
[Resolved] Please help. Need to remove tavo.exe, kavo.exe, cc.exe


  • This topic is locked
33 replies to this topic

#16 Scotty (Always Happy; Authentic Member, 3,634 posts)

Posted 08 April 2008 - 04:08 AM

Hi

We can scan it. Follow the instructions below, and select Custom scan, and direct the scanner to scan your external drive.

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      + Extended (if available, otherwise Standard)
    • Scan Options:
      + Scan Archives
      + Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan" select whatever drive letter the external drive is.
  • The scan will take a while, so be patient and let it run. Once the scan is complete it will display whether your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

With the exception of Internet Explorer, which is needed for the Kaspersky Scan, keep ALL programs closed until the scan is complete. This includes your anti-virus. Once you have installed the Scanner and the updated definitions, you can disconnect from the Internet. Re-enable the anti-virus before reconnecting to the Internet.
You too could train to help others- Join the Classroom



#17 MinnieGrlC (New Member; Authentic Member, 17 posts)

Posted 08 April 2008 - 01:30 PM

Hi Scotty,

Here are the results from the Kaspersky scan.

Tuesday, April 08, 2008 3:17:25 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/04/2008
Kaspersky Anti-Virus database records: 690384

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\ C:\ D:\ E:\ F:\ G:\ H:\

Scan Statistics
Total number of scanned objects 100993
Number of viruses found 3
Number of infected objects 5
Number of suspicious objects 0
Duration of the scan process 01:11:35

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Sony Corporation\SonicStage\Packages\MtData.ldb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sony Corporation\SonicStage\Packages\MtData.mdb Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\X\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\X\Desktop\Fixing Computer\Download_mbam-setup.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
C:\Documents and Settings\X\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\X\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\X\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\X\Local Settings\History\History.IE5\MSHist012008040820080409\index.dat Object is locked skipped
C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\X\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\X\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\cc[1].exe Infected: Trojan.Win32.Vaklik.yu skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\ff[1].exe Infected: Trojan.Win32.Vaklik.yp skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP29\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{698E97E9-0DB8-4CC0-AAEA-60F3BFF4679C}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\JET56AB.tmp Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\i0.cmd Infected: Trojan.Win32.Vaklik.yp skipped
H:\i0.cmd Infected: Trojan.Win32.Vaklik.yp skipped
Scan process completed.
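A reader triaging a report like the one above wants the handful of detections separated from the dozens of locked-and-skipped system files, grouped by threat name, and a check that the pasted copy is complete. The Python below is an added example written for this thread, not code from the forum, from Kaspersky or from any poster. It assumes the one-line-per-object layout shown above (path, then either "Object is locked" or "Infected: <name>", then the action) and runs on a constructed, trimmed excerpt of that report; the quarantine-folder split is this example's own convention.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the Kaspersky Online Scanner report posted above
# (one report line per object; a trimmed excerpt, not the full scan).
SAMPLE_REPORT = r"""Kaspersky Online Scanner version: 5.0.98.0
Scan Statistics
Total number of scanned objects 100993
Number of viruses found 3
Number of infected objects 5
Number of suspicious objects 0
Infected Object Name Virus Name Last Action
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\X\Desktop\Fixing Computer\Download_mbam-setup.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\cc[1].exe Infected: Trojan.Win32.Vaklik.yu skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\ff[1].exe Infected: Trojan.Win32.Vaklik.yp skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
D:\i0.cmd Infected: Trojan.Win32.Vaklik.yp skipped
H:\i0.cmd Infected: Trojan.Win32.Vaklik.yp skipped
Scan process completed.
"""

# One result line: <path> then either "Object is locked" or "Infected: <name>", then the action.
# Paths contain spaces, so the path group is non-greedy and the line is anchored at both ends.
ENTRY_RE = re.compile(
    r'^(?P<path>.+?)\s+'
    r'(?:(?P<locked>Object is locked)|Infected:\s+(?P<threat>\S+))'
    r'\s+(?P<action>\S+)$'
)
STAT_RE = re.compile(
    r'^(?P<key>Number of (?:viruses found|infected objects|suspicious objects))\s+(?P<value>\d+)$'
)
# Detections sitting inside another AV product's quarantine folder are already contained;
# the marker is this example's own heuristic.
QUARANTINE_MARKER = '\\quarantine\\'


def parse_report(text):
    """Return (stats, entries): the scanner's counters and one dict per result line."""
    stats, entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = STAT_RE.match(line)
        if m:
            stats[m.group('key')] = int(m.group('value'))
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                'path': m.group('path'),
                'threat': m.group('threat'),   # None for locked (unscanned) objects
                'action': m.group('action'),
            })
    return stats, entries


def summarize(text):
    """Group detections by threat name, split live files from ones already in a
    quarantine folder, and cross-check the scanner's own counters against what was
    parsed (a mismatch means the pasted log is truncated or the format changed)."""
    stats, entries = parse_report(text)
    infected = [e for e in entries if e['threat'] is not None]
    by_threat = defaultdict(list)
    for e in infected:
        by_threat[e['threat']].append(e['path'])
    quarantined = [e['path'] for e in infected if QUARANTINE_MARKER in e['path'].lower()]
    live = [e['path'] for e in infected if QUARANTINE_MARKER not in e['path'].lower()]
    return {
        'by_threat': dict(by_threat),
        'live': live,
        'quarantined': quarantined,
        'locked_skipped': sum(1 for e in entries if e['threat'] is None),
        'drives_with_detections': sorted({e['path'][:2].upper() for e in infected}),
        'counters_consistent': (
            stats.get('Number of infected objects') == len(infected)
            and stats.get('Number of viruses found') == len(by_threat)
        ),
    }


if __name__ == '__main__':
    result = summarize(SAMPLE_REPORT)
    for threat, paths in result['by_threat'].items():
        print(threat)
        for p in paths:
            print('   ', p)
    print('live:', len(result['live']), 'quarantined:', len(result['quarantined']),
          'locked/skipped:', result['locked_skipped'],
          'counters consistent:', result['counters_consistent'])
```

On the excerpt this reports three threat names over five objects, two of them already inside the Trend Micro quarantine folder and three live (the downloader on the Desktop and the two i0.cmd files on D: and H:), which matches the counters the scanner printed. A detection on a removable drive's root, as here, is the kind of entry worth reading together with the drive's autorun settings rather than in isolation.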

#18 Scotty (Always Happy; Authentic Member, 3,634 posts)

Posted 08 April 2008 - 02:20 PM

Hi

You have a couple of files in Trend Micro's quarantine that need to go. What are the drives D & H?


#19 MinnieGrlC (New Member; Authentic Member, 17 posts)

Posted 08 April 2008 - 08:14 PM

Hi Scotty,

The D drive is just a partition of my internal hard drive. The H drive is the external hard drive. I went ahead and used Trend to delete the quarantined files. Is this all I need to do? It seems as if the same files come back during a virus scan no matter how many times I delete them.

I then manually went to the quarantined files by going to Program Files > Trend Micro > Internet Security > Quarantine. The cc[1].exe and ff[1].exe files are in there. When I try to delete it, it gives me an error message that says "Cannot cc[1].exe. Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use." The same error message happens when I tried to delete the ff[1].exe.

Help please :(

Edited by MinnieGrlC, 08 April 2008 - 08:19 PM.


#20 Scotty (Always Happy; Authentic Member, 3,634 posts)

Posted 09 April 2008 - 05:39 AM

Okay, let's see what's going on.

If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

There is a tutorial on the basic use of Combofix here:
http://www.bleepingc...to-use-combofix


Please download Combofix from Bleeping Computer.

If you can't download it from there, please try these 2 alternative sites:

Forospyware
Geeks to Go

  • Save it to your Desktop.
  • Disconnect from the Internet, then disable your anti-virus and any real-time anti-spyware monitors that are running.
  • Click Start>Run copy/paste or type "%userprofile%\desktop\combofix.exe" /killall into the Run box and click OK.
  • When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



In your next reply post:
ComboFix.txt
New HijackThis log taken after the above scan has run



#21 MinnieGrlC (New Member; Authentic Member, 17 posts)

Posted 09 April 2008 - 09:52 AM

Hi Scotty,

Here are the logs

COMBOFIX LOG

ComboFix 08-04-08.10 - X 2008-04-09 11:33:37.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.168 [GMT -4:00]
Running from: C:\Documents and Settings\X\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.

2008-04-08 12:47 . 2008-04-08 12:47 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-08 12:47 . 2008-04-08 12:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-07 21:15 . 2008-04-07 21:15 1,158 --a------ C:\WINDOWS\mozver.dat
2008-04-06 12:41 . 2008-04-06 12:41 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-06 12:41 . 2008-04-06 12:41 <DIR> d-------- C:\Documents and Settings\X\Application Data\Malwarebytes
2008-04-06 12:41 . 2008-04-06 12:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-06 12:40 . 2008-04-06 12:40 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-03 17:25 . 2008-04-03 17:25 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-03 17:25 . 2008-04-03 17:25 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-03 17:24 . 2008-04-03 17:24 <DIR> d-------- C:\Documents and Settings\X\Application Data\Apple Computer
2008-04-03 17:22 . 2008-04-03 18:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-03 17:21 . 2008-04-03 18:11 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-02 22:41 . 2006-08-21 05:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-04-02 22:41 . 2006-08-21 05:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-04-02 22:41 . 2006-08-21 08:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-04-02 21:36 . 2007-07-09 09:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-02 20:58 . 2007-07-30 20:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-02 20:58 . 2007-07-30 20:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-02 20:05 . 2008-04-08 15:54 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-02 18:48 . 2004-08-04 02:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-04-02 18:13 . 2008-04-02 18:13 376 --a------ C:\WINDOWS\ODBC.INI
2008-04-02 18:11 . 2008-04-02 18:11 <DIR> d-------- C:\WINDOWS\ShellNew
2008-04-02 18:09 . 2008-04-02 18:09 <DIR> d-------- C:\Documents and Settings\X\Application Data\Microsoft Web Folders
2008-04-02 17:51 . 2004-08-04 02:07 59,264 --a------ C:\WINDOWS\system32\drivers\usbaudio.sys
2008-04-02 17:51 . 2004-08-04 02:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-04-02 17:51 . 2004-08-04 02:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-02 17:51 . 2004-08-04 03:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-04-02 17:51 . 2001-08-17 17:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-04-02 16:55 . 2008-02-16 01:07 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-02 16:55 . 2008-02-16 01:07 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-04-02 16:55 . 2008-02-16 01:07 52,240 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-04-02 16:54 . 2008-04-02 16:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-04-02 16:43 . 2003-02-28 19:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-04-02 16:29 . 2008-04-02 16:29 <DIR> d-------- C:\WINDOWS\provisioning
2008-04-02 16:29 . 2008-04-02 16:29 <DIR> d-------- C:\WINDOWS\peernet
2008-04-02 16:26 . 2008-04-02 16:26 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-04-02 16:22 . 2005-06-28 11:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-02 16:19 . 2008-04-02 16:19 <DIR> d-------- C:\WINDOWS\EHome
2008-04-02 16:13 . 2004-08-04 01:56 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2008-04-02 16:13 . 2004-08-02 15:20 7,208 --------- C:\WINDOWS\system32\secupd.sig
2008-04-02 16:13 . 2004-08-02 15:20 4,569 --------- C:\WINDOWS\system32\secupd.dat
2008-04-02 16:00 . 2008-04-02 16:00 <DIR> d-------- C:\WINDOWS\system32\bits
2008-04-02 15:59 . 2008-04-02 15:59 <DIR> d-------- C:\Documents and Settings\X\Application Data\acccore
2008-04-02 15:59 . 2004-08-04 03:56 438,784 --------- C:\WINDOWS\system32\xpob2res.dll
2008-04-02 15:59 . 2004-08-04 03:56 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2008-04-02 15:59 . 2004-08-04 03:56 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-04-02 15:59 . 2004-08-04 03:56 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll
2008-04-02 15:59 . 2004-08-04 03:56 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2008-04-02 15:59 . 2008-04-02 15:59 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-02 15:58 . 2008-04-02 15:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-04-02 15:58 . 2008-04-02 15:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-04-02 15:57 . 2008-04-02 15:57 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-04-02 14:57 . 2008-04-02 15:59 <DIR> d-------- C:\Program Files\AIM6
2008-04-02 14:57 . 2008-04-02 14:57 <DIR> d---s---- C:\Documents and Settings\X\UserData
2008-04-02 14:56 . 2008-04-02 14:56 <DIR> d-------- C:\Program Files\Samsung ML-2010 Series
2008-04-02 14:56 . 2005-03-14 01:01 766 --------- C:\WINDOWS\Uninstall.ico
2008-04-02 14:55 . 2008-04-02 14:56 <DIR> d-------- C:\WINDOWS\Samsung
2008-04-02 14:55 . 2005-03-14 01:01 208,896 --------- C:\WINDOWS\system32\SSRemove.exe
2008-04-02 14:55 . 2005-03-03 00:32 151,552 --a------ C:\WINDOWS\system32\SSCoInst.exe
2008-04-02 14:55 . 2005-03-03 06:09 57,344 --a------ C:\WINDOWS\system32\SSCoInst.dll
2008-04-02 14:55 . 2005-03-14 01:01 41,984 --------- C:\WINDOWS\system32\drivers\DGIVECP.SYS
2008-04-02 14:55 . 2005-04-07 22:29 20,622 --a------ C:\WINDOWS\system32\SUGS2LMK.DLL
2008-04-02 14:55 . 2005-03-14 01:01 8,478 --------- C:\WINDOWS\system32\SP119.ICO
2008-04-02 14:55 . 2005-03-03 07:23 604 --a------ C:\WINDOWS\system32\SUGS2LMK.SMT
2008-04-02 14:53 . 2008-04-02 14:53 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-04-02 14:53 . 2002-08-03 12:17 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS
2008-04-02 14:53 . 2002-08-03 12:17 <DIR> d-------- C:\Documents and Settings\X\WINDOWS
2008-04-02 14:53 . 2002-08-15 13:32 <DIR> d-------- C:\Documents and Settings\X\Application Data\Sony Corporation
2008-04-02 14:53 . 2002-08-15 13:30 <DIR> d-------- C:\Documents and Settings\X\Application Data\InterTrust
2008-04-02 14:53 . 2002-08-03 12:17 <DIR> d-------- C:\Documents and Settings\Default User\WINDOWS
2008-04-02 14:53 . 2002-08-15 13:32 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\Sony Corporation
2008-04-02 14:53 . 2002-08-15 13:30 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\InterTrust

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 17:09 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-03 22:05 --------- d-----w C:\Program Files\QuickTime
2008-04-03 00:08 --------- d-----w C:\Program Files\Trend Micro
2008-04-02 22:09 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-02 18:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-16 05:07 65,936 ----a-w C:\WINDOWS\system32\drivers\tmtdi.sys
2008-02-16 05:07 35,856 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-02-16 05:07 202,768 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-02-16 05:07 1,126,072 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-04-26 20:17 102400]
"SiS Tray"="" []
"SiS KHooker"="C:\WINDOWS\System32\khooker.exe" [ ]
"LTSMMSG"="LTSMMSG.exe" [2002-07-20 12:22 32768 C:\WINDOWS\LTSMMSG.exe]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-07-03 20:17 40960]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe" [2002-08-15 13:44 146432]
"ZTgServerSwitch"="c:\program files\support.com\client\lserver\server.vbs" [2002-07-14 15:50 11406]
"Samsung Common SM"="C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" [2005-07-03 03:20 372736]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-26 15:19 1398024]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-03-21 21:00:00 65588]
VAIO Action Setup (Server).lnk - C:\Program Files\Sony\VAIO Action Setup\VAServ.exe [2002-08-15 13:26:39 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

R3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys [2002-07-20 12:22]

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 11:41:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\System32\WScript.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-04-09 11:47:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-09 15:46:47
ComboFix2.txt 2008-04-06 14:21:18
Pre-Run: 12,198,912,000 bytes free
Post-Run: 12,187,926,528 bytes free
.
2008-04-08 19:54:47 --- E O F ---

HIJACK THIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47, on 2008-04-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\WScript.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CheckHO Class - {576EB0AD-6980-11D5-A9CD-0001032FEE17} - C:\Program Files\Yahoo!\Common\ycheckh.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1207162649530
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1207162641873
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecu...asyInstallX.CAB
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

--
End of file - 5845 bytes
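The HijackThis log above is a fixed-format text file, and the helper's next question (where do cc[1].exe and ff[1].exe actually live, and what starts at logon) is the kind of thing a small parser answers faster than reading line by line. As an added example that is not code from the thread, from HijackThis or from Trend Micro, the Python below decodes the line types present in that log (header, running processes, O4 autoruns, O23 services) and lists the entries a reviewer would look at first. The triage labels are the example's own reading conventions, and the sample log is a constructed excerpt of the one posted.

```python
import re

# Constructed sample in the shape of the HijackThis v2.0.2 log posted above
# (a trimmed excerpt covering the same entry types, not the full scan).
SAMPLE_HJT = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47, on 2008-04-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\WScript.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe

--
End of file - 5845 bytes
"""

ITEM_RE = re.compile(r'^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$')
O4_REG_RE = re.compile(r'^(?P<location>.+?): \[(?P<name>[^\]]*)\] (?P<command>.*)$')
O4_LNK_RE = re.compile(r'^(?P<location>.+?): (?P<name>.+?) = (?P<command>.*)$')
O23_RE = re.compile(
    r'^Service: (?P<display>.+) \((?P<short>[^()]+)\) - (?P<vendor>.+?) - (?P<path>.+)$'
)
# An unquoted command line is cut at the first executable/script extension that is
# followed by whitespace or end of line, so "c:\program files\...\x.vbs" stays whole.
IMAGE_RE = re.compile(
    r'^(?P<image>.+?\.(?:exe|com|scr|dll|vbs|vbe|js|wsf|cmd|bat))(?=\s|$)', re.IGNORECASE
)
SCRIPT_EXTS = ('.vbs', '.vbe', '.js', '.wsf', '.cmd', '.bat')


def parse_hjt(text):
    """Split a HijackThis log into (header dict, running processes, [(code, body), ...])."""
    header, processes, items = {}, [], []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == 'Running processes:':
            section = 'processes'
            continue
        m = ITEM_RE.match(line)
        if m:
            section = 'items'
            items.append((m.group('code'), m.group('body')))
        elif section == 'processes':
            processes.append(line)
        elif section is None and ': ' in line:
            key, _, value = line.partition(': ')
            header[key] = value
    return header, processes, items


def extract_image(command):
    """The program an autorun entry launches: a quoted path verbatim, otherwise the
    text up to the first recognised extension (the whole string as a fallback)."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = IMAGE_RE.match(cmd)
    return m.group('image') if m else cmd


def classify(command):
    """Triage label for an O4 entry; these labels are this example's conventions."""
    if command.strip() == '?':
        return 'unresolved target'
    image = extract_image(command)
    low = image.lower()
    if low.rsplit('\\', 1)[-1] == 'rundll32.exe':
        return 'rundll32 host (the real module is the DLL argument)'
    if '\\' not in image:
        return 'bare name (which file runs depends on the search path)'
    if low.endswith(SCRIPT_EXTS):
        return 'script run by an interpreter'
    return 'executable'


def autoruns(items):
    """Decode O4 entries (registry Run values and Startup-folder shortcuts)."""
    out = []
    for code, body in items:
        if code != 'O4':
            continue
        m = O4_REG_RE.match(body) or O4_LNK_RE.match(body)
        if not m:
            continue
        command = m.group('command')
        out.append({
            'location': m.group('location'),
            'name': m.group('name'),
            'image': None if command.strip() == '?' else extract_image(command),
            'triage': classify(command),
        })
    return out


def services(items):
    """Decode O23 entries; HijackThis prints 'Unknown owner' when the binary has no vendor name."""
    return [O23_RE.match(body).groupdict()
            for code, body in items if code == 'O23' and O23_RE.match(body)]


def review_points(text):
    """What to read first: every autorun that is not a plain, fully pathed executable,
    plus services whose binary carries no vendor name."""
    _, _, items = parse_hjt(text)
    points = [(a['name'], a['triage']) for a in autoruns(items) if a['triage'] != 'executable']
    points += [(s['short'], 'service with unknown owner')
               for s in services(items) if s['vendor'] == 'Unknown owner']
    return points


if __name__ == '__main__':
    for name, why in review_points(SAMPLE_HJT):
        print(f'{name:45} {why}')
```

The labels are not verdicts: a bare name such as LTSMMSG.exe or a .vbs launched from a Run value is often a legitimate OEM component, as it appears to be here, but it is the entry whose on-disk file a reviewer confirms first, because the log alone does not say which file will actually run.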

#22 Scotty (Always Happy; Authentic Member, 3,634 posts)

Posted 09 April 2008 - 02:21 PM

Could you find the full file names for those two files, for example, C:\Windows\system32\cc[1].exe?

Then check these three folders are indeed empty:
C:\WINDOWS\system32\config\systemprofile\WINDOWS
C:\Documents and Settings\X\WINDOWS
C:\Documents and Settings\Default User\WINDOWS

If they are, delete them.



Remember to disconnect from the Internet before carrying out the next instruction, and to save the following script before you do.


Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C

KillAll::
 
File::
D:\i0.cmd
H:\i0.cmd

DirLook::
C:\WINDOWS\system32\Microsoft

Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

Posted Image


Referring to the picture above, drag CFScript into ComboFix.exe.

In your next reply post:
ComboFix.txt
New HijackThis log taken after the above scan has run



#23 MinnieGrlC (New Member; Authentic Member, 17 posts)

Posted 09 April 2008 - 06:01 PM

Hi Scotty,

I went ahead and deleted the 3 folders.

I tried looking for the full name of cc[1].exe and ff[1].exe, but I could not find it. The only place I see them on my computer is in Trend's quarantine folder, C:\Program Files\Trend Micro\Internet Security\Quarantine.

Here are the logs.

COMBOFIX LOG

ComboFix 08-04-08.10 - X 2008-04-09 7:38:35.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.170 [GMT -4:00]
Running from: C:\Documents and Settings\X\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\X\Desktop\CFScript.txt
* Created a new restore point

FILE ::
D:\i0.cmd
H:\i0.cmd
.

((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.

2008-04-09 06:47 . 2008-04-09 06:47 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-08 12:47 . 2008-04-08 12:47 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-08 12:47 . 2008-04-08 12:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-07 21:15 . 2008-04-07 21:15 1,158 --a------ C:\WINDOWS\mozver.dat
2008-04-06 12:41 . 2008-04-06 12:41 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-06 12:41 . 2008-04-06 12:41 <DIR> d-------- C:\Documents and Settings\X\Application Data\Malwarebytes
2008-04-06 12:41 . 2008-04-06 12:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-06 12:40 . 2008-04-06 12:40 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-03 17:25 . 2008-04-03 17:25 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-03 17:25 . 2008-04-03 17:25 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-03 17:24 . 2008-04-03 17:24 <DIR> d-------- C:\Documents and Settings\X\Application Data\Apple Computer
2008-04-03 17:22 . 2008-04-03 18:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-03 17:21 . 2008-04-03 18:11 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-02 22:41 . 2006-08-21 05:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-04-02 22:41 . 2006-08-21 05:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-04-02 22:41 . 2006-08-21 08:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-04-02 21:36 . 2007-07-09 09:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-02 20:58 . 2007-07-30 20:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-02 20:58 . 2007-07-30 20:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-02 20:05 . 2008-04-08 15:54 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-02 18:48 . 2004-08-04 02:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-04-02 18:13 . 2008-04-02 18:13 376 --a------ C:\WINDOWS\ODBC.INI
2008-04-02 18:11 . 2008-04-02 18:11 <DIR> d-------- C:\WINDOWS\ShellNew
2008-04-02 18:09 . 2008-04-02 18:09 <DIR> d-------- C:\Documents and Settings\X\Application Data\Microsoft Web Folders
2008-04-02 17:51 . 2004-08-04 02:07 59,264 --a------ C:\WINDOWS\system32\drivers\usbaudio.sys
2008-04-02 17:51 . 2004-08-04 02:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-04-02 17:51 . 2004-08-04 02:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-02 17:51 . 2004-08-04 03:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-04-02 17:51 . 2001-08-17 17:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-04-02 16:55 . 2008-02-16 01:07 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-02 16:55 . 2008-02-16 01:07 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-04-02 16:55 . 2008-02-16 01:07 52,240 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-04-02 16:54 . 2008-04-02 16:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-04-02 16:43 . 2003-02-28 19:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-04-02 16:29 . 2008-04-02 16:29 <DIR> d-------- C:\WINDOWS\provisioning
2008-04-02 16:29 . 2008-04-02 16:29 <DIR> d-------- C:\WINDOWS\peernet
2008-04-02 16:26 . 2008-04-02 16:26 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-04-02 16:22 . 2005-06-28 11:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-02 16:19 . 2008-04-02 16:19 <DIR> d-------- C:\WINDOWS\EHome
2008-04-02 16:13 . 2004-08-04 01:56 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2008-04-02 16:13 . 2004-08-02 15:20 7,208 --------- C:\WINDOWS\system32\secupd.sig
2008-04-02 16:13 . 2004-08-02 15:20 4,569 --------- C:\WINDOWS\system32\secupd.dat
2008-04-02 16:00 . 2008-04-02 16:00 <DIR> d-------- C:\WINDOWS\system32\bits
2008-04-02 15:59 . 2008-04-02 15:59 <DIR> d-------- C:\Documents and Settings\X\Application Data\acccore
2008-04-02 15:59 . 2004-08-04 03:56 438,784 --------- C:\WINDOWS\system32\xpob2res.dll
2008-04-02 15:59 . 2004-08-04 03:56 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2008-04-02 15:59 . 2004-08-04 03:56 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-04-02 15:59 . 2004-08-04 03:56 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll
2008-04-02 15:59 . 2004-08-04 03:56 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2008-04-02 15:59 . 2008-04-02 15:59 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-02 15:58 . 2008-04-02 15:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-04-02 15:58 . 2008-04-02 15:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-04-02 15:57 . 2008-04-02 15:57 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-04-02 14:57 . 2008-04-02 15:59 <DIR> d-------- C:\Program Files\AIM6
2008-04-02 14:57 . 2008-04-02 14:57 <DIR> d---s---- C:\Documents and Settings\X\UserData
2008-04-02 14:56 . 2008-04-02 14:56 <DIR> d-------- C:\Program Files\Samsung ML-2010 Series
2008-04-02 14:56 . 2005-03-14 01:01 766 --------- C:\WINDOWS\Uninstall.ico
2008-04-02 14:55 . 2008-04-02 14:56 <DIR> d-------- C:\WINDOWS\Samsung
2008-04-02 14:55 . 2005-03-14 01:01 208,896 --------- C:\WINDOWS\system32\SSRemove.exe
2008-04-02 14:55 . 2005-03-03 00:32 151,552 --a------ C:\WINDOWS\system32\SSCoInst.exe
2008-04-02 14:55 . 2005-03-03 06:09 57,344 --a------ C:\WINDOWS\system32\SSCoInst.dll
2008-04-02 14:55 . 2005-03-14 01:01 41,984 --------- C:\WINDOWS\system32\drivers\DGIVECP.SYS
2008-04-02 14:55 . 2005-04-07 22:29 20,622 --a------ C:\WINDOWS\system32\SUGS2LMK.DLL
2008-04-02 14:55 . 2005-03-14 01:01 8,478 --------- C:\WINDOWS\system32\SP119.ICO
2008-04-02 14:55 . 2005-03-03 07:23 604 --a------ C:\WINDOWS\system32\SUGS2LMK.SMT
2008-04-02 14:53 . 2008-04-02 14:53 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-04-02 14:53 . 2002-08-15 13:32 <DIR> d-------- C:\Documents and Settings\X\Application Data\Sony Corporation
2008-04-02 14:53 . 2002-08-15 13:30 <DIR> d-------- C:\Documents and Settings\X\Application Data\InterTrust
2008-04-02 14:53 . 2002-08-15 13:32 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\Sony Corporation
2008-04-02 14:53 . 2002-08-15 13:30 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\InterTrust

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 17:09 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-03 22:05 --------- d-----w C:\Program Files\QuickTime
2008-04-03 00:08 --------- d-----w C:\Program Files\Trend Micro
2008-04-02 22:09 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-02 18:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-16 05:07 65,936 ----a-w C:\WINDOWS\system32\drivers\tmtdi.sys
2008-02-16 05:07 35,856 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-02-16 05:07 202,768 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-02-16 05:07 1,126,072 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\system32\Microsoft ----

2008-04-02 14:53 388 --ahs---- C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\242be35d-23fe-4f6f-a315-8518d7df7acc
2008-04-02 14:53 24 --ahs---- C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-04-26 20:17 102400]
"SiS Tray"="" []
"SiS KHooker"="C:\WINDOWS\System32\khooker.exe" [ ]
"LTSMMSG"="LTSMMSG.exe" [2002-07-20 12:22 32768 C:\WINDOWS\LTSMMSG.exe]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-07-03 20:17 40960]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe" [2002-08-15 13:44 146432]
"ZTgServerSwitch"="c:\program files\support.com\client\lserver\server.vbs" [2002-07-14 15:50 11406]
"Samsung Common SM"="C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" [2005-07-03 03:20 372736]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-26 15:19 1398024]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-03-21 21:00:00 65588]
VAIO Action Setup (Server).lnk - C:\Program Files\Sony\VAIO Action Setup\VAServ.exe [2002-08-15 13:26:39 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

R3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys [2002-07-20 12:22]

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 07:45:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\System32\WScript.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-04-09 7:50:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-09 11:50:29
ComboFix2.txt 2008-04-09 15:47:04
ComboFix3.txt 2008-04-06 14:21:18
Pre-Run: 12,150,714,368 bytes free
Post-Run: 12,140,220,416 bytes free
.
2008-04-08 19:54:47 --- E O F ---

HIJACK THIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:51, on 2008-04-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\WScript.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CheckHO Class - {576EB0AD-6980-11D5-A9CD-0001032FEE17} - C:\Program Files\Yahoo!\Common\ycheckh.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1207162649530
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1207162641873
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecu...asyInstallX.CAB
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

--
End of file - 5878 bytes
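Triage logic of the kind a helper applies to the "Reg Loading Points" section of the ComboFix log above, as an added example (not code from the thread, from ComboFix or from HijackThis): it parses the autorun entries and flags empty values, entries with no file metadata, bare file names that are resolved through the search path, script-interpreter targets (which explains the WScript.exe in the process list), and the Security Center monitoring switch. The sample lines are copied from the log above; the reading that an empty bracket means ComboFix recorded no file metadata for the target is an assumption.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the "Reg Loading Points" section of the
# ComboFix log posted in this thread (the lines are the thread's own).
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"SiS Tray"="" []
"SiS KHooker"="C:\WINDOWS\System32\khooker.exe" [ ]
"LTSMMSG"="LTSMMSG.exe" [2002-07-20 12:22 32768 C:\WINDOWS\LTSMMSG.exe]
"ZTgServerSwitch"="c:\program files\support.com\client\lserver\server.vbs" [2002-07-14 15:50 11406]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-26 15:19 1398024]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
"""

# A registry key header, e.g. [HKEY_LOCAL_MACHINE\...\Run]
SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"="target" [metadata]  -- the bracket holds date, time and size when
# ComboFix could stat the file (assumption: it is left empty otherwise).
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<target>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$')
# "name"=dword:XXXXXXXX
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})$')
# Targets that run under a script host rather than as a native image.
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".cmd", ".bat", ".hta")


@dataclass(frozen=True)
class Finding:
    section: str
    name: str
    target: str
    reason: str


def triage_loading_points(text: str) -> list[Finding]:
    """Walk the Reg Loading Points section and return entries worth a second look."""
    findings: list[Finding] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key")
            continue
        m = DWORD_RE.match(line)
        if m:
            # Security Center "DisableMonitoring"=1 is normal when a third-party
            # AV registers itself, but a helper confirms which product set it.
            if (m.group("name").lower() == "disablemonitoring"
                    and "security center\\monitoring" in section.lower()
                    and int(m.group("hex"), 16) == 1):
                findings.append(Finding(section, m.group("name"), m.group("hex"),
                                        "Security Center monitoring disabled for this product"))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, target, meta = m.group("name"), m.group("target"), m.group("meta").strip()
        if not target:
            findings.append(Finding(section, name, target, "empty autorun value (orphaned entry)"))
            continue
        if not meta:
            findings.append(Finding(section, name, target,
                                    "no file metadata recorded; target may be missing from disk"))
        if "\\" not in target:
            findings.append(Finding(section, name, target,
                                    "bare file name resolved via search path; verify which copy runs"))
        if target.lower().endswith(SCRIPT_EXT):
            findings.append(Finding(section, name, target,
                                    "script-interpreter autorun (runs under WScript/CScript)"))
    return findings


if __name__ == "__main__":
    for f in triage_loading_points(SAMPLE_LOG):
        print(f"[{f.section.rsplit(chr(92), 1)[-1]}] {f.name!r} -> {f.target!r}: {f.reason}")
```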

#24 Scotty (Always Happy, Authentic Member, 3,634 posts)

Posted 10 April 2008 - 03:53 AM

Hi

Navigate to and delete the following files and/or folders (if they are present):

Files:
D:\i0.cmd
H:\i0.cmd


Remember to disconnect from the Internet before carrying out the next instruction, and to save the following script before you do.


Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C

KillAll::
 
File::
C:\Program Files\Trend Micro\Internet Security\Quarantine\cc[1].exe
C:\Program Files\Trend Micro\Internet Security\Quarantine\ff[1].exe

Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

Posted Image


Referring to the picture above, drag CFScript into ComboFix.exe


Let's run an F-Secure online scan; it will scan for Viruses, Spyware and RootKits:
  • Click HERE
  • Scroll to the bottom of the page and click the Start Scanning button. A window will pop up.
  • Allow the Active X control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
    Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post

Note: This scan will only work with Internet Explorer.
You must be logged on with administrator rights to run this scan.
The scan may take a few hours.



In your next reply post:
ComboFix.txt
F-Secure report
New HijackThis log taken after the above scan has run


#25 MinnieGrlC (New Member, Authentic Member, 17 posts)

Posted 10 April 2008 - 07:15 PM

Hi Scotty,

I tried to locate D:\i0.cmd and H:\i0.cmd, but did not see them on either drive.

Here are the logs

COMBOFIX LOG

ComboFix 08-04-08.10 - X 2008-04-10 18:26:26.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.177 [GMT -4:00]
Running from: C:\Documents and Settings\X\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\X\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Program Files\Trend Micro\Internet Security\Quarantine\cc[1].exe
C:\Program Files\Trend Micro\Internet Security\Quarantine\ff[1].exe
.

((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))
.

2008-04-09 06:47 . 2008-04-09 06:47 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-08 12:47 . 2008-04-08 12:47 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-08 12:47 . 2008-04-08 12:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-07 21:15 . 2008-04-07 21:15 1,158 --a------ C:\WINDOWS\mozver.dat
2008-04-06 12:41 . 2008-04-06 12:41 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-06 12:41 . 2008-04-06 12:41 <DIR> d-------- C:\Documents and Settings\X\Application Data\Malwarebytes
2008-04-06 12:41 . 2008-04-06 12:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-06 12:40 . 2008-04-06 12:40 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-03 17:25 . 2008-04-03 17:25 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-03 17:25 . 2008-04-03 17:25 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-03 17:24 . 2008-04-03 17:24 <DIR> d-------- C:\Documents and Settings\X\Application Data\Apple Computer
2008-04-03 17:22 . 2008-04-03 18:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-03 17:21 . 2008-04-03 18:11 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-02 22:41 . 2006-08-21 05:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-04-02 22:41 . 2006-08-21 05:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-04-02 22:41 . 2006-08-21 08:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-04-02 21:36 . 2007-07-09 09:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-02 20:58 . 2007-07-30 20:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-02 20:58 . 2007-07-30 20:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-02 20:05 . 2008-04-08 15:54 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-02 18:48 . 2004-08-04 02:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-04-02 18:13 . 2008-04-02 18:13 376 --a------ C:\WINDOWS\ODBC.INI
2008-04-02 18:11 . 2008-04-02 18:11 <DIR> d-------- C:\WINDOWS\ShellNew
2008-04-02 18:09 . 2008-04-02 18:09 <DIR> d-------- C:\Documents and Settings\X\Application Data\Microsoft Web Folders
2008-04-02 17:51 . 2004-08-04 02:07 59,264 --a------ C:\WINDOWS\system32\drivers\usbaudio.sys
2008-04-02 17:51 . 2004-08-04 02:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-04-02 17:51 . 2004-08-04 02:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-02 17:51 . 2004-08-04 03:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-04-02 17:51 . 2001-08-17 17:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-04-02 16:55 . 2008-02-16 01:07 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-02 16:55 . 2008-02-16 01:07 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-04-02 16:55 . 2008-02-16 01:07 52,240 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-04-02 16:54 . 2008-04-02 16:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-04-02 16:43 . 2003-02-28 19:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-04-02 16:29 . 2008-04-02 16:29 <DIR> d-------- C:\WINDOWS\provisioning
2008-04-02 16:29 . 2008-04-02 16:29 <DIR> d-------- C:\WINDOWS\peernet
2008-04-02 16:26 . 2008-04-02 16:26 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-04-02 16:22 . 2005-06-28 11:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-02 16:19 . 2008-04-02 16:19 <DIR> d-------- C:\WINDOWS\EHome
2008-04-02 16:13 . 2004-08-04 01:56 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2008-04-02 16:13 . 2004-08-02 15:20 7,208 --------- C:\WINDOWS\system32\secupd.sig
2008-04-02 16:13 . 2004-08-02 15:20 4,569 --------- C:\WINDOWS\system32\secupd.dat
2008-04-02 16:00 . 2008-04-02 16:00 <DIR> d-------- C:\WINDOWS\system32\bits
2008-04-02 15:59 . 2008-04-02 15:59 <DIR> d-------- C:\Documents and Settings\X\Application Data\acccore
2008-04-02 15:59 . 2004-08-04 03:56 438,784 --------- C:\WINDOWS\system32\xpob2res.dll
2008-04-02 15:59 . 2004-08-04 03:56 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2008-04-02 15:59 . 2004-08-04 03:56 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-04-02 15:59 . 2004-08-04 03:56 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll
2008-04-02 15:59 . 2004-08-04 03:56 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2008-04-02 15:59 . 2008-04-02 15:59 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-02 15:58 . 2008-04-02 15:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-04-02 15:58 . 2008-04-02 15:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-04-02 15:57 . 2008-04-02 15:57 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-04-02 14:57 . 2008-04-02 15:59 <DIR> d-------- C:\Program Files\AIM6
2008-04-02 14:57 . 2008-04-02 14:57 <DIR> d---s---- C:\Documents and Settings\X\UserData
2008-04-02 14:56 . 2008-04-02 14:56 <DIR> d-------- C:\Program Files\Samsung ML-2010 Series
2008-04-02 14:56 . 2005-03-14 01:01 766 --------- C:\WINDOWS\Uninstall.ico
2008-04-02 14:55 . 2008-04-02 14:56 <DIR> d-------- C:\WINDOWS\Samsung
2008-04-02 14:55 . 2005-03-14 01:01 208,896 --------- C:\WINDOWS\system32\SSRemove.exe
2008-04-02 14:55 . 2005-03-03 00:32 151,552 --a------ C:\WINDOWS\system32\SSCoInst.exe
2008-04-02 14:55 . 2005-03-03 06:09 57,344 --a------ C:\WINDOWS\system32\SSCoInst.dll
2008-04-02 14:55 . 2005-03-14 01:01 41,984 --------- C:\WINDOWS\system32\drivers\DGIVECP.SYS
2008-04-02 14:55 . 2005-04-07 22:29 20,622 --a------ C:\WINDOWS\system32\SUGS2LMK.DLL
2008-04-02 14:55 . 2005-03-14 01:01 8,478 --------- C:\WINDOWS\system32\SP119.ICO
2008-04-02 14:55 . 2005-03-03 07:23 604 --a------ C:\WINDOWS\system32\SUGS2LMK.SMT
2008-04-02 14:53 . 2008-04-02 14:53 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-04-02 14:53 . 2002-08-15 13:32 <DIR> d-------- C:\Documents and Settings\X\Application Data\Sony Corporation
2008-04-02 14:53 . 2002-08-15 13:30 <DIR> d-------- C:\Documents and Settings\X\Application Data\InterTrust
2008-04-02 14:53 . 2002-08-15 13:32 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\Sony Corporation
2008-04-02 14:53 . 2002-08-15 13:30 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\InterTrust

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 17:09 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-03 22:05 --------- d-----w C:\Program Files\QuickTime
2008-04-03 00:08 --------- d-----w C:\Program Files\Trend Micro
2008-04-02 22:09 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-02 18:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-16 05:07 65,936 ----a-w C:\WINDOWS\system32\drivers\tmtdi.sys
2008-02-16 05:07 35,856 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-02-16 05:07 202,768 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-02-16 05:07 1,126,072 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-04-26 20:17 102400]
"SiS Tray"="" []
"SiS KHooker"="C:\WINDOWS\System32\khooker.exe" [ ]
"LTSMMSG"="LTSMMSG.exe" [2002-07-20 12:22 32768 C:\WINDOWS\LTSMMSG.exe]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-07-03 20:17 40960]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe" [2002-08-15 13:44 146432]
"ZTgServerSwitch"="c:\program files\support.com\client\lserver\server.vbs" [2002-07-14 15:50 11406]
"Samsung Common SM"="C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" [2005-07-03 03:20 372736]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-26 15:19 1398024]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-03-21 21:00:00 65588]
VAIO Action Setup (Server).lnk - C:\Program Files\Sony\VAIO Action Setup\VAServ.exe [2002-08-15 13:26:39 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

R3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys [2002-07-20 12:22]

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 18:33:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\System32\WScript.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-04-10 18:39:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-10 22:39:28
ComboFix2.txt 2008-04-09 11:50:46
ComboFix3.txt 2008-04-09 15:47:04
ComboFix4.txt 2008-04-06 14:21:18
Pre-Run: 12,104,806,400 bytes free
Post-Run: 12,095,512,576 bytes free
.
2008-04-08 19:54:47 --- E O F ---

F-SECURE LOG

Scanning Report
Thursday, April 10, 2008 18:54:47 - 21:09:32

Computer name: CHRIS
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\ H:\
Result: 2 malware found
Downloader.Win32.WinFixer (spyware)

* System

Tracking Cookie (spyware)

* System

Statistics
Scanned:

* Files: 75718
* System: 3037
* Not scanned: 8

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 2
* Submitted: 0

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{6665F994-2704-44AB-B19C-639F9CA0581A}.BIN

Options
Scanning engines:

* F-Secure USS: 2.30.0
* F-Secure Hydra: 2.8.8110, 2008-04-10
* F-Secure AVP: 7.0.171, 2008-04-11
* F-Secure Pegasus: 1.20.0, 2008-02-28
* F-Secure Blacklight: 1.0.64

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics

HIJACK THIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:11, on 2008-04-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\WScript.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\internet explorer\iexplore.exe
C:\DOCUME~1\X\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe
C:\DOCUME~1\X\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CheckHO Class - {576EB0AD-6980-11D5-A9CD-0001032FEE17} - C:\Program Files\Yahoo!\Common\ycheckh.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1207162649530
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1207162641873
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecu...asyInstallX.CAB
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

--
End of file - 6481 bytes


#26 Scotty

    Always Happy

  • Authentic Member
  • 3,634 posts

Posted 11 April 2008 - 02:22 AM

Okay. See if those files are still on your system. Use the search box.
You too could train to help others- Join the Classroom


#27 MinnieGrlC

    New Member

  • Authentic Member
  • 17 posts

Posted 11 April 2008 - 04:41 PM

Hi Scotty, The first time I tried to locate the files I used the search function. I tried again, and I still cannot locate them. Thank you.

#28 Scotty

    Always Happy

  • Authentic Member
  • 3,634 posts

Posted 11 April 2008 - 04:44 PM

Have another go with your anti-virus and see if they still appear.

#29 MinnieGrlC

    New Member

  • Authentic Member
  • 17 posts

Posted 12 April 2008 - 07:58 AM

Hi Scotty, I scanned using Trend, and it did not turn up any viruses. I then did another Kaspersky scan, and it seems like the cc[1].exe and ff[1].exe are still there, but in another folder. Here is the log.

2008-04-12 04:39
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/04/2008
Kaspersky Anti-Virus database records: 699068

Scan Settings
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics
Total number of scanned objects: 102132
Number of viruses found: 3
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 01:13:08

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Sony Corporation\SonicStage\Packages\MtData.ldb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sony Corporation\SonicStage\Packages\MtData.mdb Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\X\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\X\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\X\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\X\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\X\Local Settings\History\History.IE5\MSHist012008041220080413\index.dat Object is locked skipped
C:\Documents and Settings\X\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\X\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\X\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\Trend Micro\Internet Security\Quarantine\cc[1].exe.vir Infected: Trojan.Win32.Vaklik.yu skipped
C:\QooBox\Quarantine\C\Program Files\Trend Micro\Internet Security\Quarantine\ff[1].exe.vir Infected: Trojan.Win32.Vaklik.yp skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP36\A0007198.exe Infected: Trojan.Win32.Vaklik.yu skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP36\A0007199.exe Infected: Trojan.Win32.Vaklik.yp skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP36\A0007257.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP37\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{6665F994-2704-44AB-B19C-639F9CA0581A}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\JET6716.tmp Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Edited by MinnieGrlC, 12 April 2008 - 07:59 AM.
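The point of the report above is where the five hits sit: two are ComboFix quarantine copies under C:\QooBox\Quarantine (the .vir suffix) and three are System Restore copies under System Volume Information, none of them in a location Windows would run from. The following is an added example, not code from the thread or from Kaspersky, that parses the "Infected:" and "Object is locked" lines of a Kaspersky Online Scanner report and sorts the detections into live, quarantine and restore-point buckets. The sample report is constructed: its lines are copied from the post above except the final example.exe hit, which is invented here so the live branch is exercised. Which folders count as inert is this example's own assumption.

```python
"""Sort the detections in a Kaspersky Online Scanner report by where they sit.

Added example; not code from the thread or from Kaspersky. SAMPLE_REPORT is
constructed: most lines are copied from the report posted above, and the
example.exe line is invented here so that the "live" branch is exercised.
Treating ComboFix's C:\QooBox\Quarantine, any *.vir quarantine copy and
System Volume Information restore points as inert is this example's own
assumption about where a detection cannot be a running file.
"""
import re

SAMPLE_REPORT = r"""
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\Trend Micro\Internet Security\Quarantine\cc[1].exe.vir Infected: Trojan.Win32.Vaklik.yu skipped
C:\QooBox\Quarantine\C\Program Files\Trend Micro\Internet Security\Quarantine\ff[1].exe.vir Infected: Trojan.Win32.Vaklik.yp skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP36\A0007198.exe Infected: Trojan.Win32.Vaklik.yu skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP36\A0007199.exe Infected: Trojan.Win32.Vaklik.yp skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP36\A0007257.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\example.exe Infected: Trojan.Win32.Example.a skipped
Scan process completed.
"""
# The example.exe line above is a constructed, hypothetical hit, not from the post.

# "<path> Infected: <detection name> <last action>"
DETECT_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
# "<path> Object is locked <last action>"  (files the scanner could not open)
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\S+)$")


def parse_report(text):
    """Return (detections, locked_paths) from the report body."""
    hits, locked = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = DETECT_RE.match(line)
        if m:
            hits.append(m.groupdict())
            continue
        m = LOCKED_RE.match(line)
        if m:
            locked.append(m.group("path"))
    return hits, locked


def location_class(path):
    """Classify a detection path as quarantine, restore_point or live."""
    p = path.lower()
    if p.startswith("c:\\qoobox\\quarantine\\") or "\\quarantine\\" in p or p.endswith(".vir"):
        return "quarantine"
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    return "live"


def triage(text):
    """Bucket every detection by location; only "live" entries need removal."""
    hits, _ = parse_report(text)
    buckets = {"live": [], "quarantine": [], "restore_point": []}
    for h in hits:
        buckets[location_class(h["path"])].append((h["path"], h["name"]))
    return buckets


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_REPORT).items():
        print(f"{bucket}: {len(entries)}")
        for path, name in entries:
            print(f"   {name:45s} {path}")
```

A restore-point copy is not running, but it comes back if that restore point is ever used, so it is cleared by purging System Restore (on XP, turning System Restore off and on again, or dropping the old points) rather than by deleting the file by hand. Quarantine copies disappear when the tool that made them is uninstalled, which is what the ComboFix /u step in the next post does.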


#30 Scotty

    Always Happy

  • Authentic Member
  • 3,634 posts

Posted 12 April 2008 - 08:10 AM

Phew, Combo has them.

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u; it needs to be there.

Then I refer you back to my all-clean speech earlier here.
