[Resolved] Can't run anti-spyware + rogue infection
#1
Posted 03 October 2009 - 08:37 AM
#2
Posted 03 October 2009 - 12:37 PM
To make cleaning this machine easier
- Please do not uninstall/install any programs unless asked to
It is more difficult when files/programs are appearing in/disappearing from the logs.
- Please do not run any scans other than those requested
- Please follow all instructions in the order posted
- All logs/reports, etc.. must be posted in Notepad. Please ensure that word wrap is unchecked. In notepad click format, uncheck word wrap if it is checked.
- Do not attach any logs/reports, etc.. unless specifically requested to do so.
- If you have problems with or do not understand the instructions, Please ask before continuing.
- Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.
Please download exeHelper to your desktop.
- Double-click on exeHelper.com to run the fix.
- A black window should pop up, press any key to close once the fix is completed.
- Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
NEXT
Download and run Win32kDiag:
- Download Win32kDiag from any of the following locations and save it to your Desktop.
- Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
- When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
- Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.
- To ensure the entire contents are copied, right click anywhere in the notepad and click Select All
- Right click the highlighted text and click copy
Please post back with
- exehelper log
- Win32kDiag log
Proud Graduate of the WTT Classroom
If you are happy with the help you received, please consider making a Donation
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself
Microsoft MVP 2011-2015
Threads will be closed if no response after 5 days.
#3
Posted 03 October 2009 - 01:10 PM
#4
Posted 03 October 2009 - 03:57 PM
It looks like Win32Diag may have stalled. It did show us some things we will need to take care of.
We will run Win32Diag a little differently; it will remove some things for us this time.
Click your Start button, click Run. Copy and paste the following line into the Run box and click OK.
"%userprofile%\desktop\win32kdiag.exe" -f -r
Please be patient and let the tool complete.
Next
Download and run a batch file (peek.bat):
- Download peek.bat from the download link below and save it to your Desktop.
- Download peek.bat
- Double-click peek.bat to run it.
- A black Command Prompt window will appear shortly: the program is running.
- When it's finished, a log will be saved at C:\log.txt
- Please post its contents in your next reply
Please post back with
- Win32Diag log
- Log.txt
Thanks
#5
Posted 03 October 2009 - 04:48 PM
#6
Posted 03 October 2009 - 05:13 PM
Your system has been infected by one or more Rootkits/Backdoor Trojans.
This allows hackers to remotely control your computer, steal critical system information and download and execute files.
It's very possible that anything could have been installed on your computer by the remote attacker, including opening other backdoors and installing rootkits.
More information on Remote Access Trojans can be found here.
I strongly suggest you do the following immediately:
- From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
- DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
- Danger: Remote Access Trojans.
- When should I re-format? How should I reinstall?
- How Do I Handle Possible Identify Theft, Internet Fraud and Credit Card Fraud?
I need you to make a batchfile.
Open a new Notepad session
- Click the Start button, click run
- in the run box type notepad
- click ok
- In the notepad, Click "Format" and be certain that Word Wrap is not checked.
- Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE
@echo off
sc config eventlog start= disabled
del %0
In Notepad
- Click File, Save as..., and set the Save in to your Desktop
- In the filename box, type (including quotation marks) as the filename: "fix.bat"
- Click Save
Double click on fix.bat & allow it to run.
It won't take long to run. There won't be a log or anything from it, you may see a black screen briefly flash on your screen.
Reboot your computer and proceed.
Please read through the instructions to familiarize yourself with what to expect when the tool runs.
It is vitally important that ComboFix is renamed before it even starts to download.
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- If you are using Firefox, make sure that your download settings are as follows:
-Tools->Options->Main tab
-Set to "Always ask me where to Save the files".
- During the download, before you save it to your desktop, rename Combofix to jgh.exe
- It is important you rename Combofix during the download, but not after.
- Please do not rename Combofix to other names, but only to the one indicated.
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix
-----------------------------------------------------------
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
- Double click on the renamed ComboFix.exe & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Please post back with
- combofix log
Thanks
#7
Posted 03 October 2009 - 06:20 PM
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1014.608 [GMT 1:00]
Running from: c:\documents and settings\Helen Melon\Desktop\jgh.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\ojyf.reg
c:\documents and settings\All Users\Application Data\upirumifug.inf
c:\documents and settings\ALLUSE~\Google
c:\documents and settings\Helen Melon\Application Data\jove.reg
c:\documents and settings\Helen Melon\Application Data\lizkavd.exe
c:\documents and settings\Helen Melon\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\Helen Melon\Application Data\vulebubume.inf
c:\documents and settings\Helen Melon\Start Menu\Programs\AntivirusPro_2010
c:\documents and settings\Helen Melon\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
c:\documents and settings\Helen Melon\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
C:\p2hhr.bat
c:\program files\Common Files\ipojow.com
c:\recycler\S-1-5-21-2626753545-2741395014-3987291170-1003
c:\recycler\S-1-5-21-3610190352-1894798032-2927353088-1003
c:\recycler\S-1-5-21-4272118574-3248610337-857847958-1003
c:\windows\ahubynin.dl
c:\windows\cosohyqibu.pif
c:\windows\eravoky.ban
c:\windows\ibahehujuk._dl
c:\windows\Installer\1a1aca3.msp
c:\windows\Installer\6372cd.msp
c:\windows\Installer\b2aecc.msp
c:\windows\myxohece.bat
c:\windows\nuhy.dll
c:\windows\system32\drivers\SKYNETbqbuypib.sys
c:\windows\system32\drivers\UAChrxoirrslk.sys
c:\windows\system32\gazifunu.inf
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\nsprs.dll
c:\windows\system32\sdra64.exe
c:\windows\system32\serauth1.dll
c:\windows\system32\serauth2.dll
c:\windows\system32\SKYNETmlwapboe.dll
c:\windows\system32\SKYNETnnowxrsm.dll
c:\windows\system32\SKYNETrjoehelu.dat
c:\windows\system32\SKYNETwfvpijtv.dll
c:\windows\system32\SKYNETxmqsnswe.dat
c:\windows\system32\UAChoykrhvtnl.dat
c:\windows\system32\uacinit.dll
c:\windows\system32\UACltyblwhdnq.dll
c:\windows\system32\UACqowyerbnep.dll
c:\windows\system32\UACrsbvpwmeta.log
c:\windows\system32\UACtqtyikfwfv.dll
c:\windows\system32\UACwrbilvkjsr.db
c:\windows\system32\UACypixmkmodm.dll
c:\windows\system32\wbem\proquota.exe
c:\windows\vixa.reg
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_SKYNEToppfakdv
-------\Legacy_SKYNEToppfakdv
-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
((((((((((((((((((((((((( Files Created from 2009-09-04 to 2009-10-04 )))))))))))))))))))))))))))))))
.
2009-10-04 00:08 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-03 13:09 . 2009-10-03 13:09 -------- d-----w- c:\windows\ERUNT
2009-10-03 13:01 . 2009-10-03 13:09 -------- d-----w- C:\SDFix
2009-10-03 12:56 . 2009-10-03 12:56 -------- d-----w- C:\_OTM
2009-10-03 12:32 . 2009-10-03 12:32 293 ----a-w- C:\MGlogs.zip
2009-10-03 12:32 . 2009-10-03 12:32 -------- d-----w- C:\MGtools
2009-10-03 12:05 . 2009-10-03 12:05 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-03 02:26 . 2008-12-11 07:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-10-03 02:26 . 2009-08-24 13:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-10-03 02:26 . 2009-08-19 10:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-03 02:25 . 2009-10-03 02:29 -------- d-----w- c:\program files\Common Files\PC Tools
2009-10-03 02:25 . 2008-12-10 10:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-10-03 02:25 . 2009-10-03 02:29 -------- d-----w- c:\program files\Spyware Doctor
2009-10-03 02:25 . 2009-10-03 02:25 -------- d-----w- c:\documents and settings\Helen Melon\Application Data\PC Tools
2009-10-03 02:25 . 2009-10-03 02:25 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-10-03 02:25 . 2009-10-03 02:49 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-03 02:00 . 2009-10-03 02:00 256 ----a-w- c:\windows\system32\nk.dat
2009-10-03 01:58 . 2009-10-03 01:58 45 ----a-w- c:\windows\system32\ca.dat
2009-10-03 01:50 . 2009-10-03 01:50 1 ----a-w- c:\windows\system32\xd.dat
2009-10-03 01:50 . 2009-10-03 01:50 1 ----a-w- c:\windows\system32\jc.dat
2009-10-03 01:50 . 2009-10-03 01:50 1 ----a-w- c:\windows\system32\idm.dat
2009-10-03 01:50 . 2009-10-03 01:50 1 ----a-w- c:\windows\system32\c2d.dat
2009-10-03 01:49 . 2009-10-03 01:49 46080 ----a-w- c:\windows\system32\nspr02.dll
2009-10-03 01:48 . 2009-10-03 01:48 -------- d-sh--w- c:\documents and settings\Helen Melon\PrivacIE
2009-10-03 01:48 . 2009-10-03 01:48 46080 ----a-w- c:\windows\system32\nspr01.dll
2009-10-03 01:39 . 2009-10-03 01:39 199868 ----a-w- C:\hufa.exe
2009-10-03 01:39 . 2009-10-03 01:39 19456 ----a-w- C:\erupquii.exe
2009-10-03 01:39 . 2009-10-03 01:39 5632 ----a-w- C:\efbcmkj.exe
2009-10-03 01:39 . 2009-10-03 01:39 45568 ----a-w- C:\oaksorc.exe
2009-10-03 00:48 . 2009-10-03 00:50 -------- d-----w- c:\program files\Wise Registry Cleaner
2009-10-03 00:42 . 2009-10-03 01:04 -------- d-----w- c:\program files\Wise Disk Cleaner
2009-09-28 23:26 . 2009-10-03 01:29 -------- d-----w- c:\documents and settings\Helen Melon\Application Data\vlc
2009-09-28 23:24 . 2009-09-28 23:24 -------- d-----w- c:\program files\VideoLAN
2009-09-25 21:56 . 2009-09-25 21:56 11264 ----a-w- c:\windows\system32\lpomf.dll
2009-09-19 23:31 . 2009-09-19 23:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2009-09-19 19:10 . 2009-09-19 19:10 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-09-19 19:08 . 2009-10-03 14:21 0 ----a-w- c:\windows\win32k.sys
2009-09-19 01:30 . 2009-09-19 01:30 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-09-19 01:21 . 2009-09-19 01:21 1 ----a-w- c:\windows\system32\q1.dat
2009-09-19 01:03 . 2009-09-19 01:08 -------- d-----w- c:\documents and settings\Helen Melon\Application Data\Spotify
2009-09-19 01:03 . 2009-09-19 01:04 -------- d-----w- c:\documents and settings\Helen Melon\Local Settings\Application Data\Spotify
2009-09-19 01:03 . 2009-09-19 01:03 -------- d-----w- c:\program files\Spotify
2009-09-16 23:19 . 2009-09-19 00:37 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-15 22:45 . 2009-09-15 22:45 44032 ----a-w- c:\windows\system32\yxhl0.dll
2009-09-11 00:46 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-04 00:09 . 2007-07-09 17:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-10-03 12:57 . 2009-08-16 16:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-03 12:39 . 2009-08-14 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-03 01:49 . 2009-10-03 01:49 16609 ----a-w- c:\documents and settings\Helen Melon\Application Data\howyreqyce.dat
2009-10-03 01:49 . 2009-10-03 01:49 17136 ----a-w- c:\program files\Common Files\cuhupodi.lib
2009-10-03 01:07 . 2006-02-22 18:21 -------- d-----w- c:\program files\Java
2009-09-27 23:36 . 2009-08-14 00:14 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-26 19:08 . 2006-07-30 14:02 49544 ----a-w- c:\documents and settings\Helen Melon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-26 19:08 . 2008-01-22 20:41 -------- d-----w- c:\program files\Windows Live
2009-09-12 17:53 . 2009-01-06 00:29 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-10 13:54 . 2009-08-16 16:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 13:53 . 2009-08-16 16:51 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-26 00:27 . 2007-11-17 16:45 -------- d-----w- c:\program files\DivX
2009-08-26 00:26 . 2009-08-26 00:26 4780600 ----a-w- C:\DivXWebPlayerInstaller.exe
2009-08-23 14:45 . 2008-12-25 00:07 -------- d-----w- c:\program files\Kontiki
2009-08-23 13:59 . 2009-08-23 13:59 267152 ----a-w- C:\zaSetup_en.exe
2009-08-22 16:14 . 2009-08-22 16:14 -------- d-----w- c:\program files\MSBuild
2009-08-22 16:13 . 2009-08-22 16:13 -------- d-----w- c:\program files\Reference Assemblies
2009-08-22 16:07 . 2009-08-22 16:07 -------- d-----w- c:\program files\MSXML 6.0
2009-08-17 00:15 . 2009-08-17 00:15 1144168 ----a-w- C:\wlsetup-custom.exe
2009-08-16 18:45 . 2009-08-16 18:45 -------- d-----w- c:\documents and settings\Helen Melon\Application Data\Malwarebytes
2009-08-16 17:01 . 2009-08-16 17:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-16 17:01 . 2009-08-16 16:59 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-16 16:59 . 2009-08-16 16:59 -------- d-----w- c:\documents and settings\Helen Melon\Application Data\SUPERAntiSpyware.com
2009-08-16 16:59 . 2007-08-20 14:38 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-16 16:59 . 2009-08-16 16:57 6881824 ----a-w- C:\SAS.exe
2009-08-16 16:54 . 2009-08-16 16:54 1343913 ----a-w- C:\MGtools.exe
2009-08-16 16:54 . 2009-08-16 16:54 464491 ----a-w- C:\RootRepeal.zip
2009-08-16 16:51 . 2009-08-16 16:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-16 16:30 . 2009-08-16 16:30 -------- d-----w- c:\program files\CCleaner
2009-08-16 16:28 . 2009-08-16 16:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-15 00:26 . 2009-08-15 00:25 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-15 00:25 . 2009-08-15 00:25 -------- d-----w- c:\program files\Lavasoft
2009-08-14 23:53 . 2009-08-14 23:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-14 05:58 . 2009-10-03 02:26 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-14 00:14 . 2009-08-14 00:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-14 00:14 . 2009-08-14 00:14 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-14 00:14 . 2009-08-14 00:14 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-14 00:14 . 2007-08-20 14:22 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-14 00:14 . 2009-08-14 00:14 -------- d-----w- c:\program files\AVG
2009-08-14 00:10 . 2009-08-14 00:10 -------- d-----w- c:\documents and settings\Helen Melon\Application Data\AVG8
2009-08-05 09:01 . 2006-02-22 03:32 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-26 15:44 . 2009-07-26 15:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2009-07-17 19:01 . 2006-02-22 03:32 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2006-02-22 03:33 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C2CEB3AB-FEEC-45F5-8ADE-B2C33A60D85D}]
2009-10-03 01:49 46080 ----a-w- c:\windows\system32\nspr02.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-10 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\773dd7e9-39a0-43e3-ace2-d4d35dc916eb.exe" [2009-08-05 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-05 282624]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-05 180269]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-04-29 45056]
"PDService.exe"="c:\program files\Utimaco\SafeGuard PrivateDisk\pdservice.exe" [2004-07-06 40960]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-11 151552]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-10-19 184320]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-07 114688]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-14 2007832]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-06-29 14720000]
"Mouse Suite 98 Daemon"="ICO.EXE" - c:\windows\system32\ico.exe [2002-03-14 45056]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-14 00:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-20 17:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [15/08/2009 01:26 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [03/10/2009 03:26 206256]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [14/08/2009 01:14 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [14/08/2009 01:14 108552]
R1 PrivateDisk;PrivateDisk;c:\windows\system32\drivers\privatediskm.sys [06/07/2004 15:07 45627]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/08/2009 16:06 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/08/2009 16:06 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [14/08/2009 01:14 297752]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [14/08/2009 01:14 908056]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 15:49 1028432]
S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\HELENM~1\LOCALS~1\Temp\DMSKSSRh.sys --> c:\docume~1\HELENM~1\LOCALS~1\Temp\DMSKSSRh.sys [?]
S3 P1001VID;Creative WebCam (WDM);c:\windows\system32\drivers\P1001Vid.sys [02/08/2006 14:09 395224]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/08/2009 16:06 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [03/10/2009 03:25 348824]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{69504635-DE84-4739-8D13-2B5C5616807F}]
rundll32 nspr02.dll,laspi
.
Contents of the 'Scheduled Tasks' folder
2009-10-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 00:26]
2009-10-03 c:\windows\Tasks\Wise Registry Cleaner 4.job
- c:\program files\Wise Registry Cleaner\WiseRegistryCleaner.exe [2009-10-03 12:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.club-vaio.com/en/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
LSP: lpomf.dll
Trusted Zone: sony-europe.com
Trusted Zone: sonystyle-europe.com
Trusted Zone: vaio-link.com
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\Helen Melon\Application Data\Mozilla\Firefox\Profiles\964kqff7.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-04 01:11
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9c,f3,9f,ef,fd,77,c2,4b,92,c1,80,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9c,f3,9f,ef,fd,77,c2,4b,92,c1,80,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(684)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\VESWinlogon.dll
- - - - - - - > 'lsass.exe'(740)
c:\windows\system32\lpomf.dll
- - - - - - - > 'explorer.exe'(1392)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASSEH.DLL
c:\windows\system32\ieframe.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Kontiki\KService.exe
c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Apoint\ApntEx.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-10-04 1:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-04 00:17
Pre-Run: 11,674,963,968 bytes free
Post-Run: 11,817,783,296 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
361 --- E O F --- 2009-09-13 02:01
#8
Posted 03 October 2009 - 06:23 PM
Edited by nffc86, 03 October 2009 - 06:25 PM.
#9
Posted 03 October 2009 - 10:34 PM
Let's clear up the rest of this then work on the permissions.
We need some file information
- Make sure to use Internet Explorer for this
- Please go to VirSCAN.org FREE on-line scan service
- Copy and paste the following file path, one at a time into the "Suspicious files to scan" box on the top of the page:
c:\windows\system32\nspr02.dll
c:\windows\system32\nspr01.dll
- Please ensure the scan has completed and the results are saved before submitting the next one.
- Click on the Upload button
- If a pop-up appears saying the file has been scanned already, please select the ReScan button.
- Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
- Paste the contents of the Clipboard in your next reply.
We will be using Combofix again but will run it differently.
Please read through these instructions to familiarize yourself with what to expect when this tool runs
Please follow all previous instructions regarding security programs.
Open a new Notepad session
- Click the Start button, click run
- in the run box type notepad
- click ok
- In the notepad, Click "Format" and be certain that Word Wrap is not checked.
- Copy and paste all of the text in the code box below into the Notepad (including the URL). Do not copy the word CODE
http://forums.whatthetech.com/Can_t_run_anti_spyware_rogue_infection_t107359.html&pid=600555#entry600555
Collect::[4]
c:\windows\system32\nk.dat
c:\windows\system32\ca.dat
c:\windows\system32\xd.dat
c:\windows\system32\jc.dat
c:\windows\system32\idm.dat
c:\windows\system32\c2d.dat
C:\hufa.exe
C:\erupquii.exe
C:\efbcmkj.exe
C:\oaksorc.exe
c:\windows\system32\lpomf.dll
c:\windows\win32k.sys
c:\windows\system32\q1.dat
c:\windows\system32\yxhl0.dll
c:\documents and settings\Helen Melon\Application Data\howyreqyce.dat
c:\program files\Common Files\cuhupodi.lib
c:\windows\system32\nspr01.dll
c:\windows\system32\nspr02.dll
DirLook::
c:\documents and settings\Helen Melon\PrivacIE
Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C2CEB3AB-FEEC-45F5-8ADE-B2C33A60D85D}]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{69504635-DE84-4739-8D13-2B5C5616807F}]
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
In the notepad
- Click File, Save as..., and set the Save in to your Desktop
- In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
- Click save
This will start ComboFix again. Close all browser/windows first.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
- Ensure you are connected to the internet and click OK on the message box.
Let's see what we may have to reset permissions on
- Right click the attached file user.zip
- Select Save target as
- Set the Save in box to Desktop
- Extract the files to your desktop
- Locate run.bat and double click it to run it
- Please be patient and let it run
- When it's finished, a log will be saved at C:\junction.txt
- Please post its contents in your next reply
Please post back with
- VirScan results
- combofix log
- junction.txt
Microsoft MVP 2011-2015
Threads will be closed if no response after 5 days.
#10
Posted 04 October 2009 - 08:49 AM
Scanned time : 2009/10/04 15:11:54 (BST)
Scanner results: 27% Scanner(10/37) found malware!
File Name : nspr02.dll
File Size : 46080 byte
File Type : PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bi
MD5 : efd59b047ce5b6590ce2d666c7fa0527
SHA1 : 7b684c2484f6bd7fdc5ecf2e3d6774df58f441cf
Online report : http://virscan.org/r...a385d3dedb.html
Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091004083115 2009-10-04 4.12 Trojan-Downloader.Win32.BHO!IK
AhnLab V3 2009.10.04.00 2009.10.04 2009-10-04 0.81 -
AntiVir 8.2.1.33 7.1.6.68 2009-10-02 0.46 TR/Ambler.J
Antiy 2.0.18 20091003.2955253 2009-10-03 0.02 -
Arcavir 2009 200910020826 2009-10-02 0.07 -
Authentium 5.1.1 200910031310 2009-10-03 1.19 -
AVAST! 4.7.4 091003-0 2009-10-03 0.01 -
AVG 8.5.288 270.14.3/2413 2009-10-04 0.56 -
BitDefender 7.81008.4313294 7.28072 2009-10-04 3.69 Trojan.Generic.2499596
CA (VET) 9.0.0.143 31.6.6773 2009-10-03 14.46 -
ClamAV 0.95.2 9865 2009-10-03 0.05 -
Comodo 3.11 2511 2009-10-04 0.83 -
CP Secure 1.3.0.5 2009.09.30 2009-09-30 0.12 -
Dr.Web 4.44.0.9170 2009.10.04 2009-10-04 5.55 Trojan.PWS.Banker.31065
F-Prot 4.4.4.56 20091003 2009-10-03 1.17 W32/Ambler.C.gen!Eldorado (generic, not disinfectable)
F-Secure 7.02.73807 2009.10.03.02 2009-10-03 8.65 Trojan-Spy:W32/Ambler.gen!A [FSE]
Fortinet 2.81-3.120 10.904 2009-10-04 0.19 PossibleThreat
GData 19.8212/19.498 20091004 2009-10-04 7.93 -
ViRobot 20091002 2009.10.02 2009-10-02 0.44 -
Ikarus T3.1.01.72 2009.10.04.73928 2009-10-04 4.25 Trojan-Downloader.Win32.BHO
JiangMin 11.0.800 2009.10.04 2009-10-04 8.88 -
Kaspersky 5.5.10 2009.10.04 2009-10-04 0.18 -
KingSoft 2009.2.5.15 2009.10.4.19 2009-10-04 0.70 -
McAfee 5.3.00 5760 2009-10-03 3.46 -
Microsoft 1.5101 2009.10.04 2009-10-04 9.27 TrojanSpy:Win32/Ambler.J
Norman 6.01.09 6.01.00 2009-09-16 1.93 -
Panda 9.05.01 2009.10.04 2009-10-04 3.48 -
Trend Micro 8.700-1004 6.504.02 2009-10-04 0.05 -
Quick Heal 10.00 2009.10.03 2009-10-03 1.58 -
Rising 20.0 21.49.22.00 2009-09-30 1.32 -
Sophos 2.90.1 4.45 2009-10-04 3.59 Mal/Ambler-B
Sunbelt 5427 5427 2009-10-02 6.30 -
Symantec 1.3.0.24 20091003.004 2009-10-03 0.53 -
nProtect 20090930.01 5696930 2009-09-30 15.69 -
The Hacker 6.5.0.2 v00028 2009-10-03 1.26 -
VBA32 3.12.10.11 20091003.1357 2009-10-03 2.12 -
VirusBuster 4.5.11.10 10.112.57/1940742 2009-10-03 2.77 -
ComboFix 09-10-01.05 - Helen Melon 04/10/2009 15:29.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1014.525 [GMT 1:00]
Running from: c:\documents and settings\Helen Melon\Desktop\jgh.exe
Command switches used :: c:\documents and settings\Helen Melon\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
file zipped: c:\documents and settings\Helen Melon\Application Data\howyreqyce.dat
file zipped: C:\efbcmkj.exe
file zipped: C:\erupquii.exe
file zipped: C:\hufa.exe
file zipped: C:\oaksorc.exe
file zipped: c:\program files\Common Files\cuhupodi.lib
file zipped: c:\windows\system32\c2d.dat
file zipped: c:\windows\system32\ca.dat
file zipped: c:\windows\system32\idm.dat
file zipped: c:\windows\system32\jc.dat
file zipped: c:\windows\system32\lpomf.dll
file zipped: c:\windows\system32\nk.dat
file zipped: c:\windows\system32\nspr01.dll
file zipped: c:\windows\system32\nspr02.dll
file zipped: c:\windows\system32\q1.dat
file zipped: c:\windows\system32\xd.dat
file zipped: c:\windows\system32\yxhl0.dll
file zipped: c:\windows\win32k.sys
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Helen Melon\Application Data\howyreqyce.dat
C:\efbcmkj.exe
C:\erupquii.exe
C:\hufa.exe
C:\oaksorc.exe
c:\program files\Common Files\cuhupodi.lib
c:\windows\system32\c2d.dat
c:\windows\system32\ca.dat
c:\windows\system32\idm.dat
c:\windows\system32\jc.dat
c:\windows\system32\lpomf.dll
c:\windows\system32\nk.dat
c:\windows\system32\nspr01.dll
c:\windows\system32\nspr02.dll
c:\windows\system32\q1.dat
c:\windows\system32\xd.dat
c:\windows\system32\yxhl0.dll
c:\windows\win32k.sys
.
((((((((((((((((((((((((( Files Created from 2009-09-04 to 2009-10-04 )))))))))))))))))))))))))))))))
.
2009-10-04 00:08 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-03 13:09 . 2009-10-03 13:09 -------- d-----w- c:\windows\ERUNT
2009-10-03 13:01 . 2009-10-03 13:09 -------- d-----w- C:\SDFix
2009-10-03 12:56 . 2009-10-03 12:56 -------- d-----w- C:\_OTM
2009-10-03 12:32 . 2009-10-03 12:32 293 ----a-w- C:\MGlogs.zip
2009-10-03 12:32 . 2009-10-03 12:32 -------- d-----w- C:\MGtools
2009-10-03 12:05 . 2009-10-03 12:05 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-03 02:26 . 2008-12-11 07:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-10-03 02:26 . 2009-08-24 13:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-10-03 02:26 . 2009-08-19 10:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-03 02:25 . 2009-10-03 02:29 -------- d-----w- c:\program files\Common Files\PC Tools
2009-10-03 02:25 . 2008-12-10 10:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-10-03 02:25 . 2009-10-03 02:29 -------- d-----w- c:\program files\Spyware Doctor
2009-10-03 02:25 . 2009-10-03 02:25 -------- d-----w- c:\documents and settings\Helen Melon\Application Data\PC Tools
2009-10-03 02:25 . 2009-10-03 02:25 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-10-03 02:25 . 2009-10-03 02:49 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-03 01:48 . 2009-10-03 01:48 -------- d-sh--w- c:\documents and settings\Helen Melon\PrivacIE
2009-10-03 00:48 . 2009-10-03 00:50 -------- d-----w- c:\program files\Wise Registry Cleaner
2009-10-03 00:42 . 2009-10-03 01:04 -------- d-----w- c:\program files\Wise Disk Cleaner
2009-09-28 23:26 . 2009-10-03 01:29 -------- d-----w- c:\documents and settings\Helen Melon\Application Data\vlc
2009-09-28 23:24 . 2009-09-28 23:24 -------- d-----w- c:\program files\VideoLAN
2009-09-19 23:31 . 2009-09-19 23:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2009-09-19 19:10 . 2009-09-19 19:10 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-09-19 01:30 . 2009-09-19 01:30 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-09-19 01:03 . 2009-09-19 01:08 -------- d-----w- c:\documents and settings\Helen Melon\Application Data\Spotify
2009-09-19 01:03 . 2009-09-19 01:04 -------- d-----w- c:\documents and settings\Helen Melon\Local Settings\Application Data\Spotify
2009-09-19 01:03 . 2009-09-19 01:03 -------- d-----w- c:\program files\Spotify
2009-09-16 23:19 . 2009-09-19 00:37 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-11 00:46 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-04 14:35 . 2007-07-09 17:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-10-03 12:57 . 2009-08-16 16:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-03 12:39 . 2009-08-14 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-03 01:07 . 2006-02-22 18:21 -------- d-----w- c:\program files\Java
2009-09-27 23:36 . 2009-08-14 00:14 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-26 19:08 . 2006-07-30 14:02 49544 ----a-w- c:\documents and settings\Helen Melon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-26 19:08 . 2008-01-22 20:41 -------- d-----w- c:\program files\Windows Live
2009-09-12 17:53 . 2009-01-06 00:29 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-10 13:54 . 2009-08-16 16:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 13:53 . 2009-08-16 16:51 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-26 00:27 . 2007-11-17 16:45 -------- d-----w- c:\program files\DivX
2009-08-26 00:26 . 2009-08-26 00:26 4780600 ----a-w- C:\DivXWebPlayerInstaller.exe
2009-08-23 14:45 . 2008-12-25 00:07 -------- d-----w- c:\program files\Kontiki
2009-08-23 13:59 . 2009-08-23 13:59 267152 ----a-w- C:\zaSetup_en.exe
2009-08-22 16:14 . 2009-08-22 16:14 -------- d-----w- c:\program files\MSBuild
2009-08-22 16:13 . 2009-08-22 16:13 -------- d-----w- c:\program files\Reference Assemblies
2009-08-22 16:07 . 2009-08-22 16:07 -------- d-----w- c:\program files\MSXML 6.0
2009-08-17 00:15 . 2009-08-17 00:15 1144168 ----a-w- C:\wlsetup-custom.exe
2009-08-16 18:45 . 2009-08-16 18:45 -------- d-----w- c:\documents and settings\Helen Melon\Application Data\Malwarebytes
2009-08-16 17:01 . 2009-08-16 17:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-16 17:01 . 2009-08-16 16:59 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-16 16:59 . 2009-08-16 16:59 -------- d-----w- c:\documents and settings\Helen Melon\Application Data\SUPERAntiSpyware.com
2009-08-16 16:59 . 2007-08-20 14:38 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-16 16:59 . 2009-08-16 16:57 6881824 ----a-w- C:\SAS.exe
2009-08-16 16:54 . 2009-08-16 16:54 1343913 ----a-w- C:\MGtools.exe
2009-08-16 16:54 . 2009-08-16 16:54 464491 ----a-w- C:\RootRepeal.zip
2009-08-16 16:51 . 2009-08-16 16:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-16 16:30 . 2009-08-16 16:30 -------- d-----w- c:\program files\CCleaner
2009-08-16 16:28 . 2009-08-16 16:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-15 00:26 . 2009-08-15 00:25 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-15 00:25 . 2009-08-15 00:25 -------- d-----w- c:\program files\Lavasoft
2009-08-14 23:53 . 2009-08-14 23:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-14 05:58 . 2009-10-03 02:26 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-14 00:14 . 2009-08-14 00:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-14 00:14 . 2009-08-14 00:14 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-14 00:14 . 2009-08-14 00:14 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-14 00:14 . 2007-08-20 14:22 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-14 00:14 . 2009-08-14 00:14 -------- d-----w- c:\program files\AVG
2009-08-14 00:10 . 2009-08-14 00:10 -------- d-----w- c:\documents and settings\Helen Melon\Application Data\AVG8
2009-08-05 09:01 . 2006-02-22 03:32 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-26 15:44 . 2009-07-26 15:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2009-07-17 19:01 . 2006-02-22 03:32 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2006-02-22 03:33 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\Helen Melon\PrivacIE ----
2009-10-03 01:48 . 2009-10-03 01:57 32768 --sha-w- c:\documents and settings\Helen Melon\PrivacIE\index.dat
((((((((((((((((((((((((((((( SnapShot@2009-10-04_00.11.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-04 14:37 . 2009-10-04 14:37 16384 c:\windows\Temp\Perflib_Perfdata_7ec.dat
+ 2009-10-04 14:37 . 2009-10-04 14:37 16384 c:\windows\Temp\Perflib_Perfdata_7bc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-10 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\773dd7e9-39a0-43e3-ace2-d4d35dc916eb.exe" [2009-08-05 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-05 282624]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-05 180269]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-04-29 45056]
"PDService.exe"="c:\program files\Utimaco\SafeGuard PrivateDisk\pdservice.exe" [2004-07-06 40960]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-11 151552]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-10-19 184320]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-07 114688]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-14 2007832]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-06-29 14720000]
"Mouse Suite 98 Daemon"="ICO.EXE" - c:\windows\system32\ico.exe [2002-03-14 45056]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-14 00:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-20 17:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [15/08/2009 01:26 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [03/10/2009 03:26 206256]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [14/08/2009 01:14 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [14/08/2009 01:14 108552]
R1 PrivateDisk;PrivateDisk;c:\windows\system32\drivers\privatediskm.sys [06/07/2004 15:07 45627]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/08/2009 16:06 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/08/2009 16:06 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [14/08/2009 01:14 297752]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [14/08/2009 01:14 908056]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 15:49 1028432]
S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\HELENM~1\LOCALS~1\Temp\DMSKSSRh.sys --> c:\docume~1\HELENM~1\LOCALS~1\Temp\DMSKSSRh.sys [?]
S3 P1001VID;Creative WebCam (WDM);c:\windows\system32\drivers\P1001Vid.sys [02/08/2006 14:09 395224]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/08/2009 16:06 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [03/10/2009 03:25 348824]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-10-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 00:26]
2009-10-03 c:\windows\Tasks\Wise Registry Cleaner 4.job
- c:\program files\Wise Registry Cleaner\WiseRegistryCleaner.exe [2009-10-03 12:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.club-vaio.com/en/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: sony-europe.com
Trusted Zone: sonystyle-europe.com
Trusted Zone: vaio-link.com
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\Helen Melon\Application Data\Mozilla\Firefox\Profiles\964kqff7.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
BHO-{A249BC15-23F2-42AD-F4E4-00AAC39C0004} - (no file)
BHO-{C2CEB3AB-FEEC-45F5-8ADE-B2C33A60D85D} - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-04 15:37
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(672)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\VESWinlogon.dll
- - - - - - - > 'explorer.exe'(4032)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Kontiki\KService.exe
c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Apoint\ApntEx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-10-04 15:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-04 14:43
ComboFix2.txt 2009-10-04 00:17
Pre-Run: 11,775,537,152 bytes free
Post-Run: 11,734,605,824 bytes free
304 --- E O F --- 2009-09-13 02:01
Junction v1.05 - Windows junction creator and reparse point viewer
Copyright © 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com
Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\Program Files\AVG\AVG8\avgcsrvx.exe: Access is denied.
Failed to open \\?\c:\\Program Files\Lavasoft\Ad-Aware\AAWService.exe: Access is denied.
Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.
Failed to open \\?\c:\\Program Files\SUPERAntiSpyware\773dd7e9-39a0-43e3-ace2-d4d35dc916eb.exe: Access is denied.
Failed to open \\?\c:\\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe: Access is denied.
Failed to open \\?\c:\\System Volume Information\MountPointManagerRemoteDatabase: Access is denied.
\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
#11
Posted 04 October 2009 - 08:53 AM
#12
Posted 04 October 2009 - 10:16 AM
That's ok, we got the information we needed.
Before we reset the permissions there is one file that needs to be removed.
We'll use a CFScript similar to last time.
Open a new Notepad session
- Click the Start button, click run
- in the run box type notepad
- click ok
- In the notepad, Click "Format" and be certain that Word Wrap is not checked.
- Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE
File:: c:\Program Files\SUPERAntiSpyware\773dd7e9-39a0-43e3-ace2-d4d35dc916eb.exe
In the notepad
- Click File, Save as..., and set the Save in to your Desktop
- In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
- Click save
Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon.
Next
Please visit this site and follow the instructions for uploading the [4]-Submit_2009-xx-xx@xx.xx.zip file.
The x's are a date and time stamp. Use the browse button to navigate to
C:\Qoobox\Quarantine\[4]-Submit_Date_Time.zip
Next, in Windows Explorer, navigate to this folder C:\Qoobox
In the right hand panel please locate this file Add-Remove Programs.txt
Please post the contents of that file.
Please post back with
- combofix log
- Add-Remove programs list
#13
Posted 04 October 2009 - 10:47 AM
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1014.498 [GMT 1:00]
Running from: c:\documents and settings\Helen Melon\Desktop\jgh.exe
Command switches used :: c:\documents and settings\Helen Melon\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FILE ::
"c:\program files\SUPERAntiSpyware\773dd7e9-39a0-43e3-ace2-d4d35dc916eb.exe"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\SUPERAntiSpyware\773dd7e9-39a0-43e3-ace2-d4d35dc916eb.exe
.
((((((((((((((((((((((((( Files Created from 2009-09-04 to 2009-10-04 )))))))))))))))))))))))))))))))
.
2009-10-04 00:08 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-03 13:09 . 2009-10-03 13:09 -------- d-----w- c:\windows\ERUNT
2009-10-03 13:01 . 2009-10-03 13:09 -------- d-----w- C:\SDFix
2009-10-03 12:56 . 2009-10-03 12:56 -------- d-----w- C:\_OTM
2009-10-03 12:32 . 2009-10-03 12:32 293 ----a-w- C:\MGlogs.zip
2009-10-03 12:32 . 2009-10-03 12:32 -------- d-----w- C:\MGtools
2009-10-03 12:05 . 2009-10-03 12:05 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-10-03 02:26 . 2008-12-11 07:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-10-03 02:26 . 2009-08-24 13:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-10-03 02:26 . 2009-08-19 10:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-03 02:25 . 2009-10-03 02:29 -------- d-----w- c:\program files\Common Files\PC Tools
2009-10-03 02:25 . 2008-12-10 10:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-10-03 02:25 . 2009-10-03 02:29 -------- d-----w- c:\program files\Spyware Doctor
2009-10-03 02:25 . 2009-10-03 02:25 -------- d-----w- c:\documents and settings\Helen Melon\Application Data\PC Tools
2009-10-03 02:25 . 2009-10-03 02:25 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-10-03 02:25 . 2009-10-03 02:49 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-03 01:48 . 2009-10-03 01:48 -------- d-sh--w- c:\documents and settings\Helen Melon\PrivacIE
2009-10-03 00:48 . 2009-10-03 00:50 -------- d-----w- c:\program files\Wise Registry Cleaner
2009-10-03 00:42 . 2009-10-03 01:04 -------- d-----w- c:\program files\Wise Disk Cleaner
2009-09-28 23:26 . 2009-10-03 01:29 -------- d-----w- c:\documents and settings\Helen Melon\Application Data\vlc
2009-09-28 23:24 . 2009-09-28 23:24 -------- d-----w- c:\program files\VideoLAN
2009-09-19 23:31 . 2009-09-19 23:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2009-09-19 19:10 . 2009-09-19 19:10 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-09-19 01:30 . 2009-09-19 01:30 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-09-19 01:03 . 2009-09-19 01:08 -------- d-----w- c:\documents and settings\Helen Melon\Application Data\Spotify
2009-09-19 01:03 . 2009-09-19 01:04 -------- d-----w- c:\documents and settings\Helen Melon\Local Settings\Application Data\Spotify
2009-09-19 01:03 . 2009-09-19 01:03 -------- d-----w- c:\program files\Spotify
2009-09-16 23:19 . 2009-09-19 00:37 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-11 00:46 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-04 16:36 . 2009-08-16 16:59 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-04 16:36 . 2007-07-09 17:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-10-03 12:57 . 2009-08-16 16:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-03 12:39 . 2009-08-14 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-03 01:07 . 2006-02-22 18:21 -------- d-----w- c:\program files\Java
2009-09-27 23:36 . 2009-08-14 00:14 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-26 19:08 . 2006-07-30 14:02 49544 ----a-w- c:\documents and settings\Helen Melon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-26 19:08 . 2008-01-22 20:41 -------- d-----w- c:\program files\Windows Live
2009-09-12 17:53 . 2009-01-06 00:29 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-10 13:54 . 2009-08-16 16:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 13:53 . 2009-08-16 16:51 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-26 00:27 . 2007-11-17 16:45 -------- d-----w- c:\program files\DivX
2009-08-26 00:26 . 2009-08-26 00:26 4780600 ----a-w- C:\DivXWebPlayerInstaller.exe
2009-08-23 14:45 . 2008-12-25 00:07 -------- d-----w- c:\program files\Kontiki
2009-08-23 13:59 . 2009-08-23 13:59 267152 ----a-w- C:\zaSetup_en.exe
2009-08-22 16:14 . 2009-08-22 16:14 -------- d-----w- c:\program files\MSBuild
2009-08-22 16:13 . 2009-08-22 16:13 -------- d-----w- c:\program files\Reference Assemblies
2009-08-22 16:07 . 2009-08-22 16:07 -------- d-----w- c:\program files\MSXML 6.0
2009-08-17 00:15 . 2009-08-17 00:15 1144168 ----a-w- C:\wlsetup-custom.exe
2009-08-16 18:45 . 2009-08-16 18:45 -------- d-----w- c:\documents and settings\Helen Melon\Application Data\Malwarebytes
2009-08-16 17:01 . 2009-08-16 17:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-08-16 16:59 . 2009-08-16 16:59 -------- d-----w- c:\documents and settings\Helen Melon\Application Data\SUPERAntiSpyware.com
2009-08-16 16:59 . 2007-08-20 14:38 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-16 16:59 . 2009-08-16 16:57 6881824 ----a-w- C:\SAS.exe
2009-08-16 16:54 . 2009-08-16 16:54 1343913 ----a-w- C:\MGtools.exe
2009-08-16 16:54 . 2009-08-16 16:54 464491 ----a-w- C:\RootRepeal.zip
2009-08-16 16:51 . 2009-08-16 16:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-16 16:30 . 2009-08-16 16:30 -------- d-----w- c:\program files\CCleaner
2009-08-16 16:28 . 2009-08-16 16:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-15 00:26 . 2009-08-15 00:25 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-15 00:25 . 2009-08-15 00:25 -------- d-----w- c:\program files\Lavasoft
2009-08-14 23:53 . 2009-08-14 23:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-14 05:58 . 2009-10-03 02:26 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-14 00:14 . 2009-08-14 00:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-14 00:14 . 2009-08-14 00:14 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-14 00:14 . 2009-08-14 00:14 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-14 00:14 . 2007-08-20 14:22 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-14 00:14 . 2009-08-14 00:14 -------- d-----w- c:\program files\AVG
2009-08-14 00:10 . 2009-08-14 00:10 -------- d-----w- c:\documents and settings\Helen Melon\Application Data\AVG8
2009-08-05 09:01 . 2006-02-22 03:32 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-26 15:44 . 2009-07-26 15:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2009-07-17 19:01 . 2006-02-22 03:32 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2006-02-22 03:33 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-10-04_00.11.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-04 14:37 . 2009-10-04 14:37 16384 c:\windows\Temp\Perflib_Perfdata_7ec.dat
+ 2009-10-04 14:37 . 2009-10-04 14:37 16384 c:\windows\Temp\Perflib_Perfdata_7bc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-10 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-05 282624]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-05 180269]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-04-29 45056]
"PDService.exe"="c:\program files\Utimaco\SafeGuard PrivateDisk\pdservice.exe" [2004-07-06 40960]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-11 151552]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-10-19 184320]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-07 114688]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-14 2007832]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-06-29 14720000]
"Mouse Suite 98 Daemon"="ICO.EXE" - c:\windows\system32\ico.exe [2002-03-14 45056]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-14 00:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-20 17:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [15/08/2009 01:26 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [03/10/2009 03:26 206256]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [14/08/2009 01:14 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [14/08/2009 01:14 108552]
R1 PrivateDisk;PrivateDisk;c:\windows\system32\drivers\privatediskm.sys [06/07/2004 15:07 45627]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/08/2009 16:06 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/08/2009 16:06 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [14/08/2009 01:14 297752]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [14/08/2009 01:14 908056]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 15:49 1028432]
S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\HELENM~1\LOCALS~1\Temp\DMSKSSRh.sys --> c:\docume~1\HELENM~1\LOCALS~1\Temp\DMSKSSRh.sys [?]
S3 P1001VID;Creative WebCam (WDM);c:\windows\system32\drivers\P1001Vid.sys [02/08/2006 14:09 395224]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/08/2009 16:06 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [03/10/2009 03:25 348824]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-10-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 00:26]
2009-10-03 c:\windows\Tasks\Wise Registry Cleaner 4.job
- c:\program files\Wise Registry Cleaner\WiseRegistryCleaner.exe [2009-10-03 12:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.club-vaio.com/en/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: sony-europe.com
Trusted Zone: sonystyle-europe.com
Trusted Zone: vaio-link.com
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\Helen Melon\Application Data\Mozilla\Firefox\Profiles\964kqff7.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\773dd7e9-39a0-43e3-ace2-d4d35dc916eb.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-04 17:36
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(672)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\VESWinlogon.dll
.
Completion time: 2009-10-04 17:39
ComboFix-quarantined-files.txt 2009-10-04 16:39
ComboFix2.txt 2009-10-04 14:43
ComboFix3.txt 2009-10-04 00:17
Pre-Run: 11,740,499,968 bytes free
Post-Run: 11,726,290,944 bytes free
235 --- E O F --- 2009-09-13 02:01
Add-Remove Programs List
Ad-Aware
Adobe Acrobat Reader 3.01
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Reader 8.1.1
Adobe Shockwave Player
Adobe® Photoshop® Album Starter Edition 3.0
Apple Software Update
AVG Free 8.5
BBC iPlayer Download Manager
BioWare Premium Module: Neverwinter Nights - Kingmaker
BioWare Premium Module: Neverwinter Nights - ShadowGuard
BioWare Premium Module: Neverwinter Nights - Witch's Wake
CCleaner (remove only)
Click to DVD 2.0.03 Menu Data
Click to DVD 2.5.20
Creative WebCam Control
Creative WebCam Driver
Diablo II
Disc2Phone
DivX Web Player
Driving Test Complete
DVgate Plus
GameSpy Arcade
Google AFE
Google Earth
Google Talk (remove only)
Google Toolbar for Internet Explorer
HDAUDIO SoftV92 Data Fax Modem with SmartCP
Hero Editor V0.96
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB954550-v5)
HP Deskjet 3740
HP Software Update
Image Converter 2 Plus
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections Drivers
Intel® PROSet/Wireless Software
InterVideo WinDVD for VAIO
LAN-Express AS IEEE 802.11 Wireless LAN
LG PC Suite
LG USB Modem driver
Malwarebytes' Anti-Malware
mCore
mDriver
Memory Stick Formatter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office Live Add-in 1.3
Microsoft Office Professional Edition 2003
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server Desktop Engine (VAIO_VEDB)
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Microsoft Works 2004 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
mMHouse
Mozilla Firefox (3.5.3)
mPfMgr
mProSafe
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
mWlsSafe
mXML
OpenMG Limited Patch 4.4-06-13-19-01
OpenMG Secure Module 4.4.00
Picasa 2
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Roxio DigitalMedia Audio
Roxio DigitalMedia Copy
Roxio DigitalMedia Data
SafeGuard® PrivateDisk 1.00.6 - Try and Buy Version
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Segoe UI
Setting Utility Series
SonicStage 3.4
Sony MP4 Shared Library
Sony USB Mouse
Sony Utilities DLL
Sony Video Shared Library
Spotify
SPSS 14.0 for Windows
Spybot - Search & Destroy
Spyware Doctor 6.1
SUPERAntiSpyware Free Edition
Symantec KB-DocID:2003093015493306
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB972636)
VAIO Control Center
VAIO Entertainment Platform
VAIO Event Service
VAIO Hardware Diagnostics
VAIO Long Battery Life Wallpaper
VAIO Media 5.0
VAIO Media AC3 Decoder 1.0
VAIO Media Integrated Server 5.0
VAIO Media Redistribution 5.0
VAIO Media Registration Tool 5.0
VAIO Online Registration (English)
VAIO Original Screen Saver
VAIO Original Screen Saver VAIO Cozy Screen SD Wide Contents
VAIO Power Management
VAIO Product Survey
VAIO Sea Wallpaper
VAIO Starfish Wallpaper
VAIO Update 2
VC80CRTRedist - 8.0.50727.762
Ventrilo Client
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.0.2
VOR
VPS
WebFldrs XP
Winamp
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
WinUAE 1.4.2
Wireless LAN Starter
Wise Disk Cleaner 4.81
Wise Registry Cleaner 4 Free 4.83
ZoneAlarm Spy Blocker
I have also successfully submitted the thing that you asked me to on Bleeping Computer
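Reading a ComboFix log like the one above by hand means scanning several hundred lines for the few that matter. The Python script below is an added example, not part of this thread or of ComboFix: it parses the service/driver lines (`R0 … [date size]`, `S3 … --> … [?]`) and the AV/FW status lines into the short list a reviewer checks first. The sample lines are copied from the posted log; the heuristics (image under a Temp directory, image ComboFix could not verify, protection reported disabled, Security Center notification values set to 1) are the example's own, and a hit means "look at this", not "this is malware".

```python
"""Triage of a ComboFix-style log: pull out the service/driver entries and
protection-status lines a reviewer checks first.

The sample lines are copied from the log posted in this thread; the
heuristics below (image under a Temp directory, image ComboFix could not
verify, protection reported disabled, Security Center notifications turned
off) are this example's own and do not by themselves prove infection.
"""
import re
from collections import defaultdict

# Constructed sample: a handful of lines taken from the posted log.
SAMPLE_LOG = r"""
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
"UpdatesDisableNotify"=dword:00000001
"DisableMonitoring"=dword:00000001
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [15/08/2009 01:26 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/08/2009 16:06 9968]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\HELENM~1\LOCALS~1\Temp\DMSKSSRh.sys --> c:\docume~1\HELENM~1\LOCALS~1\Temp\DMSKSSRh.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/08/2009 16:06 7408]
"""

REASON_TEMP = "driver/service image lives under a Temp directory"
REASON_UNVERIFIED = "image file not verified by ComboFix ([?])"
REASON_PROTECTION = "protection reported disabled"
REASON_SECCENTER = "Security Center notification/monitoring disabled"

# R0-R3 = running, S0-S4 = stopped; then name;display;image [date size] or [?]
SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.*?)\s+\[([^\]]*)\]\s*$")
# "AV: <product> *...disabled*" / "FW: <product> *disabled*"
PROTECTION_RE = re.compile(r"^(AV|FW):\s+(.+?)\s+\*([^*]*disabled[^*]*)\*", re.I)
# Security Center values such as "UpdatesDisableNotify"=dword:00000001
SECCENTER_RE = re.compile(r'^"(\w*Disable\w*)"=dword:0*1$', re.I)
TEMP_RE = re.compile(r"(^|\\)temp\\", re.I)


def parse_service(line):
    """Return (state, name, resolved_image_path, verified) or None."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    state, name, _display, image, tail = m.groups()
    # "a --> b [?]" means ComboFix resolved the image to b but could not check it
    resolved = image.split(" --> ")[-1].strip()
    if resolved.startswith("\\??\\"):  # NT object-namespace prefix
        resolved = resolved[4:]
    return state, name, resolved, tail.strip() != "?"


def triage(log_text):
    """Return (name, reason) pairs for every line that trips a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROTECTION_RE.match(line)
        if m:
            findings.append((m.group(2), REASON_PROTECTION + ": " + m.group(3)))
            continue
        m = SECCENTER_RE.match(line)
        if m:
            findings.append((m.group(1), REASON_SECCENTER))
            continue
        svc = parse_service(line)
        if svc is None:
            continue
        _state, name, path, verified = svc
        if TEMP_RE.search(path):
            findings.append((name, REASON_TEMP))
        if not verified:
            findings.append((name, REASON_UNVERIFIED))
    return findings


def reasons_by_name(log_text):
    """Group findings per entry name so the reviewer sees each item once."""
    grouped = defaultdict(list)
    for name, reason in triage(log_text):
        grouped[name].append(reason)
    return dict(grouped)


if __name__ == "__main__":
    for name, reasons in reasons_by_name(SAMPLE_LOG).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

On the sample, the SUPERAntiSpyware drivers and Lbd.sys produce nothing, the SQL Server service is reported only because ComboFix could not verify its image, and DMSKSSRh is the one entry that trips two heuristics at once (Temp path plus unverified image), which is exactly the kind of item a helper would ask about next.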
#14
Posted 04 October 2009 - 11:05 AM
Thank you.
"I have also successfully submitted the thing that you asked me to on Bleeping Computer"
Please download Inherit by sUBs and save it to your Desktop.
Click your Start button, then click Run. Copy and paste the following commands, one at a time, into the Run box, clicking OK after each line. Wait a bit between lines.
"%userprofile%\desktop\Inherit.exe" "c:\Program Files\AVG\AVG8\avgcsrvx.exe"
"%userprofile%\desktop\Inherit.exe" "c:\Program Files\Lavasoft\Ad-Aware\AAWService.exe"
"%userprofile%\desktop\Inherit.exe" "c:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
"%userprofile%\desktop\Inherit.exe" "c:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
You should be able to run the programs now.
You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.
Open MBAM
- Click the Update tab
- Click Check for Updates
- If an update is found, it will download and install the latest version.
- The program will close to update and reopen.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy&Paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
Please post back with the MBAM log.
Thanks
#15
Posted 04 October 2009 - 11:34 AM