Tech Support Team

#21 - 3rd July 2009, 04:31 AM
ElChamuco (Newcomer)
Need your help again... got the fake antivirus trojan again. Looks like Anti-Malware caught a lot of stuff; here are the logs.


SUPERAntiSpyware Scan Log
SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

Generated 07/02/2009 at 00:40 AM

Application Version : 4.26.1006

Core Rules Database Version : 3966
Trace Rules Database Version: 1906

Scan type : Complete Scan
Total Scan Time : 01:19:54

Memory items scanned : 553
Memory threats detected : 0
Registry items scanned : 6205
Registry threats detected : 0
File items scanned : 95016
File threats detected : 3

Trojan.Agent/Gen
C:\Program Files\DRV

Trojan.Agent/Gen-FraudDrop
C:\DOCUMENTS AND SETTINGS\CHUCK\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\3Z3PCOIJ\FB.49[1].EXE

Trojan.Unknown Origin
C:\DOCUMENTS AND SETTINGS\CHUCK\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\OHVGYDPO\NAVCANCL[1]


Malwarebytes' Anti-Malware 1.36
Database version: 2149
Windows 5.1.2600 Service Pack 3

7/1/2009 10:56:25 PM
mbam-log-2009-07-01 (22-56-25).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 175056
Time elapsed: 51 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8567edfa-408c-43e9-b929-4c25c04f5003} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8567edfa-408c-43e9-b929-4c25c04f5003} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8567edfa-408c-43e9-b929-4c25c04f5003} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lowriskfiletypes (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\freddy49.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\sysguard.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\ld11.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:35 PM, on 7/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SUPERAntiSpyware\146e619a-a9a7-40ab-ae13-57b9e5762ac7.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL\AOL Search Enhancement\AOLSearch.dll
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.62 antispy.microsoft.com
O1 - Hosts: 209.44.111.62 antiaware-pro.com
O1 - Hosts: 209.44.111.62 Antivirus System PRO Powerfull PC Protection
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [SonyPowerCfg] "C:\Program Files\Sony\VAIO Power Management\SPMgr.exe"
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase5483.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1239237559578
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: M-Audio CMIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

--
End of file - 10745 bytes
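A triage pass over the HijackThis O1 (hosts) and O4 (Run) lines in the log above, as an added example; it is not code from the post or from any of the tools named in it. It parses hosts-file overrides and Run entries and flags the two patterns the Malwarebytes detections point at: security or vendor domains redirected to a non-loopback address (here antispy.microsoft.com to 209.44.111.62), and autoruns whose executable sits directly in the Windows folder or in a temp/cache folder (freddy49.exe, sysguard.exe and ld11.exe were all in C:\WINDOWS). The sample lines are constructed from the logs; the sysldtray line is reconstructed from the Malwarebytes entries (Run\sysldtray and c:\WINDOWS\ld11.exe, both tagged Backdoor.Bot) because HijackThis was run after that cleanup. The vendor-domain list and the argument-stripping heuristic are assumptions.

```python
"""Triage of HijackThis O1 (hosts) and O4 (Run) entries.

Added example, not code from the forum post or from HijackThis. The sample
below is constructed from the logs in the post; the sysldtray line is
reconstructed from the Malwarebytes detections.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis format (raw string: single backslashes).
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.62 antispy.microsoft.com
O1 - Hosts: 209.44.111.62 antiaware-pro.com
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [sysldtray] C:\WINDOWS\ld11.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
"""

# Assumption: domains a rogue AV sinkholes so the victim cannot reach real help.
SENSITIVE_SUFFIXES = ("microsoft.com", "symantec.com", "avira.com",
                      "malwarebytes.org", "superantispyware.com")

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\]\s*(.*)$")


@dataclass(frozen=True)
class Finding:
    kind: str     # "hosts" or "autorun"
    subject: str  # hostname or Run value name
    detail: str


def _is_loopback(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def _exe_path(command: str) -> str:
    """Executable path from an O4 command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # HijackThis prints unquoted paths containing spaces, so only cut at an
    # argument that starts with '/' or '-' (heuristic, an assumption).
    return re.split(r"\s+[/-]", command, maxsplit=1)[0]


def check_hosts(ip: str, host: str) -> Optional[Finding]:
    """Any non-loopback override is odd on a home PC; vendor domains are worse."""
    if host.lower() == "localhost" or _is_loopback(ip):
        return None
    h = host.lower()
    if any(h == s or h.endswith("." + s) for s in SENSITIVE_SUFFIXES):
        return Finding("hosts", host, f"security/vendor domain redirected to {ip}")
    return Finding("hosts", host, f"non-loopback hosts override to {ip}")


def check_autorun(name: str, command: str) -> Optional[Finding]:
    """Flag Run values whose binary lives where droppers put files."""
    path = _exe_path(command)
    low = path.lower()
    if "\\" not in low:
        return Finding("autorun", name,
                       f"bare filename {path!r} is resolved via the search path: verify")
    directory = low.rsplit("\\", 1)[0]
    if directory in ("c:\\windows", "c:\\winnt"):
        return Finding("autorun", name, f"executable directly in the Windows root: {path}")
    if "\\temporary internet files\\" in low or "\\temp\\" in low:
        return Finding("autorun", name, f"executable in a temp/cache folder: {path}")
    return None


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = O1_RE.match(line)
        if m:
            f = check_hosts(m.group(1), m.group(2))
        else:
            m = O4_RE.match(line)
            f = check_autorun(m.group(1), m.group(2)) if m else None
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.subject}: {f.detail}")
```

The third O1 line in the log above cannot be checked this way: the forum software replaced its hostname with a page title, so on the machine read the real file at %SystemRoot%\system32\drivers\etc\hosts. The SkyTel hit is the deliberate caveat: a bare filename in a Run value is resolved through the search path, so it is reported for verification, not as malicious.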
#22 - 3rd July 2009, 04:54 PM
evilfantasy (Security Team, Tulsa, OK)
Download DDS from |HERE| or |HERE| or |HERE| and save it to your desktop.

Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

* XP users Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.

1) DDS.txt
2) Attach.txt

* Save both logs to your desktop.
* Please copy and paste the entire contents of both logs in your next reply.

Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copy and pasting it into the reply.

----------

Download Rooter.exe to your desktop

* Double click Rooter.exe to start the tool.
* A DOS window will appear and show the scan progress.
* Once complete a notepad file containing the report will open.
* Copy & paste the results in your next reply.
* Close notepad and Rooter will close.

A log will also save at %systemdrive%\Rooter.txt (Where %systemdrive% is usually C: or the drive that you have Windows installed).

#23 - 4th July 2009, 06:51 AM
ElChamuco (Newcomer)
thanks again!


DDS (Ver_09-06-26.01) - NTFSx86
Run by CHUCK at 23:43:45.17 on Fri 07/03/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.537 [GMT -7:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
svchost
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\CHUCK\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sony.com/vaiopeople
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aol\aol search enhancement\AOLSearch.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
mRun: [SonyPowerCfg] "c:\program files\sony\vaio power management\SPMgr.exe"
mRun: [Switcher.exe] c:\program files\sony\wireless switch setting utility\Switcher.exe
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [EPSON Stylus Photo R300 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
uPolicies-explorer: NoSMMyDocs = 1 (0x1)
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
uPolicies-system: EnableProfileQuota = 1 (0x1)
dPolicies-explorer: NoSMMyDocs = 1 (0x1)
dPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} - hxxp://esupport.sony.com/VaioInfo.CAB
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1239237559578
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: VESWinlogon - VESWinlogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chuck\applic~1\mozilla\firefox\profiles\8ehdyjug.default\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-5-10 28544]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-21 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-14 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-14 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-21 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-21 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-15 55640]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-9-14 1245064]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-8-10 226304]
S1 drvdrv;drvdrv;\??\c:\program files\drv\drv.sys --> c:\program files\drv\drv.sys [?]
S2 drv;drv;c:\windows\system32\svchost.exe -k drv [2006-8-10 14336]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-14 7408]

=============== Created Last 30 ================

2009-07-01 22:14 1 ----h--- c:\windows\bf23567.dat
2009-07-01 21:14 2 a------- c:\windows\010112010146118114.dat
2009-06-09 19:23 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-09 19:23 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll

==================== Find3M ====================

2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-12 22:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-17 05:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 07:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-01-23 22:36 47,360 a------- c:\docume~1\chuck\applic~1\pcouffin.sys
2008-12-27 04:52 229,376 a------- c:\documents and settings\chuck\cwshredder.dll
2008-09-03 22:57 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090320080904\index.dat

============= FINISH: 23:44:32.96 ===============




UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-06-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 1/19/2007 9:36:37 PM
System Uptime: 7/3/2009 11:29:24 PM (0 hours ago)

Motherboard: Sony Corporation | | VAIO
Processor: Intel(R) Core(TM)2 CPU T5500 @ 1.66GHz | N/A | 1312/167mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 105 GiB total, 9.207 GiB free.
D: is Removable
F: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E96A-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) 82801G (ICH7 Family) Ultra ATA Storage Controllers - 27DF
Device ID: PCI\VEN_8086&DEV_27DF&SUBSYS_820F104D&REV_02\3&B1BFB68&0&F9
Manufacturer: Intel
Name: Intel(R) 82801G (ICH7 Family) Ultra ATA Storage Controllers - 27DF
PNP Device ID: PCI\VEN_8086&DEV_27DF&SUBSYS_820F104D&REV_02\3&B1BFB68&0&F9
Service: pciide

==== System Restore Points ===================

RP1: 5/22/2009 1:13:57 PM - System Checkpoint
RP2: 5/22/2009 6:17:02 PM - Installed Java(TM) 6 Update 13
RP3: 5/22/2009 6:55:05 PM - Installed QuickTime
RP4: 5/22/2009 7:00:26 PM - Software Distribution Service 3.0
RP5: 5/22/2009 7:06:23 PM - Software Distribution Service 3.0
RP6: 5/22/2009 7:35:38 PM - Software Distribution Service 3.0
RP7: 5/23/2009 10:28:32 PM - System Checkpoint
RP8: 5/26/2009 6:25:24 PM - System Checkpoint
RP9: 5/27/2009 9:05:11 PM - System Checkpoint
RP10: 5/31/2009 9:24:41 PM - System Checkpoint
RP11: 6/2/2009 7:47:53 PM - System Checkpoint
RP12: 6/3/2009 9:38:09 PM - System Checkpoint
RP13: 6/6/2009 12:56:01 AM - System Checkpoint
RP14: 6/8/2009 1:42:29 AM - System Checkpoint
RP15: 6/9/2009 7:28:01 PM - Software Distribution Service 3.0
RP16: 6/9/2009 7:41:58 PM - Installed Java(TM) 6 Update 14
RP17: 6/15/2009 2:43:43 AM - System Checkpoint
RP18: 6/16/2009 5:21:10 PM - System Checkpoint
RP19: 6/17/2009 10:51:45 PM - System Checkpoint
RP20: 6/19/2009 7:18:43 PM - System Checkpoint
RP21: 6/21/2009 11:47:42 PM - System Checkpoint
RP22: 6/24/2009 3:06:47 AM - System Checkpoint
RP23: 6/25/2009 10:37:15 PM - System Checkpoint
RP24: 6/29/2009 10:09:54 PM - System Checkpoint
RP25: 7/1/2009 1:46:56 PM - System Checkpoint
RP26: 7/2/2009 8:55:51 PM - System Checkpoint

==== Installed Programs ======================


Adobe Flash Player 10 Plugin
Adobe Photoshop CS
Adobe Reader 7.0.5 Language Support
Adobe Reader 7.0.9
Ahead Nero Burning ROM
Apple Mobile Device Support
Apple Software Update
AutoUpdate
Avira AntiVir Personal - Free Antivirus
CCleaner (remove only)
Click to DVD 2.0.03 Menu Data
Click to DVD 2.5.30
Click to DVD Tutorial
Cool Edit Pro 2.0
Critical Update for Windows Media Player 11 (KB959772)
DISCover
DivX Codec
DivX Converter
DivX Web Player
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5.1.0.0
DVgate Plus
Enigma
EPSON Printer Software
EZdrummer
FL Studio 5
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 10 (KB910393)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Image Converter 2 Plus
ImageStation
Intel(R) Graphics Media Accelerator Driver
Intel(R) PROSet/Wireless Software
InterVideo WinDVD for VAIO
ISScript
iTunes
Java(TM) 6 Update 14
Java(TM) 6 Update 7
JEOPARDY! (remove only)
LAN Setting Utility
Live 5.0.1
Logitech Harmony Remote Software 7
MA_CMIDI
Macromedia Flash Player 8
Macromedia Flash Player 8 Plugin
Malwarebytes' Anti-Malware
mCore
mDriver
Memory Stick Formatter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Digital Image Library 9 - Blocker
Microsoft Digital Image Starter Edition 2006
Microsoft Digital Image Starter Edition 2006 Editor
Microsoft Digital Image Starter Edition 2006 Library
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Works
mMHouse
MoviePod
Mozilla Firefox (3.0.11)
mPfMgr
mProSafe
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
mWlsSafe
mXML
Napster
Napster Burn Engine
Office 2003 Trial Assistant
OpenMG AAC Add-on Module 1.0.00
OpenMG Limited Patch 4.5-06-05-12-01
OpenMG Metadata Extractor for Windows Media Player
OpenMG Secure Module 4.5.01
OpenOffice.org Installer 1.0
Panda ActiveScan 2.0
PS3 Theme Creator
PS3 Video 9 2.25
PSP Video 9 2.25
Quicken 2006
QuickTime
Realtek High Definition Audio Driver
Reason 3.0.4
Remote Control USB Driver
Roxio DigitalMedia Audio
Roxio DigitalMedia Copy
Roxio DigitalMedia Data
Search Enhancement by AOL Search
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Setting Utility Series
Soft Data Fax Modem with SmartCP
Sonic Encoders
Sonic Foundry ACID 4.0
SonicStage 4.0
Sony Certificate PCH
Sony MP4 Shared Library
Sony Utilities DLL
Sony Video Shared Library
SpywareBlaster 4.2
SUPERAntiSpyware Free Edition
Symantec KB-DocID:2003093015493306
The Da Vinci Code (remove only)
Update for Windows Internet Explorer 8 (KB969497)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
VAIO Backup Utility
VAIO Breeze Wallpaper
VAIO Central
VAIO Entertainment Platform
VAIO Event Service
VAIO Hardware Diagnostics
VAIO Light Flo Wallpaper
VAIO Media 5.0
VAIO Media AC3 Decoder 1.0
VAIO Media Integrated Server 5.0
VAIO Media Redistribution 5.0
VAIO Media Registration Tool 5.0
VAIO Media Tutorial
VAIO Original Screen Saver
VAIO Original Screen Saver VAIO Cozy Screen SD Wide Contents
VAIO Power Management
VAIO Registration
VAIO Security Center
VAIO Support Central
VAIO Update 2
VAIO Wireless LAN Setup Utility
VAIOSurveySA
WD Diagnostics
WebFldrs XP
Wheel of Fortune (remove only)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix [See KB886612 for more information]
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
WinRAR archiver
Wireless Switch Setting Utility

==== Event Viewer Messages From Past Week ========

7/1/2009 9:15:01 PM, error: Service Control Manager [7023] - The drv service terminated with the following error: The specified module could not be found.
7/1/2009 9:15:01 PM, error: Service Control Manager [7000] - The drvdrv service failed to start due to the following error: The system cannot find the file specified.
7/1/2009 11:10:33 PM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
6/28/2009 10:52:15 PM, error: ACPIEC [1] - \Device\ACPIEC: The embedded controller (EC) hardware didn't respond within the timeout period. This may indicate an error in the EC hardware or firmware, or possibly a poorly designed BIOS which accesses the EC in an unsafe manner. The EC driver will retry the failed transaction if possible.

==== End Of File ===========================



Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP . (5.1.2600) Service Pack 3
[32_bits] - x86 Family 6 Model 15 Stepping 6, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Disabled !
.
Internet Explorer 8.0.6001.18702
Mozilla Firefox 3.0.11 (en-US)
.
C:\ [Fixed-NTFS] .. ( Total:104 Go - Free:9 Go )
D:\ [Removable]
F:\ [Removable]
.
Scan : 23:47.23
Path : C:\Documents and Settings\CHUCK\Desktop\Rooter.exe
User : CHUCK ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (800)
______ \??\C:\WINDOWS\system32\csrss.exe (872)
______ \??\C:\WINDOWS\system32\winlogon.exe (900)
______ C:\WINDOWS\system32\services.exe (944)
______ C:\WINDOWS\system32\lsass.exe (956)
______ C:\WINDOWS\system32\svchost.exe (1144)
______ C:\WINDOWS\system32\svchost.exe (1220)
______ C:\WINDOWS\System32\svchost.exe (1260)
______ C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (1312)
______ C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (1452)
______ C:\WINDOWS\system32\svchost.exe (1576)
______ C:\WINDOWS\system32\svchost.exe (1628)
______ C:\WINDOWS\system32\spoolsv.exe (1812)
______ C:\Program Files\Avira\AntiVir Desktop\sched.exe (1888)
______ C:\WINDOWS\system32\svchost.exe (1928)
______ C:\Program Files\Avira\AntiVir Desktop\avguard.exe (188)
______ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (200)
______ C:\WINDOWS\eHome\ehRecvr.exe (260)
______ C:\WINDOWS\eHome\ehSched.exe (312)
______ C:\WINDOWS\System32\svchost.exe (400)
______ C:\Program Files\Java\jre6\bin\jqs.exe (480)
______ C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe (532)
______ C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (632)
______ C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe (784)
______ C:\WINDOWS\system32\svchost.exe (1088)
______ C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (1364)
______ C:\Program Files\Sony\VAIO Event Service\VESMgr.exe (1512)
______ C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe (1572)
______ C:\WINDOWS\ehome\mcrdsvc.exe (1748)
______ C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe (620)
______ C:\WINDOWS\system32\igfxext.exe (712)
______ C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe (764)
______ C:\WINDOWS\system32\igfxsrvc.exe (1160)
______ C:\Program Files\Windows Media Player\WMPNetwk.exe (696)
______ C:\WINDOWS\System32\alg.exe (2592)
______ C:\WINDOWS\Explorer.EXE (3816)
______ C:\WINDOWS\system32\hkcmd.exe (3964)
______ C:\WINDOWS\system32\igfxpers.exe (3976)
______ C:\Program Files\Apoint\Apoint.exe (4080)
______ C:\WINDOWS\ehome\ehtray.exe (184)
______ C:\Program Files\Sony\ISB Utility\ISBMgr.exe (2168)
______ C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe (2264)
______ C:\Program Files\Sony\VAIO Power Management\SPMgr.exe (2384)
______ C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe (2436)
______ C:\Program Files\iTunes\iTunesHelper.exe (2500)
______ C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE (2564)
______ C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (2700)
______ C:\WINDOWS\eHome\ehmsas.exe (2800)
______ C:\Program Files\Java\jre6\bin\jusched.exe (2808)
______ C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe (2948)
______ C:\Program Files\Apoint\Apntex.exe (3000)
______ C:\Program Files\Windows Media Player\WMPNSCFG.exe (3008)
______ C:\Program Files\iPod\bin\iPodService.exe (3452)
______ C:\WINDOWS\system32\svchost.exe (2540)
______ C:\Program Files\Mozilla Firefox\firefox.exe (3064)
______ C:\Documents and Settings\CHUCK\Desktop\Rooter.exe (3800)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 (Start_Offset:32256 | Length:7517873664)
\Device\Harddisk0\Partition2 --[ MBR ]-- (Start_Offset:7517905920 | Length:112513605120)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 23:47.45
.
C:\Rooter$\Rooter_1.txt - (03/07/2009 | 23:47.45)
#24
Old 4th July 2009, 04:17 PM
evilfantasy
Security Team
Join Date: Dec 2007, 2,553 posts.
Location: Tulsa, OK
Download and run the new version of JavaRa.

Download JavaRa
* Unzip the file and open the JavaRa.exe
* Click Remove Older Versions
* JavaRa will search for and remove any outdated version of Java and remove any that are found.
* Click Additional Tasks
* Place a check next to Remove Useless JRE Files and click Go
* Exit JavaRa
* Delete the JavaRa files from the Desktop

----------

Download the Norton Removal Tool (SymNRT) to your desktop.

Once downloaded please close ALL open browsers, also save any work because this may require a restart.
  • Go to your desktop and double click on the 'Norton_Removal_Tool' and then click Setup.
  • Once open Click Next
  • Accept the license agreement and click Next
  • Type in the letters/numbers that you see into the text box then click Next.
  • Then click Next and the tool will start running.
  • Once finished restart the PC.
  • Delete the 'Norton_Removal_Tool' from your desktop.


----------

Download HostsXpert
  • Unzip HostsXpert to your Desktop
  • Open up the HostsXpert program.
  • Make sure that the "Make Hosts Writable?" button in the upper right corner is enabled.
  • Click Create Back Up
  • Then click on Restore Microsoft's Host Files
  • Close the HostsXpert program.


Note: if you use SpywareBlaster, Spybot and/or IE-SPYAD, it will be necessary to re-install the protection they afford. For SpywareBlaster, run the program and select Enable all protection. For Spybot run the program and select Immunize. For IE-SPYAD, run the batch file and reinstall the protection.

----------

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
Vista users: right-click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt; please allow it).
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix.
#25
Old 4th July 2009, 11:15 PM
ElChamuco
Newcomer
Join Date: May 2009, 21 posts.
ComboFix 09-07-04.04 - CHUCK 07/04/2009 15:53.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.616 [GMT -7:00]
Running from: c:\documents and settings\CHUCK\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-2134493953
c:\windows\010112010146118114.dat
c:\windows\Installer\13d491.msi
c:\windows\Installer\63fc0.msi
c:\windows\Installer\6bdfd.msi
c:\windows\Installer\c244b.msi
c:\windows\Installer\e6727.msi
c:\windows\Installer\WinRMSrv.msi
c:\windows\kb913800.exe

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DRV
-------\Service_drv


((((((((((((((((((((((((( Files Created from 2009-06-04 to 2009-07-04 )))))))))))))))))))))))))))))))
.

2009-07-04 22:57 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-04 22:57 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-04 22:31 . 2009-07-04 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-07-04 06:47 . 2009-07-04 06:47 -------- d-----w- C:\Rooter$
2009-07-02 05:14 . 2009-07-02 05:14 1 ---h--w- c:\windows\bf23567.dat
2009-06-10 02:41 . 2009-06-10 02:41 152576 ----a-w- c:\documents and settings\CHUCK\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-10 02:23 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 02:23 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-06 08:11 . 2009-06-06 08:11 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-04 22:45 . 2009-03-19 01:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-04 22:34 . 2006-09-14 20:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-04 22:34 . 2006-09-14 20:20 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-03 03:37 . 2009-05-18 22:36 117760 ----a-w- c:\documents and settings\CHUCK\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-03 03:37 . 2009-05-18 22:36 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-16 23:49 . 2007-07-20 06:12 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-06-10 02:42 . 2006-08-10 09:13 -------- d-----w- c:\program files\Java
2009-05-23 02:58 . 2006-09-14 20:29 43464 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-23 02:21 . 2009-05-23 02:21 -------- d-----w- c:\program files\MSBuild
2009-05-23 02:21 . 2009-05-23 02:21 -------- d-----w- c:\program files\Reference Assemblies
2009-05-23 01:56 . 2009-05-23 01:55 -------- d-----w- c:\program files\QuickTime
2009-05-23 01:54 . 2009-05-23 01:54 -------- d-----w- c:\program files\Apple Software Update
2009-05-23 01:50 . 2007-01-20 08:46 -------- d-----w- c:\documents and settings\CHUCK\Application Data\AdobeUM
2009-05-23 01:16 . 2009-05-23 01:16 152576 ----a-w- c:\documents and settings\CHUCK\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-21 20:31 . 2009-05-11 02:10 -------- d-----w- c:\program files\SpywareBlaster
2009-05-21 18:33 . 2008-12-08 07:16 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-21 07:17 . 2009-05-21 07:17 -------- d-----w- c:\program files\Avira
2009-05-21 07:17 . 2009-05-21 07:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-05-19 03:09 . 2006-09-14 20:19 -------- d-----w- c:\program files\Trend Micro
2009-05-18 22:36 . 2009-05-18 22:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-18 22:36 . 2009-05-18 22:36 -------- d-----w- c:\documents and settings\CHUCK\Application Data\SUPERAntiSpyware.com
2009-05-18 22:34 . 2009-05-18 22:34 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-18 21:22 . 2009-05-18 21:22 -------- d-----w- c:\program files\CCleaner
2009-05-13 05:15 . 2006-08-10 07:32 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-11 05:18 . 2009-05-11 05:18 -------- d-----w- c:\program files\Panda Security
2009-05-11 02:38 . 2009-04-09 00:50 -------- d-----w- c:\program files\Windows Live Safety Center
2009-05-11 02:13 . 2009-03-31 23:32 -------- d-----w- c:\program files\Trojan Guarder Gold Version
2009-05-10 23:39 . 2009-05-10 23:39 -------- d-----w- c:\documents and settings\CHUCK\Application Data\Malwarebytes
2009-05-10 23:39 . 2009-05-10 23:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-10 23:39 . 2009-05-10 23:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-10 10:17 . 2006-08-10 07:32 -------- d-----w- c:\program files\Common Files\Mozilla Shared
2009-05-07 15:32 . 2006-08-10 07:32 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2006-08-10 07:32 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2006-08-10 07:32 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-06 22:32 . 2009-05-10 23:39 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 22:32 . 2009-05-10 23:39 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-05-08 81920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-04-05 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-04-05 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-04-05 118784]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-18 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-25 53248]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-12 151552]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2006-08-27 217088]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2006-02-14 176128]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2003-07-13 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-17 2879488]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-1-21 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-06-20 23:11 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=ma_cmidn.dll
"midi2"=ma_cmidn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh
"8085:TCP"= 8085:TCP:drv

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [5/10/2009 10:19 PM 28544]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 2:22 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 2:22 PM 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/21/2009 12:17 AM 108289]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [8/10/2006 12:33 AM 226304]
S1 drvdrv;drvdrv;\??\c:\program files\drv\drv.sys --> c:\program files\drv\drv.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
drv REG_MULTI_SZ drv

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sony.com/vaiopeople
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\CHUCK\Application Data\Mozilla\Firefox\Profiles\8ehdyjug.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-07-04 15:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]
"ImagePath"="-"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'explorer.exe'(2832)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\windows\system32\igfxext.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-07-04 16:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-04 23:05
ComboFix2.txt 2009-05-21 03:18

Pre-Run: 14,039,044,096 bytes free
Post-Run: 14,239,248,384 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

233 --- E O F --- 2009-06-10 02:31
#26
Old 5th July 2009, 05:12 AM
evilfantasy
Security Team
Join Date: Dec 2007, 2,553 posts.
Location: Tulsa, OK
Well this is a sticky bugger!

Download The Avenger by Swandog46 and save it to your desktop.

* Extract avenger.exe from the Zip file and save it to your Desktop
* Run avenger.exe by double-clicking on it.
* Do not change any check box options!!
* Copy everything in the Code box below, and paste it into the Input script here window:

Code:
Comment:

Drivers to delete:
drvdrv

Registry values to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost | drv
* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.

* Add the Avenger log in your next post.

----------

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

Driver::
pavboot
drvdrv

Folder::
c:\program files\drv
 
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
 
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"=-
"5000:UDP"=-
"8085:TCP"=-
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
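The entries the Avenger script and CFScript above remove (the drvdrv driver with no file behind it, the drv svchost group, the three globally open firewall ports and the Security Center monitoring overrides) are the same ones that stand out when the ComboFix log in post #25 is read mechanically. As an added example that is not part of this thread and not code from ComboFix, Avenger or any other tool mentioned here, the Python below parses an excerpt constructed from the lines ElChamuco posted and flags those indicators, then reports names that recur across indicator types. The KNOWN_SVCHOST_GROUPS set is an assumption for the example and is not exhaustive; pavboot, which the CFScript also removes, is not flagged because its image file is present, so the heuristics here cover only what the log itself exposes.

```python
"""Triage of a ComboFix-style log excerpt for the indicators targeted above.

Added example for this thread; it is not ComboFix, Avenger or any other
tool's code.  SAMPLE_LOG is constructed from lines ElChamuco posted, and
KNOWN_SVCHOST_GROUPS is an assumption for the example (not exhaustive)."""

import re

# Constructed excerpt: the Security Center, firewall, driver and svchost lines
# from the ComboFix log in post #25, with forum wrapping artifacts removed.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh
"8085:TCP"= 8085:TCP:drv

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [5/10/2009 10:19 PM 28544]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/21/2009 12:17 AM 108289]
S1 drvdrv;drvdrv;\??\c:\program files\drv\drv.sys --> c:\program files\drv\drv.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
drv REG_MULTI_SZ drv
"""

# svchost service groups found on a stock Windows XP install (assumed for
# this example, not exhaustive): a group outside this set deserves a look.
KNOWN_SVCHOST_GROUPS = {
    "DcomLaunch", "rpcss", "netsvcs", "NetworkService", "LocalService",
    "imgsvc", "termsvcs", "HTTPFilter",
}

SECTION_RE = re.compile(r"^\[(.+)\]$")
# ComboFix driver/service line: start type, service name, display name, image path
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
# GloballyOpenPorts value: "port:proto"= port:proto:label
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')


def triage(log_text):
    """Return (category, name, detail) findings for the excerpt."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, _display, image = m.groups()
            # ComboFix prints "[?]" when it cannot find the image file:
            # a service registered for a file that is not there.
            if image.rstrip().endswith("[?]"):
                findings.append(("missing-driver-image", name, start))
            continue
        key = section.lower()
        if "security center\\monitoring" in key and line.startswith('"DisableMonitoring"=dword:00000001'):
            # Security Center told not to report on this product's status.
            findings.append(("security-center-monitoring-disabled", section.rsplit("\\", 1)[-1], None))
        elif "globallyopenports" in key:
            m = PORT_RE.match(line)
            if m:
                port, proto, label = m.groups()
                findings.append(("open-port", f"{port}/{proto}", label.strip()))
        elif key.endswith("\\currentversion\\svchost"):
            parts = line.split()
            if len(parts) >= 3 and parts[1] == "REG_MULTI_SZ" and parts[0] not in KNOWN_SVCHOST_GROUPS:
                # A new svchost group lets a service run inside a trusted host process.
                findings.append(("unknown-svchost-group", parts[0], " ".join(parts[2:])))
    return findings


def correlate(findings):
    """Map each name or label that appears in more than one finding category
    to those categories; a label shared across categories (here the port
    label that is also an svchost group) is the strongest signal in the log."""
    seen = {}
    for category, name, detail in findings:
        for token in (name, detail):
            if token:
                seen.setdefault(token.lower(), set()).add(category)
    return {token: cats for token, cats in seen.items() if len(cats) > 1}


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for category, name, detail in hits:
        print(f"{category:40} {name:20} {detail or ''}")
    print("recurring:", correlate(hits))
```

Run stand-alone it lists the seven findings from the excerpt and reports "drv" as the one label that ties an open port to an svchost group; pointing it at a full log is a matter of passing the file contents to triage().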
#27
Old 5th July 2009, 05:58 AM
ElChamuco
Newcomer
Join Date: May 2009, 21 posts.
Logfile of The Avenger Version 2.0, (c) by Swandog46
Swandog46's Public Anti-Malware Tools

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "drvdrv" deleted successfully.
Registry value "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost|drv" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



ComboFix 09-07-04.04 - CHUCK 07/04/2009 22:42.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.618 [GMT -7:00]
Running from: c:\documents and settings\CHUCK\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\CHUCK\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PAVBOOT
-------\Service_pavboot


((((((((((((((((((((((((( Files Created from 2009-06-05 to 2009-07-05 )))))))))))))))))))))))))))))))
.

2009-07-04 22:57 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-04 22:57 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-04 22:31 . 2009-07-04 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-07-04 06:47 . 2009-07-04 06:47 -------- d-----w- C:\Rooter$
2009-07-02 05:14 . 2009-07-02 05:14 1 ---h--w- c:\windows\bf23567.dat
2009-06-10 02:41 . 2009-06-10 02:41 152576 ----a-w- c:\documents and settings\CHUCK\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-10 02:23 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 02:23 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-06 08:11 . 2009-06-06 08:11 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-04 22:45 . 2009-03-19 01:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-04 22:34 . 2006-09-14 20:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-04 22:34 . 2006-09-14 20:20 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-03 03:37 . 2009-05-18 22:36 117760 ----a-w- c:\documents and settings\CHUCK\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-03 03:37 . 2009-05-18 22:36 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-16 23:49 . 2007-07-20 06:12 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-06-10 02:42 . 2006-08-10 09:13 -------- d-----w- c:\program files\Java
2009-05-23 02:58 . 2006-09-14 20:29 43464 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-23 02:21 . 2009-05-23 02:21 -------- d-----w- c:\program files\MSBuild
2009-05-23 02:21 . 2009-05-23 02:21 -------- d-----w- c:\program files\Reference Assemblies
2009-05-23 01:56 . 2009-05-23 01:55 -------- d-----w- c:\program files\QuickTime
2009-05-23 01:54 . 2009-05-23 01:54 -------- d-----w- c:\program files\Apple Software Update
2009-05-23 01:50 . 2007-01-20 08:46 -------- d-----w- c:\documents and settings\CHUCK\Application Data\AdobeUM
2009-05-23 01:16 . 2009-05-23 01:16 152576 ----a-w- c:\documents and settings\CHUCK\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-21 20:31 . 2009-05-11 02:10 -------- d-----w- c:\program files\SpywareBlaster
2009-05-21 18:33 . 2008-12-08 07:16 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-21 07:17 . 2009-05-21 07:17 -------- d-----w- c:\program files\Avira
2009-05-21 07:17 . 2009-05-21 07:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-05-19 03:09 . 2006-09-14 20:19 -------- d-----w- c:\program files\Trend Micro
2009-05-18 22:36 . 2009-05-18 22:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-18 22:36 . 2009-05-18 22:36 -------- d-----w- c:\documents and settings\CHUCK\Application Data\SUPERAntiSpyware.com
2009-05-18 22:34 . 2009-05-18 22:34 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-18 21:22 . 2009-05-18 21:22 -------- d-----w- c:\program files\CCleaner
2009-05-13 05:15 . 2006-08-10 07:32 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-11 05:18 . 2009-05-11 05:18 -------- d-----w- c:\program files\Panda Security
2009-05-11 02:38 . 2009-04-09 00:50 -------- d-----w- c:\program files\Windows Live Safety Center
2009-05-11 02:13 . 2009-03-31 23:32 -------- d-----w- c:\program files\Trojan Guarder Gold Version
2009-05-10 23:39 . 2009-05-10 23:39 -------- d-----w- c:\documents and settings\CHUCK\Application Data\Malwarebytes
2009-05-10 23:39 . 2009-05-10 23:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-10 23:39 . 2009-05-10 23:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-10 10:17 . 2006-08-10 07:32 -------- d-----w- c:\program files\Common Files\Mozilla Shared
2009-05-07 15:32 . 2006-08-10 07:32 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2006-08-10 07:32 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2006-08-10 07:32 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-06 22:32 . 2009-05-10 23:39 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 22:32 . 2009-05-10 23:39 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-07-04_23.01.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-05 05:49 . 2009-07-05 05:49 16384 c:\windows\temp\Perflib_Perfdata_11c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-05-08 81920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-04-05 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-04-05 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-04-05 118784]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-18 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-25 53248]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-12 151552]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2006-08-27 217088]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2006-02-14 176128]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2003-07-13 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-17 2879488]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-1-21 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-06-20 23:11 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=ma_cmidn.dll
"midi2"=ma_cmidn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh
"8085:TCP"= 8085:TCP:drv

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 2:22 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 2:22 PM 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/21/2009 12:17 AM 108289]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [8/10/2006 12:33 AM 226304]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sony.com/vaiopeople
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\CHUCK\Application Data\Mozilla\Firefox\Profiles\8ehdyjug.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-07-04 22:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]
"ImagePath"="-"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'explorer.exe'(3856)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\windows\system32\igfxext.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-07-05 22:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-05 05:55
ComboFix2.txt 2009-07-04 23:05
ComboFix3.txt 2009-05-21 03:18

Pre-Run: 14,219,898,880 bytes free
Post-Run: 14,204,682,240 bytes free

215 --- E O F --- 2009-06-10 02:31
#28
5th July 2009, 06:15 AM
evilfantasy
Security Team
Join Date: Dec 2007, 2,553 posts.
Location: Tulsa, OK
That got the one I was worried most about.

But there are a few still left.

Download OTM by OldTimer to your desktop.

Note: If you are running on Vista, right-click on OTM.exe and choose Run As Administrator.

* Save it to your Desktop.
* Double-click OTM.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code:
:Processes
explorer.exe

:reg
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"=-
"5000:UDP"=-
"8085:TCP"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

:Commands
[purity]
[emptytemp]
[start explorer]
* Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes.

----------

Before or after posting the OTM log...

Please scan your computer with Panda ActiveScan

* Once you are on the Panda site click the Scan your PC now button.
* A new window will open...click the Scan Now button.
* If it wants to install an ActiveX component allow it.
* It will start downloading the files it requires for the scan. (Note: It may take a couple of minutes)
* You may get a warning from Internet Explorer that Panda is ready to install, please allow it.
* The scan will begin. Please be patient as it can take an hour or more to complete.
* When the scan completes, if anything malicious is detected, click the Export to: button (looks like a little Notepad).
* Save the ActiveScan.txt to a convenient location like your desktop.
* Note: You do not need to select any of the Disinfect options. We will remove any threats manually.

* Post the contents of the ActiveScan report in your next reply.
__________________
.

ƃolq s’ʎsɐʇuɐɟlıʌǝ
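Added example, not from the thread and not the OTM or ComboFix authors' code: a small Python triage helper that reads the "Reg Loading Points" section of a ComboFix log like the one posted above, flags the two things the OTM script targets (ports opened to everyone in the XP firewall policy and Security Center monitoring switched off), and prints matching OTM ":reg" lines in the format the script uses. The sample log text is constructed from the lines in this thread; the function and class names are my own.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread, not part of ComboFix or OTM. It flags the
items the OTM script in the post above removes and emits matching ':reg'
lines. Names (Finding, parse_reg_section, find_findings, otm_reg_lines)
are assumptions of this example.
"""
import re
from dataclasses import dataclass

# Constructed sample: the relevant lines from the ComboFix log posted in
# this thread, in the REGEDIT4 style ComboFix prints them.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh
"8085:TCP"= 8085:TCP:drv
"""

KEY_RE = re.compile(r"^\[(.+)\]$")            # [HKLM\...\SomeKey]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # "name"= data


@dataclass
class Finding:
    key: str      # registry key path as printed in the log
    name: str     # value name under that key
    data: str     # value data as printed (may be empty)
    reason: str   # why it was flagged


def parse_reg_section(text):
    """Map each [key] to the list of (name, data) values listed under it."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current].append((m.group(1), m.group(2).strip()))
    return keys


def dword_nonzero(data):
    """True for REGEDIT4 'dword:XXXXXXXX' data whose value is not zero."""
    if not data.lower().startswith("dword:"):
        return False
    try:
        return int(data[6:], 16) != 0
    except ValueError:
        return False


def find_findings(keys):
    """Flag globally open firewall ports and disabled Security Center monitoring."""
    findings = []
    for key, values in keys.items():
        lower = key.lower()
        if lower.endswith("globallyopenports\\list"):
            # Value name is "port:proto"; data is "port:proto:label".
            for name, data in values:
                port, _, proto = name.partition(":")
                parts = data.split(":", 2)
                label = parts[2] if len(parts) == 3 else "unnamed"
                findings.append(Finding(key, name, data,
                                        f"{proto} port {port} open to all ({label})"))
        elif "security center\\monitoring" in lower:
            for name, data in values:
                if name.lower() == "disablemonitoring" and dword_nonzero(data):
                    findings.append(Finding(key, name, data,
                                            "Security Center monitoring disabled"))
    return findings


def otm_reg_lines(findings):
    """Build an OTM ':reg' block deleting each flagged value.

    Format as used in the thread: "[key]" selects a key, '"name"=-' deletes a
    value. (The thread's own script deletes the SymantecFirewall subkey whole
    with "[-key]"; deleting only the value is the narrower variant.)
    """
    lines = [":reg"]
    by_key = {}
    for f in findings:
        by_key.setdefault(f.key, []).append(f.name)
    for key, names in by_key.items():
        lines.append("")
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
    return lines


if __name__ == "__main__":
    found = find_findings(parse_reg_section(SAMPLE_LOG))
    for f in found:
        print(f"{f.reason}: [{f.key}] {f.name}")
    print("\n".join(otm_reg_lines(found)))
```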
#29
6th July 2009, 05:23 AM
ElChamuco
Newcomer
Join Date: May 2009, 21 posts.
Thank you, my friend!!!!

Just to let you know, when I was running ActiveScan Avira caught a trojan. I have a feeling like there is a port open. Please let me know what you think.

Here are the logs:

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List not found.
Registry key HKEY_LOCAL_MACHINE\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List not found.
Registry key HKEY_LOCAL_MACHINE\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List not found.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall\ deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: CHUCK
->Temp folder emptied: 790 bytes
->Temporary Internet Files folder emptied: 783754 bytes
->Java cache emptied: 8112358 bytes
->FireFox cache emptied: 78305989 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 65670 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 65536 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 3124241 bytes
Windows Temp folder emptied: 664 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 86.32 mb


OTM by OldTimer - Version 3.0.0.4 log created on 07052009_004217

Files moved on Reboot...

Registry entries deleted on Reboot...



;****************************************************************************
ANALYSIS: 2009-07-05 22:12:01
PROTECTIONS: 1
MALWARE: 3
SUSPECTS: 2
;****************************************************************************
PROTECTIONS
Description Version Active Updated
;============================================================================
AntiVir Desktop 9.0.1.30 Yes Yes
;============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;============================================================================
00590315 Rootkit/Agent.LNB HackTools No 0 Yes No C:\System Volume Information\_restore{2FF74256-477D-4B01-939A-D41C1BBFE2C6}\RP27\A0002405.sys
00590315 Rootkit/Agent.LNB HackTools No 0 Yes No C:\System Volume Information\_restore{2FF74256-477D-4B01-939A-D41C1BBFE2C6}\RP25\A0001953.sys
01675833 Trj/SMSlock.C Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{2FF74256-477D-4B01-939A-D41C1BBFE2C6}\RP27\A0002412.exe
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{2FF74256-477D-4B01-939A-D41C1BBFE2C6}\RP27\A0002451.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{2FF74256-477D-4B01-939A-D41C1BBFE2C6}\RP26\A0002334.sys
;============================================================================
SUSPECTS
Sent Location j
;============================================================================
No C:\Program Files\Internet Explorer\IEXPLORE.EXE__ j
No C:\System Volume Information\_restore{2FF74256-477D-4B01-939A-D41C1BBFE2C6}\RP17\A0001542.exe j
;============================================================================
VULNERABILITIES
Id Severity Description j
;============================================================================
;============================================================================
#30
6th July 2009, 04:47 PM
evilfantasy
Security Team
Join Date: Dec 2007, 2,553 posts.
Location: Tulsa, OK
See if you can find this file please.

Code:
C:\Program Files\Internet Explorer\IEXPLORE.EXE__ j
If so then upload it to VirusTotal and post the link to the results back here. VirusTotal.com
__________________
.

ƃolq s’ʎsɐʇuɐɟlıʌǝ
#31
6th July 2009, 08:41 PM
ElChamuco
Newcomer
Join Date: May 2009, 21 posts.
Can't find the one with _j; the original is there but not that one.
#32
6th July 2009, 09:28 PM
evilfantasy
Security Team
Join Date: Dec 2007, 2,553 posts.
Location: Tulsa, OK
It has an unknown character at the end so I can't tell what the entire file path is.

Is this a Chinese or Japanese version of Windows?
__________________
.

ƃolq s’ʎsɐʇuɐɟlıʌǝ
#33
7th July 2009, 01:39 AM
ElChamuco
Newcomer
Join Date: May 2009, 21 posts.
I'm still looking for the file. How would I know what version it is?
#34
7th July 2009, 01:44 AM
ElChamuco
Newcomer
Join Date: May 2009, 21 posts.
Found it! Is this what you want to look at?


File RunnerExe.exe received on 2009.06.10 18:50:51 (UTC)
Current status: finished
Result: 2/38 (5.26%)
Antivirus Version Last Update Result
AhnLab-V3 5.0.0.2 2009.06.10 -
AntiVir 7.9.0.183 2009.06.10 -
Antiy-AVL 2.0.3.1 2009.06.10 -
Authentium 5.1.2.4 2009.06.10 -
Avast 4.8.1335.0 2009.06.09 -
AVG 8.5.0.339 2009.06.10 -
BitDefender 7.2 2009.06.10 -
CAT-QuickHeal 10.00 2009.06.10 -
ClamAV 0.94.1 2009.06.10 -
Comodo 1306 2009.06.10 -
DrWeb 5.0.0.12182 2009.06.10 -
eSafe 7.0.17.0 2009.06.10 -
eTrust-Vet 31.6.6551 2009.06.10 -
F-Prot 4.4.4.56 2009.06.10 -
F-Secure 8.0.14470.0 2009.06.10 -
Fortinet 3.117.0.0 2009.06.10 -
GData 19 2009.06.10 -
Ikarus T3.1.1.59.0 2009.06.10 -
K7AntiVirus 7.10.760 2009.06.10 -
Kaspersky 7.0.0.125 2009.06.10 -
McAfee 5642 2009.06.10 -
McAfee+Artemis 5642 2009.06.10 -
McAfee-GW-Edition 6.7.6 2009.06.10 -
Microsoft 1.4701 2009.06.10 -
NOD32 4145 2009.06.10 -
Norman 6.01.09 2009.06.10 -
nProtect 2009.1.8.0 2009.06.10 -
Panda 10.0.0.14 2009.06.10 Suspicious file
PCTools 4.4.2.0 2009.06.10 -
Prevx 3.0 2009.06.10 -
Rising 21.33.24.00 2009.06.10 -
Sophos 4.42.0 2009.06.10 -
Sunbelt 3.2.1858.2 2009.06.10 -
Symantec 1.4.4.12 2009.06.10 -
TheHacker 6.3.4.3.342 2009.06.10 -
TrendMicro 8.950.0.1092 2009.06.10 -
VBA32 3.12.10.7 2009.06.10 suspected of Win32.Trojan-Downloader
ViRobot 2009.6.10.1779 2009.06.10 -
Additional information
File size: 2560 bytes
MD5 : 6c87e93bcc0442cdcd2746ca98ea55ee
SHA1 : 0c3eb83a6f1bef9443f84de00a1a048aa2cc73e2
SHA256: e6aa7e2f9f43b7f4f43ec32cfe2b6754a4f6a4ffd0fdecad43e1363bfbca6a51
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1180
timedatestamp.....: 0x49106A29 (Tue Nov 4 16:28:41 2008)
machinetype.......: 0x14C (Intel I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1BA 0x200 4.94 cf614a05993780b56c73b437f8fb675e
.rdata 0x2000 0x270 0x400 3.39 f114d95887ec6f9d8ff1c96bc4b1d777
.data 0x3000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

( 3 imports )

> kernel32.dll: ExitProcess, Sleep
> ntdll.dll: memset
> wininet.dll: HttpSendRequestA, InternetReadFile, InternetCloseHandle, InternetCrackUrlA, InternetOpenA, HttpOpenRequestA, InternetConnectA

( 0 exports )
TrID : File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ThreatExpert: ThreatExpert Report
ssdeep: 24:eFGSLoUPnkJtUGb8Fqa7EoRMvmD0HVjS4bi6WSBFZSPyI/:ipPkJtUCyLWvS0HVG4biaBzg
PEiD : -
CWSandbox: Malware Report for ID: 6263850
RDS : NSRL Reference Data Set
-
#35
7th July 2009, 02:02 AM
evilfantasy
Security Team
Join Date: Dec 2007, 2,553 posts.
Location: Tulsa, OK
That's not it. That's RunnerExe.exe

Let's clean up a little and try another scanner.

* Click START then RUN
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter

* The above procedure will:
  * Delete the following:
    * ComboFix and its associated files and folders.
  * Reset the clock settings.
  * Hide file extensions, if required.
  * Hide System/Hidden files, if required.
  * Set a new, clean Restore Point.

----------

1. Double click OTM to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTM will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. When finished exit out of OTM.

----------

Use the Kaspersky Lab Online Scanner

In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

  • Click on SCAN NOW
  • Click Accept.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
  • The scan will take a while, so be patient and let it finish.


When the scan is done, in the Scan is complete window, any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop.
  • In the File name area use KScan, or something similar.
  • In Save as type: click the drop arrow and select: Text file [*.txt]
  • Then, click: Save




Copy and paste the Kaspersky Online Scanner Report in your next reply.

Note for Internet Explorer 7 and 8 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

If needed, this animation will guide you through the process.
__________________
.

ƃolq s’ʎsɐʇuɐɟlıʌǝ
#36
8th July 2009, 05:57 AM
ElChamuco
Newcomer
Join Date: May 2009, 21 posts.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, July 7, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, July 08, 2009 02:37:25
Records in database: 2439482
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 93579
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:33:44

No malware has been detected. The scan area is clean.

The selected area was scanned.
#37
8th July 2009, 04:16 PM
evilfantasy
Security Team
Join Date: Dec 2007, 2,553 posts.
Location: Tulsa, OK
Well I'm going to assume that the results from Panda are a false positive.

How is the computer running?

Use the Secunia Software Inspector to check for out of date software.
  • Click Start Now
  • Check the box next to Enable thorough system inspection.
  • Click Start
  • Allow the scan to finish and scroll down to see if any updates are needed.
  • Update anything listed.


----------

Go to Microsoft Windows Update and get all critical security updates. (you will need to use Internet Explorer to do this)

----------

Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

I suggest using WOT - Web of Trust. WOT is a free Internet security add-on for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.
__________________
.

ƃolq s’ʎsɐʇuɐɟlıʌǝ
#38
9th July 2009, 01:54 AM
ElChamuco
Newcomer
Join Date: May 2009, 21 posts.
Everything seems good; I did notice my start-up time is a little faster.
#39
9th July 2009, 03:44 AM
evilfantasy
Security Team
Join Date: Dec 2007, 2,553 posts.
Location: Tulsa, OK
There may be a lot of fragmented sections on the drive after the cleaning we did so I suggest a defrag.

You can use the built-in Windows Defrag by clicking Start > Run, typing in dfrg.msc and then clicking OK. Or use a faster FREE program: Defraggler is very effective and easy to use.

Note: Be sure to clean out temp files and restart the computer just before beginning a defrag.
__________________
.

ƃolq s’ʎsɐʇuɐɟlıʌǝ
#40
9th July 2009, 04:51 AM
ElChamuco
Newcomer
Join Date: May 2009, 21 posts.
You are the man! Thanks again, my friend. Where can I learn how to remove malware? I feel like I owe you money.