but I couldn't get past the 'welcome' screen. The screen hadn't frozen (the loading circle was still spinning) but after waiting for some time it wouldn't start. I ran in safe mode, ran avast and showed I had a rootkit win32:Alureon-CY in my operating memory, so I ran a boot time scan.

It supposedly got rid of it, but since my laptop has still been running a lot slower, so I followed your guidelines (which were by far the most useful I could find online - thanks!) and have the copies of the three logs below. Please advise, I'd be extremely grateful for any help!

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/18/2009 at 12:35 PM

Application Version : 4.28.1010

Core Rules Database Version : 4107
Trace Rules Database Version: 2047

Scan type : Custom Scan
Total Scan Time : 17:45:25

Memory items scanned : 965
Memory threats detected : 0
Registry items scanned : 6865
Registry threats detected : 10
File items scanned : 2210718
File threats detected : 2

Trojan.Agent/Gen-Downloader[Packed]
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C3D409DF-0316-4FC0-89E2-DBDD885232A0}
   HKCR\CLSID\{C3D409DF-0316-4FC0-89E2-DBDD885232A0}
   HKCR\CLSID\{C3D409DF-0316-4FC0-89E2-DBDD885232A0}
   HKCR\CLSID\{C3D409DF-0316-4FC0-89E2-DBDD885232A0}\InprocServer32
   HKCR\CLSID\{C3D409DF-0316-4FC0-89E2-DBDD885232A0}\InprocServer32#ThreadingModel
   HKCR\CLSID\{C3D409DF-0316-4FC0-89E2-DBDD885232A0}\ProgID
   HKCR\CLSID\{C3D409DF-0316-4FC0-89E2-DBDD885232A0}\TypeLib
   HKCR\glok
   HKCR\TypeLib\{1ABA6D39-508C-483C-8466-9A9E69BC708F}
   C:\WINDOWS\SYSTEM32\YXHL0.DLL
   HKU\S-1-5-21-3356350433-2492298019-641508283-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3D409DF-0316-4FC0-89E2-DBDD885232A0}
   YXHL0.DLL

--------------------

Malwarebytes' Anti-Malware 1.41
Database version: 2819
Windows 6.0.6001 Service Pack 1

18/09/2009 12:58:07
mbam-log-2009-09-18 (12-58-07).txt

Scan type: Quick Scan
Objects scanned: 84657
Time elapsed: 2 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 6
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\kt_bho.KettleBho (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\BN (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D1 (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D2 (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D3 (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\gd (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\pr (Trojan.Ambler) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\gasfkybxoqqocc.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Windows\System32\gasfkyvphklrci.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Windows\System32\drivers\gasfkyxxwuqpig.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Windows\System32\gasfkytevcynvs.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Windows\System32\gasfkyuijvmetw.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.

---------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:13:53, on 18/09/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18294)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Sony\VAIO Update 4\VAIOUpdt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\Marketing Tools\MarketingTools.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Sony\Network Utility\LANUtil.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\Apvfb.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Sony\VAIO Reminder\VAIOReminder.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\Sniper.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Partner BHO Class - {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\partner.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISBMgr.exe] "C:\Program Files\Sony\ISB Utility\ISBMgr.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [MarketingTools] C:\Program Files\Sony\Marketing Tools\MarketingTools.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [NSUFloatingUI] "C:\Program Files\Sony\Network Utility\LANUtil.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NSUService - Sony Corporation - C:\Program Files\Sony\Network Utility\NSUService.exe
O23 - Service: Partner Service - Google Inc. - C:\ProgramData\Partner\partner.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Realtek Audio Service (RtkAudioService) - Realtek Semiconductor - C:\Program Files\Realtek\Audio\HDA\RtkAudioService.exe
O23 - Service: VAIO Media plus Content Importer (SOHCImp) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\SOHLib\SOHCImp.exe
O23 - Service: VAIO Media plus Database Manager (SOHDBSvr) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\SOHLib\SOHDBSvr.exe
O23 - Service: VAIO Media plus Digital Media Server (SOHDms) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\SOHLib\SOHDms.exe
O23 - Service: VAIO Media plus Device Searcher (SOHDs) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\SOHLib\SOHDs.exe
O23 - Service: VAIO Media plus Playlist Manager (SOHPlMgr) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\SOHLib\SOHPlMgr.exe
O23 - Service: TWAP - Unknown owner - C:\Users\Andrew\AppData\Local\Temp\TWAP.exe (file missing)
O23 - Service: CamMonitor (uCamMonitor) - ArcSoft, Inc. - C:\Program Files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe
O23 - Service: VAIO ENTERTAINMENT TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzHardwareResourceManager\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Power Management - Sony Corporation - C:\Program Files\Sony\VAIO Power Management\SPMService.exe
O23 - Service: VAIO Content Folder Watcher (VCFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe
O23 - Service: VAIO Content Metadata Intelligent Analyzing Manager (VcmIAlzMgr) - Sony Corporation - C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe
O23 - Service: VAIO Content Metadata XML Interface (VcmXmlIfHelper) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: WPLJQNI - Unknown owner - C:\Users\Andrew\AppData\Local\Temp\WPLJQNI.exe (file missing)

--
End of file - 10599 bytes

You've got a fun one...

First, do the following...
Click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.

Scroll down to “Non-plug and Play Drivers” and click the plus icon to open those drivers.
Then search for TDSSserv.sys
Let me know if you find this or not.
If you do find it, right click on it, and select “Disable”. Do not try to uninstall it.
Also if this is found and you disable it, then reboot and see if you can run the other scans that would not run.

Then follow these steps...
Please print these instructions as they will be needed later when Internet access is not available.

Download SDFix by AndyManchesta and save it to your desktop. http://rapidshare.com/files/156236231/SDFix.exe.html

When using this tool, you must use the Administrator's account or an account with Administrative rights

Double-click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
DO NOT use it just yet.

Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double-click RunThis.bat to start the script.

Type Y to begin the cleanup process.
It will remove any Trojan Services or Registry Entries found then prompt you to press any key to reboot.
Press any Key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process then display Finished. Press any key to end the script and load your desktop icons.
Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Copy and paste the contents of the results file Report.txt in your next reply.

Thanks for looking at the logs and advising - it's appreciated.

I tried the first step and searched for TDSSserv.sys but it didn't appear. I the started with the second steps, but when I try to run SDFix.exe in safe mode it just flashes open then closes again. I had a look at the readme, and it suggests that SDFix only works with Windows 2000/XP, but I'm running Vista.

Could catchme work instead?

Right, I don't use SDFix as often lately, so it slipped my mind that it doesn't work for Vista. Sorry about that. I was holding off on using ComboFix (which includes Catchme), but because you've already put such a large dent in TDSServ, there shouldn't be any conflict.

Before following my steps, you may need to disable UAC. If you don't know how to do this, read STEP 2 on this page:
http://forums.majorgeeks.com/showthread.php?t=139681

Then download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double-click combofix.exe and follow the prompts.
When finished, ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.OK followed all the steps. Here we go, hopefully we're making some PROGRESS!

Combofix log:

ComboFix 09-09-18.02 - Andrew 20/09/2009 14:52.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.3038.1809 [GMT 1:00]
Running from: c:\users\Andrew\Desktop\ComboFix.exe
FW: Outpost Firewall *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-3982674394-68895260-2756340350-500
c:\$recycle.bin\S-1-5-21-769387424-2473901706-93561034-500

.
((((((((((((((((((((((((( Files Created from 2009-08-20 to 2009-09-20 )))))))))))))))))))))))))))))))
.

2009-09-20 14:02 . 2009-09-20 14:03   --------   d-----w-   c:\users\Andrew\AppData\Local\temp
2009-09-20 14:02 . 2009-09-20 14:02   --------   d-----w-   c:\users\Default\AppData\Local\temp
2009-09-20 10:00 . 2008-10-16 11:17   --------   d-----w-   C:\SDFix
2009-09-19 11:28 . 2009-09-19 11:28   --------   d-----w-   C:\Sandbox
2009-09-19 11:25 . 2009-09-19 11:25   --------   d-----w-   c:\program files\Sandboxie
2009-09-19 11:21 . 2006-11-30 21:24   86016   ----a-w-   c:\windows\system32\custmon32.dll
2009-09-19 11:21 . 2009-09-19 11:21   --------   dc-h--w-   c:\programdata\{2A28C3FB-FC79-4677-A128-0D87F28F7084}
2009-09-19 11:21 . 2009-09-19 11:21   --------   d-----w-   c:\program files\Capsoft
2009-09-19 11:21 . 2009-09-19 11:21   --------   d-----w-   c:\program files\PDF Creator
2009-09-19 00:28 . 2009-04-06 10:37   704384   ----a-w-   c:\windows\system32\drivers\SandBox.sys
2009-09-19 00:27 . 2009-02-10 15:12   307224   ----a-w-   c:\windows\system32\drivers\afwcore.sys
2009-09-19 00:25 . 2009-02-18 16:27   29208   ----a-w-   c:\windows\system32\drivers\afw.sys
2009-09-19 00:25 . 2009-09-19 00:25   --------   d-----w-   c:\program files\Agnitum
2009-09-19 00:24 . 2009-09-19 00:24   --------   d-----w-   c:\programdata\Agnitum
2009-09-18 13:13 . 2009-09-20 13:42   --------   d-----w-   c:\users\Andrew\Tracing
2009-09-18 12:10 . 2009-09-18 12:10   --------   d-----w-   c:\program files\Trend Micro
2009-09-18 11:52 . 2009-09-18 11:52   --------   d-----w-   c:\users\Andrew\AppData\Roaming\Malwarebytes
2009-09-18 11:52 . 2009-09-10 13:54   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-18 11:52 . 2009-09-18 11:52   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2009-09-18 11:52 . 2009-09-18 11:52   --------   d-----w-   c:\programdata\Malwarebytes
2009-09-18 11:52 . 2009-09-10 13:53   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-09-17 17:37 . 2009-09-17 17:37   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
2009-09-17 17:37 . 2009-09-18 11:42   --------   d-----w-   c:\program files\SUPERAntiSpyware
2009-09-17 17:37 . 2009-09-17 17:37   --------   d-----w-   c:\users\Andrew\AppData\Roaming\SUPERAntiSpyware.com
2009-09-17 17:36 . 2009-09-17 17:36   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2009-09-17 16:15 . 2009-09-17 16:15   --------   d-----w-   c:\program files\CCleaner
2009-09-17 15:24 . 2009-09-17 15:24   --------   d-----w-   c:\users\Andrew\Pavark
2009-09-17 15:15 . 2009-09-17 15:15   --------   d-----w-   c:\users\Andrew\AppData\Roaming\AVG8
2009-09-15 23:41 . 2009-09-15 23:41   --------   d-----w-   c:\programdata\ArcSoft
2009-09-15 23:40 . 2009-09-15 23:41   --------   d-----w-   c:\users\Andrew\AppData\Roaming\ArcSoft
2009-09-15 19:34 . 2009-09-15 19:37   --------   d-----w-   c:\users\Andrew\AppData\Local\Adobe
2009-09-15 14:04 . 2009-09-15 14:04   --------   d-----w-   c:\program files\YouTube Downloader
2009-09-15 13:04 . 2009-09-20 12:33   --------   d-----w-   c:\users\Andrew\AppData\Roaming\skypePM
2009-09-15 13:04 . 2009-08-17 16:04   51376   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2009-09-15 13:04 . 2009-08-17 16:04   23152   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2009-09-15 13:04 . 2009-08-17 16:02   97480   ----a-w-   c:\windows\system32\AvastSS.scr
2009-09-15 13:04 . 2009-08-17 16:05   114768   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2009-09-15 13:04 . 2009-08-17 16:05   20560   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2009-09-15 13:03 . 2009-08-17 16:10   1279456   ----a-w-   c:\windows\system32\aswBoot.exe
2009-09-15 13:03 . 2009-08-17 16:05   53328   ----a-w-   c:\windows\system32\drivers\aswMonFlt.sys
2009-09-15 13:03 . 2009-09-15 13:03   --------   d-----w-   c:\program files\Alwil Software
2009-09-15 13:03 . 2009-06-22 10:22   2048   ----a-w-   c:\windows\system32\tzres.dll
2009-09-15 13:02 . 2009-09-20 13:40   --------   d-----w-   c:\users\Andrew\AppData\Roaming\Skype
2009-09-15 13:02 . 2009-09-15 13:02   --------   d-----w-   c:\program files\Common Files\Skype
2009-09-15 13:02 . 2009-09-15 13:02   --------   d-----r-   c:\program files\Skype
2009-09-15 12:59 . 2009-09-15 12:59   --------   d-----w-   C:\VAIO Entertainment
2009-09-15 10:36 . 2009-09-15 10:36   --------   d-----w-   c:\programdata\Azureus
2009-09-15 10:35 . 2008-06-20 01:14   97800   ----a-w-   c:\windows\system32\infocardapi.dll
2009-09-15 10:35 . 2009-09-20 11:34   --------   d-----w-   c:\users\Andrew\AppData\Roaming\Azureus
2009-09-15 10:35 . 2008-06-20 01:14   105016   ----a-w-   c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-09-15 10:35 . 2008-06-20 01:14   622080   ----a-w-   c:\windows\system32\icardagt.exe
2009-09-15 10:35 . 2008-06-20 01:14   43544   ----a-w-   c:\windows\system32\PresentationHostProxy.dll
2009-09-15 10:35 . 2008-06-20 01:14   11264   ----a-w-   c:\windows\system32\icardres.dll
2009-09-15 10:35 . 2008-06-20 01:14   781344   ----a-w-   c:\windows\system32\PresentationNative_v0300.dll
2009-09-15 10:35 . 2008-06-20 01:14   326160   ----a-w-   c:\windows\system32\PresentationHost.exe
2009-09-15 10:34 . 2009-09-15 10:34   --------   d-----w-   c:\program files\Vuze
2009-09-15 10:29 . 2008-07-27 18:03   96760   ----a-w-   c:\windows\system32\dfshim.dll
2009-09-15 10:29 . 2008-07-27 18:03   282112   ----a-w-   c:\windows\system32\mscoree.dll
2009-09-15 10:29 . 2008-07-27 18:03   41984   ----a-w-   c:\windows\system32\netfxperf.dll
2009-09-15 10:28 . 2008-07-27 18:03   158720   ----a-w-   c:\windows\system32\mscorier.dll
2009-09-15 10:28 . 2008-07-27 18:03   83968   ----a-w-   c:\windows\system32\mscories.dll
2009-09-15 10:26 . 2009-06-15 15:24   156672   ----a-w-   c:\windows\system32\t2embed.dll
2009-09-15 10:26 . 2009-06-15 15:20   72704   ----a-w-   c:\windows\system32\fontsub.dll
2009-09-15 10:26 . 2009-06-15 15:20   10240   ----a-w-   c:\windows\system32\dciman32.dll
2009-09-15 10:26 . 2009-06-15 12:52   289792   ----a-w-   c:\windows\system32\atmfd.dll
2009-09-15 10:26 . 2009-04-23 12:42   636928   ----a-w-   c:\windows\system32\localspl.dll
2009-09-15 10:26 . 2008-10-22 03:57   241152   ----a-w-   c:\windows\system32\PortableDeviceApi.dll
2009-09-15 10:26 . 2009-04-23 12:43   784896   ----a-w-   c:\windows\system32\rpcrt4.dll
2009-09-15 10:22 . 2009-04-30 12:37   428544   ----a-w-   c:\windows\system32\EncDec.dll
2009-09-15 10:21 . 2009-07-17 14:35   71680   ----a-w-   c:\windows\system32\atl.dll
2009-09-15 10:16 . 2009-09-19 20:52   --------   d-----w-   c:\users\Andrew\AppData\Local\Apple Computer
2009-09-15 10:16 . 2009-09-15 10:18   --------   d-----w-   c:\users\Andrew\AppData\Roaming\Apple Computer
2009-09-15 10:16 . 2009-09-15 10:16   --------   dc----w-   c:\windows\system32\DRVSTORE
2009-09-15 10:16 . 2009-05-18 13:17   26600   ----a-w-   c:\windows\system32\drivers\GEARAspiWDM.sys
2009-09-15 10:16 . 2008-04-17 12:12   107368   ----a-w-   c:\windows\system32\GEARAspi.dll
2009-09-15 10:15 . 2009-09-15 10:15   --------   d-----w-   c:\program files\iPod
2009-09-15 10:15 . 2009-09-15 10:16   --------   d-----w-   c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-15 10:15 . 2009-09-15 10:16   --------   d-----w-   c:\program files\iTunes
2009-09-15 10:14 . 2009-09-15 10:14   --------   d-----w-   c:\program files\Bonjour
2009-09-15 10:13 . 2009-09-15 10:14   --------   d-----w-   c:\program files\QuickTime
2009-09-15 10:13 . 2009-09-15 10:15   --------   d-----w-   c:\programdata\Apple Computer
2009-09-15 10:12 . 2009-09-15 10:12   --------   d-----w-   c:\users\Andrew\AppData\Local\Apple
2009-09-15 10:12 . 2009-09-15 10:12   --------   d-----w-   c:\program files\Apple Software Update
2009-09-15 10:10 . 2009-09-15 10:15   --------   d-----w-   c:\program files\Common Files\Apple
2009-09-15 10:10 . 2009-09-15 10:10   --------   d-----w-   c:\programdata\Apple
2009-09-15 10:04 . 2008-10-16 21:13   1809944   ----a-w-   c:\windows\system32\wuaueng.dll
2009-09-15 10:04 . 2008-10-16 21:09   51224   ----a-w-   c:\windows\system32\wuauclt.exe
2009-09-15 10:04 . 2008-10-16 21:09   43544   ----a-w-   c:\windows\system32\wups2.dll
2009-09-15 10:04 . 2008-10-16 20:56   1524736   ----a-w-   c:\windows\system32\wucltux.dll
2009-09-15 10:04 . 2008-10-16 21:12   561688   ----a-w-   c:\windows\system32\wuapi.dll
2009-09-15 10:04 . 2008-10-16 21:08   34328   ----a-w-   c:\windows\system32\wups.dll
2009-09-15 10:04 . 2008-10-16 20:55   83456   ----a-w-   c:\windows\system32\wudriver.dll
2009-09-15 10:04 . 2008-10-16 13:08   162064   ----a-w-   c:\windows\system32\wuwebv.dll
2009-09-15 10:04 . 2008-10-16 12:56   31232   ----a-w-   c:\windows\system32\wuapp.exe
2009-09-15 09:51 . 2009-09-15 09:51   --------   d-----w-   c:\users\Andrew\AppData\Local\Sony_Corporation
2009-09-15 09:51 . 2009-09-15 09:51   --------   d-----w-   c:\users\Andrew\AppData\Roaming\ATI
2009-09-15 09:51 . 2009-09-15 09:51   --------   d-----w-   c:\users\Andrew\AppData\Local\ATI
2009-09-15 09:51 . 2009-09-15 09:51   --------   d-----w-   c:\users\Andrew\AppData\Local\Broadcom
2009-09-15 09:51 . 2009-09-18 23:58   --------   d-----w-   c:\users\Andrew\AppData\Local\Google
2009-09-15 09:51 . 2009-09-15 10:40   --------   d-----w-   c:\users\Andrew\AppData\Roaming\Sony Corporation
2009-09-15 09:50 . 2009-09-17 15:10   --------   d-----w-   c:\users\Andrew\AppData\Local\VirtualStore

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-20 13:40 . 2009-05-15 18:54   12   ----a-w-   c:\windows\bthservsdp.dat
2009-09-18 23:59 . 2009-06-17 16:25   --------   d-----w-   c:\program files\Google
2009-09-18 12:05 . 2009-05-15 21:18   411368   ----a-w-   c:\windows\system32\deploytk.dll
2009-09-15 15:25 . 2009-05-15 21:17   --------   d-----w-   c:\programdata\Sony Corporation
2009-09-15 14:00 . 2009-05-15 21:18   --------   d-----w-   c:\program files\Java
2009-09-15 13:52 . 2009-06-17 16:27   --------   d-----w-   c:\programdata\McAfee
2009-09-15 13:06 . 2006-11-02 11:18   --------   d-----w-   c:\program files\Windows Mail
2009-09-15 13:04 . 2009-09-15 13:04   56   ---ha-w-   c:\programdata\ezsidmv.dat
2009-09-15 13:02 . 2009-06-17 16:44   --------   d-----w-   c:\programdata\Skype
2009-09-15 09:49 . 2009-09-15 09:49   0   ---ha-r-   c:\windows\system32\drivers\104D_Sony_VGN-NW11SS.mrk
2009-09-15 09:47 . 2009-09-15 09:47   79096   ----a-w-   c:\users\Andrew\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-28 12:39 . 2009-09-15 10:22   28672   ----a-w-   c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15 . 2009-09-15 10:22   4240384   ----a-w-   c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-14 17:07 . 2009-09-15 10:25   897608   ----a-w-   c:\windows\system32\drivers\tcpip.sys
2009-08-14 16:29 . 2009-09-15 10:25   104960   ----a-w-   c:\windows\system32\netiohlp.dll
2009-08-14 16:29 . 2009-09-15 10:25   17920   ----a-w-   c:\windows\system32\netevent.dll
2009-08-14 14:16 . 2009-09-15 10:25   9728   ----a-w-   c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:16 . 2009-09-15 10:25   17920   ----a-w-   c:\windows\system32\ROUTE.EXE
2009-08-14 14:16 . 2009-09-15 10:25   11264   ----a-w-   c:\windows\system32\MRINFO.EXE
2009-08-14 14:16 . 2009-09-15 10:25   27136   ----a-w-   c:\windows\system32\NETSTAT.EXE
2009-08-14 14:16 . 2009-09-15 10:25   19968   ----a-w-   c:\windows\system32\ARP.EXE
2009-08-14 14:16 . 2009-09-15 10:25   8704   ----a-w-   c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:16 . 2009-09-15 10:25   10240   ----a-w-   c:\windows\system32\finger.exe
2009-07-18 16:06 . 2009-09-15 10:22   827904   ----a-w-   c:\windows\system32\wininet.dll
2009-07-18 16:01 . 2009-09-15 10:22   78336   ----a-w-   c:\windows\system32\ieencode.dll
2009-07-18 09:46 . 2009-09-15 10:22   26624   ----a-w-   c:\windows\system32\ieUnatt.exe
2009-07-14 13:00 . 2009-09-15 10:21   313344   ----a-w-   c:\windows\system32\wmpdxm.dll
2009-07-14 12:59 . 2009-09-15 10:21   4096   ----a-w-   c:\windows\system32\dxmasf.dll
2009-07-14 12:58 . 2009-09-15 10:21   7680   ----a-w-   c:\windows\system32\spwmp.dll
2009-07-14 10:59 . 2009-09-15 10:21   8147456   ----a-w-   c:\windows\system32\wmploc.DLL
2009-07-11 19:32 . 2009-09-15 10:21   302592   ----a-w-   c:\windows\system32\wlansec.dll
2009-07-11 19:32 . 2009-09-15 10:21   293376   ----a-w-   c:\windows\system32\wlanmsm.dll
2009-07-11 19:32 . 2009-09-15 10:21   513024   ----a-w-   c:\windows\system32\wlansvc.dll
2009-07-11 19:29 . 2009-09-15 10:21   127488   ----a-w-   c:\windows\system32\L2SecHC.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not SHOWN
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4}]
2009-06-17 16:25   159728   ----a-w-   c:\programdata\Partner\partner.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NSUFloatingUI"="c:\program files\Sony\Network Utility\LANUtil.exe" [2008-12-22 274432]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-17 39408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-03 3882312]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2009-05-28 380416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-01-06 6703648]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2009-04-13 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-12-03 35184]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2008-12-18 317288]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-11 61440]
"MarketingTools"="c:\program files\Sony\Marketing Tools\MarketingTools.exe" [2009-06-17 26624]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-08 305440]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-18 149280]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-04-28 2374464]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall\feedback.exe" [2009-04-28 428032]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-3-2 789032]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2009-01-19 19:49   98304   ----a-w-   c:\windows\System32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Agnitum\OUTPOS~1\wl_hook.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{129514D1-4AC8-4E1F-BDFD-B21A5F0F9BEA}"= UDP:c:\program files\Microsoft OFFICE\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{A1F59285-8068-48B7-AE07-A8E62975667B}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{ABB61563-A40C-4DD4-B816-166008DA01C3}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{06B6A460-D768-415D-B42B-3EB47FF36165}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{D23146E0-9C53-41F9-8BF3-060E45152425}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{F04AB291-7465-4283-9A83-8CDA902852BF}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{B27D64D9-5B16-445D-BF86-FB9011C7A75B}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{2FA59455-1B7B-4BE2-A7FB-20C7878FC43B}c:\\program files\\vuze\\azureus.exe"= UDP:c:\program files\vuze\azureus.exe:Azureus
"UDP Query User{ACEEC3FD-2288-4FC5-939F-CE82CD3CB122}c:\\program files\\vuze\\azureus.exe"= TCP:c:\program files\vuze\azureus.exe:Azureus

R1 afw;Agnitum Firewall Driver;c:\windows\System32\drivers\afw.sys [19/09/2009 01:25 29208]
R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [15/09/2009 14:04 114768]
R1 SandBox;SandBox;c:\windows\System32\drivers\SandBox.sys [19/09/2009 01:28 704384]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [04/09/2009 14:50 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [04/09/2009 14:49 74480]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [19/09/2009 01:25 1195008]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [15/09/2009 14:04 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [15/09/2009 14:03 53328]
R2 NSUService;NSUService;c:\program files\Sony\Network Utility\NSUService.exe [17/06/2009 17:59 303104]
R2 regi;regi;c:\windows\System32\drivers\regi.sys [18/04/2007 04:09 11032]
R2 RtkAudioService;Realtek Audio Service;c:\program files\Realtek\Audio\HDA\RtkAudioService.exe [15/05/2009 19:34 109088]
R2 uCamMonitor;CamMonitor;c:\program files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [17/06/2009 17:26 104960]
R2 VAIO Power Management;VAIO Power Management;c:\program files\Sony\VAIO Power Management\SPMService.exe [15/05/2009 22:18 415592]
R2 VCFw;VAIO Content Folder Watcher;c:\program files\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [14/01/2009 21:38 5184872]
R2 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [17/06/2009 17:45 394536]
R2 yksvc;Marvell Yukon Service;c:\windows\System32\svchost.exe -k yksvcs [21/01/2008 03:23 21504]
R3 afwcore;afwcore;c:\windows\System32\drivers\afwcore.sys [19/09/2009 01:27 307224]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\System32\drivers\ArcSoftKsUFilter.sys [17/06/2009 17:26 17920]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\System32\drivers\btwl2cap.sys [15/05/2009 20:07 29736]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [29/08/2008 07:48 3664384]
R3 SbieDrv;SbieDrv;c:\program files\Sandboxie\SbieDrv.sys [28/05/2009 14:32 108032]
R3 SFEP;Sony Firmware Extension Parser;c:\windows\System32\drivers\SFEP.sys [15/05/2009 19:35 9344]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [19/09/2009 00:58 133104]
S3 Partner Service;Partner Service;c:\programdata\Partner\partner.exe [17/06/2009 17:25 111088]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [04/09/2009 14:50 7408]
S3 SOHCImp;VAIO Media plus Content Importer;c:\program files\Common Files\Sony Shared\SOHLib\SOHCImp.exe [17/06/2009 17:49 120104]
S3 SOHDBSvr;VAIO Media plus Database Manager;c:\program files\Common Files\Sony Shared\SOHLib\SOHDBSvr.exe [17/06/2009 17:49 70952]
S3 SOHDms;VAIO Media plus Digital Media Server;c:\program files\Common Files\Sony Shared\SOHLib\SOHDms.exe [17/06/2009 17:49 390440]
S3 SOHDs;VAIO Media plus Device Searcher;c:\program files\Common Files\Sony Shared\SOHLib\SOHDs.exe [17/06/2009 17:49 75048]
S3 SOHPlMgr;VAIO Media plus Playlist Manager;c:\program files\Common Files\Sony Shared\SOHLib\SOHPlMgr.exe [17/06/2009 17:49 91432]
S3 TWAP;TWAP;c:\users\Andrew\AppData\Local\Temp\TWAP.exe --> c:\users\Andrew\AppData\Local\Temp\TWAP.exe [?]
S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe [17/06/2009 17:45 83240]
S3 WPLJQNI;WPLJQNI;c:\users\Andrew\AppData\Local\Temp\WPLJQNI.exe --> c:\users\Andrew\AppData\Local\Temp\WPLJQNI.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs   REG_MULTI_SZ     BthServ
yksvcs   REG_MULTI_SZ     yksvc
.
Contents of the 'Scheduled Tasks' folder

2009-09-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-18 23:58]

2009-09-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-18 23:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SNYT&bmod=EU01
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SNYT&bmod=SNYT
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-20 15:02
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\users\Andrew\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msiserver]
"ImagePath"="%systemroot%\system32\msiexec /V"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
Denied: (A 2) (Everyone)
="FlashBroker"
"LocalizedString"="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
Denied: (A 2) (Everyone)
="IFlashBroker3"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
Denied: (A) (Users)
Denied: (A) (Everyone)
Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b4
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3240)
c:\program files\WIDCOMM\Bluetooth Software\btmmhook.dll
.
Completion time: 2009-09-20 15:06
ComboFix-quarantined-files.txt 2009-09-20 14:06

Pre-Run: 174,304,403,456 bytes free
Post-Run: 174,297,751,552 bytes free

308   --- E O F ---   2009-09-17 10:54

===================

Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:38:34, on 20/09/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18294)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\Marketing Tools\MarketingTools.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Sony\Network Utility\LANUtil.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\Apvfb.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Sony\VAIO Update 4\VAIOUpdt.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Sony\VAIO Reminder\VAIOReminder.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\Sniper.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Partner BHO Class - {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\partner.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISBMgr.exe] "C:\Program Files\Sony\ISB Utility\ISBMgr.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [MarketingTools] C:\Program Files\Sony\Marketing Tools\MarketingTools.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall\feedback.exe" /dump:os_startup
O4 - HKCU\..\Run: [NSUFloatingUI] "C:\Program Files\Sony\Network Utility\LANUtil.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NSUService - Sony Corporation - C:\Program Files\Sony\Network Utility\NSUService.exe
O23 - Service: Partner Service - Google Inc. - C:\ProgramData\Partner\partner.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Realtek Audio Service (RtkAudioService) - Realtek Semiconductor - C:\Program Files\Realtek\Audio\HDA\RtkAudioService.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: VAIO Media plus Content Importer (SOHCImp) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\SOHLib\SOHCImp.exe
O23 - Service: VAIO Media plus Database Manager (SOHDBSvr) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\SOHLib\SOHDBSvr.exe
O23 - Service: VAIO Media plus Digital Media Server (SOHDms) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\SOHLib\SOHDms.exe
O23 - Service: VAIO Media plus Device Searcher (SOHDs) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\SOHLib\SOHDs.exe
O23 - Service: VAIO Media plus Playlist Manager (SOHPlMgr) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\SOHLib\SOHPlMgr.exe
O23 - Service: TWAP - Unknown owner - C:\Users\Andrew\AppData\Local\Temp\TWAP.exe (file missing)
O23 - Service: CamMonitor (uCamMonitor) - ArcSoft, Inc. - C:\Program Files\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzHardwareResourceManager\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Power Management - Sony Corporation - C:\Program Files\Sony\VAIO Power Management\SPMService.exe
O23 - Service: VAIO Content Folder Watcher (VCFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe
O23 - Service: VAIO Content Metadata Intelligent Analyzing Manager (VcmIAlzMgr) - Sony Corporation - C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe
O23 - Service: VAIO Content Metadata XML Interface (VcmXmlIfHelper) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: WPLJQNI - Unknown owner - C:\Users\Andrew\AppData\Local\Temp\WPLJQNI.exe (file missing)

--
End of file - 10895 bytes

For the most part, your logs look clean. The only issue I see is with this Partner software from Google. Many people consider it to be spyware and they typically want to remove it. If you would like to do so, open HijackThis and place checkmarks next to the following entries:
O2 - BHO: Partner BHO Class - {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\partner.dll
O23 - Service: Partner Service - Google Inc. - C:\ProgramData\Partner\partner.exe

Close all other windows (except for HijackThis) and click on Fix Checked. That should take care of that. You can then delete the folder C:\ProgramData\Partner if you wish.

Other than that, not much is going on. Are you still having the same problems? It appears that the TDSServ infection is gone, but it can be hard to kill sometimes, so I'd like to know if things are getting any better or not.

Solve : Laptop still running slowly - rootkit??

Discussion

No Comment Found

Related InterviewSolutions

Reply to Comment