Ie: Virtumonde, Purityscan, Win32trats, Agent.aoy Etc


15 replies to this topic

#1 moera

Posted 08 February 2008 - 01:38 PM

Hello,
My computer was acting strangely: slow, mouse acting weird, etc. Spybot Search & Destroy wasn't working, so I installed PC Tools Spyware Doctor and AntiVirus, which turned up a bunch of nasties that I quarantined.
Now I get a constant error message: "The program [c:\windows\explorer.exe] caused a problem and is going to close. Would you like to save a dump file?"

List of nasties found by Spyware Doctor and AntiVirus:

Trojan.Virtumonde 32 - details for this show C:\windows\system32\ikkj.ini and HKEY_CLASSES_ROOT\CLSID
Adware.Adsponser 74
Trojan.PurityScan 11
Trojan.Agent.AOY 17 - details are HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DOMAINSERVICE and a bunch of lines like this.
Adware.Media.Tickets
Trojan-Downloader.ConHook - details for this show HKEY_USERS\S-1-5-21-xxxxxxxxxxx\Software\Microsoft\MS Juan
Adware.Maxifiles 6
Virus.Win32Trats 25 - details for this show c:\windows\system32\jikki.exe and igfxpers.exe.vzr, hkcmd.exe.vzr, etc.
Adware.Vundo 14 - details for this show a bunch of DLLs: C:\windows\system32\uwbsrpvel.dll, tbasxver.dll, phqghxic.dll, otagojka.dll, ntelhbwe.dll, kurkeakn.dll, jfiedfld.dll, hxuyoywe.dll, and the list goes on.

After I quarantined these items I ran HijackThis, and this is what I got.

Here is my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:52:02 PM, on 1/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\bmwebcfg.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Handspring\Hotsync.exe
C:\Program Files\USB Sharing\usbshare.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Hide My IP 2007\HideMyIP2007 .exe
C:\WINDOWS\hh.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Claire\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-3508662953-893734198-667811734-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Administrator')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Handspring\Hotsync.exe
O4 - Global Startup: USB Sharing.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: Intel PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Intel PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 8511 bytes

I would appreciate all or any help.
Thanks



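An added example, not part of the thread and not a BleepingComputer or Trend Micro tool: a small Python script that parses HijackThis entries like the ones in the log above and pulls out the items a helper reads first. The O10 lines matter because a Winsock Layered Service Provider DLL is loaded into every process that opens a socket, so an unknown one sits in the path of all network traffic; one DLL normally appears once per protocol chain it hooks, so repeats of `securenet.dll` are expected, while `bmnet.dll` being recorded by bare filename means the loader resolves it through the DLL search path rather than a fixed location. The sample log is constructed from lines in the post; the `(no name)` BHO line and its all-zero CLSID are placeholders added for illustration, not something from the page.

```python
"""Triage a HijackThis log: parse each O-line, pull out the file it points
at, and list what a malware helper reads first.  Added example; the sample
log below is constructed from lines in the post and is not a real scan."""
import re
from collections import Counter

ENTRY_RE = re.compile(r"^(?P<code>[ORF]\d+) - (?P<body>.*)$")
# Drive-letter path up to the first executable-looking extension.  Lazy, so
# "Acrobat 7.0\ActiveX\x.dll" stops at ".dll" rather than at ".0".
DRIVE_PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ini|sys)\b", re.IGNORECASE)
# Bare file name with no directory, as HijackThis prints an LSP entry whose
# catalog record stores only a name (the loader then resolves it through the
# DLL search path instead of a fixed location).
BARE_FILE_RE = re.compile(r"\b[\w\-]+\.(?:exe|dll|sys)\b", re.IGNORECASE)

# Constructed sample modelled on the log in the post.  The "(no name)" BHO
# line and its all-zero CLSID are placeholders added for illustration.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\tbasxver.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
"""


def parse_entries(log_text):
    """Return (code, body, path) tuples; path is None when no file is named."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, "Running processes" block, blank lines
        body = m.group("body")
        pm = DRIVE_PATH_RE.search(body) or BARE_FILE_RE.search(body)
        entries.append((m.group("code"), body, pm.group(0) if pm else None))
    return entries


def lsp_chain(entries):
    """How many Winsock catalog registrations each LSP file has (O10 lines).
    One DLL normally appears once per protocol it hooks, so repeats are
    expected; the question is whether the file itself is known."""
    return Counter(p.lower() for code, _, p in entries if code == "O10" and p)


def triage(log_text):
    entries = parse_entries(log_text)
    findings = []
    for code, body, path in entries:
        if code == "O2" and "(no name)" in body:
            # A BHO whose CLSID key carries no description; legitimate ones
            # are rare, and Vundo-family BHOs commonly show up this way.
            findings.append(f"nameless BHO: {path}")
        elif code == "O6":
            # Policy keys that lock the user out of Internet Explorer settings.
            findings.append(f"IE policy restriction: {body}")
    for dll, n in lsp_chain(entries).items():
        note = "" if DRIVE_PATH_RE.match(dll) else " (bare name, resolved via DLL search path)"
        findings.append(f"Winsock LSP {dll} x{n}{note}")
    return {"entries": len(entries), "findings": findings}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG)["findings"]:
        print(f)
```

Run it on a pasted log instead of `SAMPLE_LOG` to get the same summary; the path regexes are a heuristic for HijackThis 2.x output and will need adjusting for entries that list no file at all.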

#2 SifuMike (malware expert)

Posted 14 February 2008 - 02:23 PM

Hello moera,

We will run ComboFix. :thumbsup:

You need to disable your PC Tools Antivirus, Spyware Doctor and Spybot Teatimer before running ComboFix, as they will prevent it from running.

To disable Spybot's Teatimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts


To disable Spyware Doctor from running on your system startup:
1. First, disable the OnGuard Tools. This way, when you exit Spyware Doctor, these tools won't stay resident in the background.
2. Click the "Settings" button on the left side.
3. Click the "Startup Settings" link.
4. Uncheck "Run at Windows Startup".
5. Click the "Apply" button.



Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be sure to install the Windows XP Recovery Console in case you have not installed it yet. <== IMPORTANT

Post the ComboFix log.

Edited by SifuMike, 14 February 2008 - 02:24 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 moera (Topic Starter)

Posted 19 February 2008 - 02:31 PM

Hello SifuMike,

Thanks for your help. Here are my new logs. I hope I've done everything right.

Moera

Attached Files



#4 SifuMike (malware expert)

Posted 19 February 2008 - 02:42 PM

Hi moera,

Please do not attach the ComboFix log, as it is hard to read.
I don't need to see the HijackThis log yet, so you don't need to post it.
Just post the ComboFix log to this thread. Thanks. :thumbsup:

Edited by SifuMike, 19 February 2008 - 02:45 PM.


#5 moera (Topic Starter)

Posted 19 February 2008 - 05:59 PM

Hi SifuMike,

Sorry about that. I had no idea it was hard to read. Thanks for your help.

Here is the ComboFix log:

I'm still getting the c:\windows\explorer.exe error.

ComboFix 08-02-19.2 - Claire 2008-02-19 11:06:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.587 [GMT -8:00]
Running from: C:\Documents and Settings\Claire\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\racle~1
C:\WINDOWS\appatc~1
C:\WINDOWS\appatc~1\A?pPatch\
C:\WINDOWS\setup.exe
C:\WINDOWS\system32\_000008_.tmp.dll
C:\WINDOWS\system32\cjpwyiim.ini
C:\WINDOWS\system32\ckovfbgl.ini
C:\WINDOWS\system32\dohypngl.ini
C:\WINDOWS\system32\hgokcckh.ini
C:\WINDOWS\system32\ilkkj.ini2
C:\WINDOWS\system32\irgyymun.ini
C:\WINDOWS\system32\jnuuktlj.ini
C:\WINDOWS\system32\kfirsxrh.ini
C:\WINDOWS\system32\lvprsbwu.ini
C:\WINDOWS\system32\ovtotxfh.ini
C:\WINDOWS\system32\oxjpibcf.ini
C:\WINDOWS\system32\rywmvply.ini
C:\WINDOWS\system32\skddutok.ini
C:\WINDOWS\system32\vbaupmwe.ini
C:\WINDOWS\system32\wojijdpo.ini
C:\WINDOWS\system32\wtssvtr32.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-19 to 2008-02-19 )))))))))))))))))))))))))))))))
.

2008-01-20 17:59 . 2008-01-20 17:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-01-20 17:59 . 2008-01-20 17:58 218,504 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-01-20 17:58 . 2008-01-20 17:59 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-01-20 16:55 . 2008-01-20 17:07 <DIR> d-------- C:\Program Files\Browser Hijack Recover
2008-01-20 16:55 . 2008-01-20 16:55 0 --a------ C:\WINDOWS\system32\8104297.jun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-19 19:10 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-19 19:10 --------- d-----w C:\Program Files\Spyware Doctor
2008-02-19 18:15 --------- d-----w C:\Documents and Settings\Claire\Application Data\Lavasoft
2008-01-23 17:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-23 17:49 --------- d-----w C:\Program Files\Sling Media
2008-01-23 17:47 --------- d-----w C:\Program Files\QuickTime
2008-01-23 17:45 --------- d-----w C:\Program Files\Quicken
2008-01-23 17:43 --------- d-----w C:\Program Files\Skype
2008-01-23 17:43 --------- d-----w C:\Program Files\Iomega
2008-01-21 02:38 --------- d-----w C:\Program Files\iTunes
2008-01-21 02:38 --------- d-----w C:\Program Files\Hide My IP 2007
2008-01-21 02:38 --------- d-----w C:\Program Files\Apoint
2008-01-18 16:23 --------- d-----w C:\Documents and Settings\Claire\Application Data\ParetoLogic
2008-01-18 16:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\ParetoLogic
2008-01-18 16:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-01-17 23:47 --------- d-----w C:\Program Files\Google
2008-01-15 19:20 --------- d-----w C:\Program Files\Sony
2008-01-15 16:37 --------- d-----w C:\Program Files\USB Sharing
2008-01-15 16:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Corporation
2008-01-14 17:09 --------- d-----w C:\Documents and Settings\Claire\Application Data\PC Tools
2008-01-14 16:11 2,048 ----a-w C:\WINDOWS\system32\drivers\kgpfr.cfg
2008-01-14 16:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-01-14 15:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\SITEguard
2008-01-14 15:51 --------- d-----w C:\Program Files\Common Files\iS3
2008-01-11 21:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-01-11 20:53 --------- d-----w C:\Program Files\Enigma Software Group
2008-01-11 19:12 994,096 ----a-w C:\WINDOWS\vVX6000 .exe
2008-01-11 19:11 98,304 ----a-w C:\WINDOWS\system32\igfxtray .exe
2008-01-11 19:11 77,824 ----a-w C:\WINDOWS\system32\hkcmd .exe
2008-01-11 19:11 118,784 ----a-w C:\WINDOWS\system32\igfxpers .exe
2008-01-10 18:38 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Bytemobile
2008-01-02 23:48 --------- d-----w C:\Documents and Settings\Claire\Application Data\AdobeUM
2007-12-29 19:26 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2007-12-29 19:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
.
<pre>
----a-w		   307,200 2008-01-11 19:12:57  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w		   118,784 2008-01-11 19:11:27  C:\Program Files\Apoint\Apoint .exe
----a-w		   880,640 2008-01-11 19:13:01  C:\Program Files\Hide My IP 2007\HideMyIP2007 .exe
----a-w		   147,456 2008-01-11 19:12:08  C:\Program Files\Iomega\AutoDisk\ADUserMon .exe
----a-w			32,768 2008-01-11 19:12:20  C:\Program Files\Iomega\DriveIcons\deskup .exe
----a-w			86,016 2008-01-11 19:12:14  C:\Program Files\Iomega\DriveIcons\ImgIcon .exe
----a-w		   257,088 2008-01-11 19:12:02  C:\Program Files\iTunes\iTunesHelper .exe
----a-w			36,975 2008-01-11 19:11:37  C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe
----a-w		 1,694,208 2008-01-11 19:12:37  C:\Program Files\Messenger\msmsgs .exe
----a-w		   282,624 2008-01-14 16:48:27  C:\Program Files\QuickTime\qttask							 .exe
----a-w			32,768 2008-01-11 19:11:43  C:\Program Files\Sony\ISB Utility\ISBMgr .exe
----a-w			69,632 2008-01-11 19:11:51  C:\Program Files\Sony\VAIO Camera Utility\VCUServe .exe
----a-w		   217,088 2008-01-11 19:11:38  C:\Program Files\Sony\VAIO Power Management\SPMgr .exe
----a-w		   679,936 2008-01-11 19:11:57  C:\Program Files\Sony\VAIO Security Center\VSC .exe
----a-w		   258,048 2008-01-11 19:11:59  C:\Program Files\Sony\VAIO Survey\surveysa .exe
----a-w		   151,552 2008-01-11 19:11:45  C:\Program Files\Sony\VAIO Update 2\VAIOUpdt .exe
----a-w		   167,936 2008-01-10 18:45:03  C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher .exe
----a-w		 1,415,824 2007-12-29 19:19:12  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w		   204,288 2008-01-11 19:12:51  C:\Program Files\Windows Media Player\WMPNSCFG .exe
----a-w		 4,617,720 2008-01-11 19:12:43  C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
----a-w		   994,096 2008-01-11 19:12:05  C:\WINDOWS\vVX6000 .exe
----a-w			64,512 2008-01-11 19:11:27  C:\WINDOWS\ehome\ehtray .exe
----a-w			28,672 2008-01-11 19:11:32  C:\WINDOWS\SONYSYS\VAIO Recovery\PartSeal .exe
----a-w			77,824 2008-01-11 19:11:21  C:\WINDOWS\system32\hkcmd .exe
----a-w		   118,784 2008-01-11 19:11:24  C:\WINDOWS\system32\igfxpers .exe
----a-w			98,304 2008-01-11 19:11:19  C:\WINDOWS\system32\igfxtray .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [ ]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [ ]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [ ]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [ ]
"SonyPowerCfg"="C:\Program Files\Sony\VAIO Power Management\SPMgr.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [ ]
"Iomega Drive Icons"="C:\Program Files\Iomega\DriveIcons\ImgIcon.exe" [ ]
"Deskup"="C:\Program Files\Iomega\DriveIcons\deskup.exe" [ ]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2007-12-10 14:53 1103752]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-07-31 08:40:16 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
HotSync Manager.lnk - C:\Program Files\Handspring\Hotsync.exe [2004-06-09 14:16:08 471040]
USB Sharing.lnk - C:\Program Files\USB Sharing\usbshare.exe [2006-07-21 14:40:09 139264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
VESWinlogon.dll 2005-05-20 17:42 73728 C:\WINDOWS\system32\VESWinlogon.dll

R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-01-20 17:58]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe [2002-12-17 17:26]
R3 ti21sony;ti21sony;C:\WINDOWS\system32\drivers\ti21sony.sys [2006-02-21 18:32]
S3 SonyImgF;Sony Image Conversion Filter Driver;C:\WINDOWS\system32\DRIVERS\SonyImgF.sys [2005-12-27 15:22]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE [2002-12-17 17:23]
S3 VX6000;Microsoft LifeCam VX-6000;C:\WINDOWS\system32\DRIVERS\VX6000Xp.sys [2006-06-29 15:56]
S4 SecureSrv;SecureSrv;C:\Program Files\Hide My IP 2007\SecureSrv.exe [2007-06-21 03:09]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ac7531c-b58c-11dc-a61e-0013023b3ebf}]
\Shell\AutoRun\command - F:\Autorun.exe /run
\Shell\Shell00\Command - F:\Autorun.exe /run
\Shell\Shell01\Command - F:\Autorun.exe /action
\Shell\Shell02\Command - F:\Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d65cb8a-bf63-11da-981c-806d6172696f}]
\Shell\AutoRun\command - E:\sony\Autorun.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-19 11:10:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\securenet.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-02-19 11:13:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-19 19:13:09
.
2008-01-10 17:47:54 --- E O F ---

#6 SifuMike (malware expert)

Posted 19 February 2008 - 06:35 PM

Hi moera,


Click Start, then Run, type Notepad and click OK.
Open Notepad - don't use any text editor other than Notepad or the script will fail.
Copy/paste the text in the code box below into Notepad:

RenV::
----a-w    307,200 2008-01-11 19:12:57  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
----a-w    118,784 2008-01-11 19:11:27  C:\Program Files\Apoint\Apoint .exe
----a-w    880,640 2008-01-11 19:13:01  C:\Program Files\Hide My IP 2007\HideMyIP2007 .exe
----a-w    147,456 2008-01-11 19:12:08  C:\Program Files\Iomega\AutoDisk\ADUserMon .exe
----a-w     32,768 2008-01-11 19:12:20  C:\Program Files\Iomega\DriveIcons\deskup .exe
----a-w     86,016 2008-01-11 19:12:14  C:\Program Files\Iomega\DriveIcons\ImgIcon .exe
----a-w    257,088 2008-01-11 19:12:02  C:\Program Files\iTunes\iTunesHelper .exe
----a-w     36,975 2008-01-11 19:11:37  C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe
----a-w  1,694,208 2008-01-11 19:12:37  C:\Program Files\Messenger\msmsgs .exe
----a-w    282,624 2008-01-14 16:48:27  C:\Program Files\QuickTime\qttask .exe
----a-w     32,768 2008-01-11 19:11:43  C:\Program Files\Sony\ISB Utility\ISBMgr .exe
----a-w     69,632 2008-01-11 19:11:51  C:\Program Files\Sony\VAIO Camera Utility\VCUServe .exe
----a-w    217,088 2008-01-11 19:11:38  C:\Program Files\Sony\VAIO Power Management\SPMgr .exe
----a-w    679,936 2008-01-11 19:11:57  C:\Program Files\Sony\VAIO Security Center\VSC .exe
----a-w    258,048 2008-01-11 19:11:59  C:\Program Files\Sony\VAIO Survey\surveysa .exe
----a-w    151,552 2008-01-11 19:11:45  C:\Program Files\Sony\VAIO Update 2\VAIOUpdt .exe
----a-w    167,936 2008-01-10 18:45:03  C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher .exe
----a-w  1,415,824 2007-12-29 19:19:12  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w    204,288 2008-01-11 19:12:51  C:\Program Files\Windows Media Player\WMPNSCFG .exe
----a-w  4,617,720 2008-01-11 19:12:43  C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
----a-w    994,096 2008-01-11 19:12:05  C:\WINDOWS\vVX6000 .exe
----a-w     64,512 2008-01-11 19:11:27  C:\WINDOWS\ehome\ehtray .exe
----a-w     28,672 2008-01-11 19:11:32  C:\WINDOWS\SONYSYS\VAIO Recovery\PartSeal .exe
----a-w     77,824 2008-01-11 19:11:21  C:\WINDOWS\system32\hkcmd .exe
----a-w    118,784 2008-01-11 19:11:24  C:\WINDOWS\system32\igfxpers .exe
----a-w     98,304 2008-01-11 19:11:19  C:\WINDOWS\system32\igfxtray .exe


Name the Notepad file CFScript.txt and Save it to your desktop.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



[screenshot not reproduced]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

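An added example, not from the thread and not ComboFix's own code: the effect the RenV:: list above is used for here, reconstructed in Python. Every file in that list is an executable renamed with a space inserted before its extension (`igfxtray .exe`); NTFS stores that as a distinct name because the space is inside the name rather than at its end. As I read the log, those are the displaced originals, and whatever now occupies the original name (`igfxtray.exe`, still launched from the Run key in the HijackThis log) is the suspect copy. The script finds such pairs under a root directory, hashes and quarantines the file at the original name, and renames the displaced original back. `demo()` builds a throwaway tree with constructed file contents so it runs anywhere; on a live system the process running the suspect copy has to be stopped first, or the move fails.

```python
"""Find executables displaced by a trailing-space rename ("igfxtray .exe"
beside "igfxtray.exe"), quarantine whatever took the original name, and
rename the original back.  Added example reconstructing the effect of the
RenV:: list above; not ComboFix's code."""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# "name .exe": whitespace immediately before the extension.  NTFS keeps the
# space (it is inside the name, not trailing), so this is a distinct file.
DISPLACED_RE = re.compile(r"^(?P<stem>.+?)\s+\.(?P<ext>exe|dll|scr)$", re.IGNORECASE)


def find_displaced(root):
    """Return (displaced_path, restored_name, impostor_path_or_None) for every
    displaced file under root, in a stable order."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        m = DISPLACED_RE.match(p.name) if p.is_file() else None
        if not m:
            continue
        restored_name = f"{m['stem']}.{m['ext']}"
        impostor = p.with_name(restored_name)
        hits.append((p, restored_name, impostor if impostor.exists() else None))
    return hits


def restore(root, quarantine):
    """Move each impostor into quarantine (hash recorded first, so the sample
    stays identifiable for later analysis) and give the displaced original
    its name back.  Returns [(restored_path, impostor_sha256_or_None), ...]."""
    quarantine = Path(quarantine)
    quarantine.mkdir(parents=True, exist_ok=True)
    done = []
    for displaced, restored_name, impostor in find_displaced(root):
        digest = None
        if impostor is not None:
            digest = hashlib.sha256(impostor.read_bytes()).hexdigest()
            shutil.move(str(impostor), str(quarantine / f"{impostor.name}.{digest[:12]}"))
        target = displaced.with_name(restored_name)
        displaced.rename(target)
        done.append((target, digest))
    return done


def demo():
    """Build a throwaway tree with constructed file contents, run the restore
    over it, and return what can be checked afterwards."""
    root = Path(tempfile.mkdtemp(prefix="displaced-"))
    sys32 = root / "WINDOWS" / "system32"
    sys32.mkdir(parents=True)
    (sys32 / "igfxtray .exe").write_bytes(b"MZ legitimate tray applet")  # constructed
    (sys32 / "igfxtray.exe").write_bytes(b"MZ impostor")                 # constructed
    (sys32 / "hkcmd.exe").write_bytes(b"MZ untouched")                   # constructed
    apoint = root / "Program Files" / "Apoint"
    apoint.mkdir(parents=True)
    (apoint / "Apoint .exe").write_bytes(b"MZ displaced, no impostor")   # constructed
    before = [(d.name, i.name if i else None) for d, _, i in find_displaced(root)]
    done = restore(root, root / "quarantine")
    return {
        "before": before,
        "restored": [(r.name, h is not None) for r, h in done],
        "remaining": len(find_displaced(root)),
        "tray_bytes": (sys32 / "igfxtray.exe").read_bytes(),
        "quarantined": sorted(p.name for p in (root / "quarantine").iterdir()),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Point `find_displaced` at a real `C:\` tree first and review the list before calling `restore`; a displaced file with no impostor beside it (the `Apoint .exe` case in the demo) is still renamed back, since the original name is then simply free.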
#7 moera (Topic Starter)

Posted 19 February 2008 - 07:31 PM

Hello once again SifuMike,

Here are my logs for ComboFix and HJT after running your script in Notepad. Thanks for your help once again.

Moera :thumbsup:

ComboFix 08-02-19.2 - Claire 2008-02-19 16:21:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.526 [GMT -8:00]
Running from: C:\Documents and Settings\Claire\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Claire\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.

2008-02-19 14:50 . 2008-02-19 14:50 0 --a------ C:\WINDOWS\JDSecure20.INI
2008-02-19 13:35 . 2008-02-19 13:35 <DIR> d-------- C:\Program Files\Security Task Manager
2008-02-19 12:52 . 2008-02-19 13:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-01-20 17:59 . 2008-01-20 17:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-01-20 17:59 . 2008-01-20 17:58 218,504 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-01-20 17:58 . 2008-01-20 17:59 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-01-20 16:55 . 2008-01-20 17:07 <DIR> d-------- C:\Program Files\Browser Hijack Recover
2008-01-20 16:55 . 2008-01-20 16:55 0 --a------ C:\WINDOWS\system32\8104297.jun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-20 00:17 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-19 22:37 --------- d-----w C:\Documents and Settings\Claire\Application Data\Yahoo!
2008-02-19 22:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-02-19 22:14 --------- d-----w C:\Program Files\Spyware Doctor
2008-02-19 19:25 --------- d-----w C:\Program Files\Trend Micro
2008-02-19 18:15 --------- d-----w C:\Documents and Settings\Claire\Application Data\Lavasoft
2008-01-23 17:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-23 17:49 --------- d-----w C:\Program Files\Sling Media
2008-01-23 17:47 --------- d-----w C:\Program Files\QuickTime
2008-01-23 17:45 --------- d-----w C:\Program Files\Quicken
2008-01-23 17:43 --------- d-----w C:\Program Files\Skype
2008-01-23 17:43 --------- d-----w C:\Program Files\Iomega
2008-01-21 02:38 --------- d-----w C:\Program Files\iTunes
2008-01-21 02:38 --------- d-----w C:\Program Files\Hide My IP 2007
2008-01-21 02:38 --------- d-----w C:\Program Files\Apoint
2008-01-18 16:23 --------- d-----w C:\Documents and Settings\Claire\Application Data\ParetoLogic
2008-01-18 16:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\ParetoLogic
2008-01-18 16:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-01-17 23:47 --------- d-----w C:\Program Files\Google
2008-01-15 19:20 --------- d-----w C:\Program Files\Sony
2008-01-15 16:37 --------- d-----w C:\Program Files\USB Sharing
2008-01-15 16:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Corporation
2008-01-14 17:09 --------- d-----w C:\Documents and Settings\Claire\Application Data\PC Tools
2008-01-14 16:11 2,048 ----a-w C:\WINDOWS\system32\drivers\kgpfr.cfg
2008-01-14 16:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-01-14 15:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\SITEguard
2008-01-14 15:51 --------- d-----w C:\Program Files\Common Files\iS3
2008-01-11 21:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-01-11 20:53 --------- d-----w C:\Program Files\Enigma Software Group
2008-01-11 19:12 994,096 ----a-w C:\WINDOWS\vVX6000 .exe
2008-01-11 19:11 98,304 ----a-w C:\WINDOWS\system32\igfxtray .exe
2008-01-11 19:11 77,824 ----a-w C:\WINDOWS\system32\hkcmd .exe
2008-01-11 19:11 118,784 ----a-w C:\WINDOWS\system32\igfxpers .exe
2008-01-10 18:38 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Bytemobile
2008-01-02 23:48 --------- d-----w C:\Documents and Settings\Claire\Application Data\AdobeUM
2007-12-29 19:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
.
<pre>
----a-w		   118,784 2008-01-11 19:11:27  C:\Program Files\Apoint\Apoint .exe
----a-w		   880,640 2008-01-11 19:13:01  C:\Program Files\Hide My IP 2007\HideMyIP2007 .exe
----a-w		   147,456 2008-01-11 19:12:08  C:\Program Files\Iomega\AutoDisk\ADUserMon .exe
----a-w			32,768 2008-01-11 19:12:20  C:\Program Files\Iomega\DriveIcons\deskup .exe
----a-w			86,016 2008-01-11 19:12:14  C:\Program Files\Iomega\DriveIcons\ImgIcon .exe
----a-w		   257,088 2008-01-11 19:12:02  C:\Program Files\iTunes\iTunesHelper .exe
----a-w			36,975 2008-01-11 19:11:37  C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe
----a-w		 1,694,208 2008-01-11 19:12:37  C:\Program Files\Messenger\msmsgs .exe
----a-w		   282,624 2008-01-14 16:48:27  C:\Program Files\QuickTime\qttask							 .exe
----a-w			32,768 2008-01-11 19:11:43  C:\Program Files\Sony\ISB Utility\ISBMgr .exe
----a-w			69,632 2008-01-11 19:11:51  C:\Program Files\Sony\VAIO Camera Utility\VCUServe .exe
----a-w		   217,088 2008-01-11 19:11:38  C:\Program Files\Sony\VAIO Power Management\SPMgr .exe
----a-w		   679,936 2008-01-11 19:11:57  C:\Program Files\Sony\VAIO Security Center\VSC .exe
----a-w		   258,048 2008-01-11 19:11:59  C:\Program Files\Sony\VAIO Survey\surveysa .exe
----a-w		   151,552 2008-01-11 19:11:45  C:\Program Files\Sony\VAIO Update 2\VAIOUpdt .exe
----a-w		   167,936 2008-01-10 18:45:03  C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher .exe
----a-w		   204,288 2008-01-11 19:12:51  C:\Program Files\Windows Media Player\WMPNSCFG .exe
----a-w		 4,617,720 2008-01-11 19:12:43  C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
----a-w		   994,096 2008-01-11 19:12:05  C:\WINDOWS\vVX6000 .exe
----a-w			64,512 2008-01-11 19:11:27  C:\WINDOWS\ehome\ehtray .exe
----a-w			28,672 2008-01-11 19:11:32  C:\WINDOWS\SONYSYS\VAIO Recovery\PartSeal .exe
----a-w			77,824 2008-01-11 19:11:21  C:\WINDOWS\system32\hkcmd .exe
----a-w		   118,784 2008-01-11 19:11:24  C:\WINDOWS\system32\igfxpers .exe
----a-w			98,304 2008-01-11 19:11:19  C:\WINDOWS\system32\igfxtray .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [ ]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [ ]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [ ]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [ ]
"SonyPowerCfg"="C:\Program Files\Sony\VAIO Power Management\SPMgr.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [ ]
"Iomega Drive Icons"="C:\Program Files\Iomega\DriveIcons\ImgIcon.exe" [ ]
"Deskup"="C:\Program Files\Iomega\DriveIcons\deskup.exe" [ ]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2007-12-10 14:53 1103752]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-07-31 08:40:16 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
HotSync Manager.lnk - C:\Program Files\Handspring\Hotsync.exe [2004-06-09 14:16:08 471040]
USB Sharing.lnk - C:\Program Files\USB Sharing\usbshare.exe [2006-07-21 14:40:09 139264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
VESWinlogon.dll 2005-05-20 17:42 73728 C:\WINDOWS\system32\VESWinlogon.dll

R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-01-20 17:58]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe [2002-12-17 17:26]
R3 ti21sony;ti21sony;C:\WINDOWS\system32\drivers\ti21sony.sys [2006-02-21 18:32]
S3 SonyImgF;Sony Image Conversion Filter Driver;C:\WINDOWS\system32\DRIVERS\SonyImgF.sys [2005-12-27 15:22]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE [2002-12-17 17:23]
S3 VX6000;Microsoft LifeCam VX-6000;C:\WINDOWS\system32\DRIVERS\VX6000Xp.sys [2006-06-29 15:56]
S4 SecureSrv;SecureSrv;C:\Program Files\Hide My IP 2007\SecureSrv.exe [2007-06-21 03:09]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ac7531c-b58c-11dc-a61e-0013023b3ebf}]
\Shell\AutoRun\command - F:\Autorun.exe /run
\Shell\Shell00\Command - F:\Autorun.exe /run
\Shell\Shell01\Command - F:\Autorun.exe /action
\Shell\Shell02\Command - F:\Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d65cb8a-bf63-11da-981c-806d6172696f}]
\Shell\AutoRun\command - E:\sony\Autorun.exe

.
**************************************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:28:20 PM, on 2/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Handspring\Hotsync.exe
C:\Program Files\USB Sharing\usbshare.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-19 16:23:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 19 February 2008 - 09:42 PM

Hi moera,

I see no change in your log. :blink: For some reason those files are still showing. :thumbsup:

1. Are you sure you used NotePad? It will not work with any other text editor.
2. Did you copy and paste the text inside the code box? You should not include the word Code.
3. Did you drag the CFScript into ComboFix.exe as you see in the screenshot?

Let's try again.

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

RenV::
----a-w 118,784 2008-01-11 19:11:27 C:\Program Files\Apoint\Apoint .exe
----a-w 880,640 2008-01-11 19:13:01 C:\Program Files\Hide My IP 2007\HideMyIP2007 .exe
----a-w 147,456 2008-01-11 19:12:08 C:\Program Files\Iomega\AutoDisk\ADUserMon .exe
----a-w 32,768 2008-01-11 19:12:20 C:\Program Files\Iomega\DriveIcons\deskup .exe
----a-w 86,016 2008-01-11 19:12:14 C:\Program Files\Iomega\DriveIcons\ImgIcon .exe
----a-w 257,088 2008-01-11 19:12:02 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 36,975 2008-01-11 19:11:37 C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe
----a-w 1,694,208 2008-01-11 19:12:37 C:\Program Files\Messenger\msmsgs .exe
----a-w 282,624 2008-01-14 16:48:27 C:\Program Files\QuickTime\qttask .exe
----a-w 32,768 2008-01-11 19:11:43 C:\Program Files\Sony\ISB Utility\ISBMgr .exe
----a-w 69,632 2008-01-11 19:11:51 C:\Program Files\Sony\VAIO Camera Utility\VCUServe .exe
----a-w 217,088 2008-01-11 19:11:38 C:\Program Files\Sony\VAIO Power Management\SPMgr .exe
----a-w 679,936 2008-01-11 19:11:57 C:\Program Files\Sony\VAIO Security Center\VSC .exe
----a-w 258,048 2008-01-11 19:11:59 C:\Program Files\Sony\VAIO Survey\surveysa .exe
----a-w 151,552 2008-01-11 19:11:45 C:\Program Files\Sony\VAIO Update 2\VAIOUpdt .exe
----a-w 167,936 2008-01-10 18:45:03 C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher .exe
----a-w 204,288 2008-01-11 19:12:51 C:\Program Files\Windows Media Player\WMPNSCFG .exe
----a-w 4,617,720 2008-01-11 19:12:43 C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
----a-w 994,096 2008-01-11 19:12:05 C:\WINDOWS\vVX6000 .exe
----a-w 64,512 2008-01-11 19:11:27 C:\WINDOWS\ehome\ehtray .exe
----a-w 28,672 2008-01-11 19:11:32 C:\WINDOWS\SONYSYS\VAIO Recovery\PartSeal .exe
----a-w 77,824 2008-01-11 19:11:21 C:\WINDOWS\system32\hkcmd .exe
----a-w 118,784 2008-01-11 19:11:24 C:\WINDOWS\system32\igfxpers .exe
----a-w 98,304 2008-01-11 19:11:19 C:\WINDOWS\system32\igfxtray .exe


Name the Notepad file CFScript.txt and Save it to your desktop.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Edited by SifuMike, 19 February 2008 - 09:43 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 moera

moera
  • Topic Starter

  • Members
  • 11 posts

Posted 20 February 2008 - 10:19 AM

Hello SifuMike,
I tried it again and was careful to use notepad and not include the word code. Here are my new logs.
moera

ComboFix 08-02-19.2 - Claire 2008-02-20 7:01:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.490 [GMT -8:00]
Running from: C:\Documents and Settings\Claire\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Claire\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.

2008-02-19 14:50 . 2008-02-19 14:50 0 --a------ C:\WINDOWS\JDSecure20.INI
2008-02-19 13:35 . 2008-02-19 13:35 <DIR> d-------- C:\Program Files\Security Task Manager
2008-02-19 12:52 . 2008-02-19 13:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-01-20 17:59 . 2008-01-20 17:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-01-20 17:59 . 2008-01-20 17:58 218,504 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-01-20 17:58 . 2008-01-20 17:59 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-01-20 16:55 . 2008-01-20 17:07 <DIR> d-------- C:\Program Files\Browser Hijack Recover
2008-01-20 16:55 . 2008-01-20 16:55 0 --a------ C:\WINDOWS\system32\8104297.jun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-20 15:01 --------- d-----w C:\Program Files\Apoint
2008-02-20 14:59 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-19 22:37 --------- d-----w C:\Documents and Settings\Claire\Application Data\Yahoo!
2008-02-19 22:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-02-19 22:14 --------- d-----w C:\Program Files\Spyware Doctor
2008-02-19 19:25 --------- d-----w C:\Program Files\Trend Micro
2008-02-19 18:15 --------- d-----w C:\Documents and Settings\Claire\Application Data\Lavasoft
2008-01-23 17:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-23 17:49 --------- d-----w C:\Program Files\Sling Media
2008-01-23 17:47 --------- d-----w C:\Program Files\QuickTime
2008-01-23 17:45 --------- d-----w C:\Program Files\Quicken
2008-01-23 17:43 --------- d-----w C:\Program Files\Skype
2008-01-23 17:43 --------- d-----w C:\Program Files\Iomega
2008-01-21 02:38 --------- d-----w C:\Program Files\iTunes
2008-01-21 02:38 --------- d-----w C:\Program Files\Hide My IP 2007
2008-01-18 16:23 --------- d-----w C:\Documents and Settings\Claire\Application Data\ParetoLogic
2008-01-18 16:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\ParetoLogic
2008-01-18 16:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-01-17 23:47 --------- d-----w C:\Program Files\Google
2008-01-15 19:20 --------- d-----w C:\Program Files\Sony
2008-01-15 16:37 --------- d-----w C:\Program Files\USB Sharing
2008-01-15 16:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Corporation
2008-01-14 17:09 --------- d-----w C:\Documents and Settings\Claire\Application Data\PC Tools
2008-01-14 16:11 2,048 ----a-w C:\WINDOWS\system32\drivers\kgpfr.cfg
2008-01-14 16:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-01-14 15:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\SITEguard
2008-01-14 15:51 --------- d-----w C:\Program Files\Common Files\iS3
2008-01-11 21:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-01-11 20:53 --------- d-----w C:\Program Files\Enigma Software Group
2008-01-11 19:12 994,096 ----a-w C:\WINDOWS\vVX6000 .exe
2008-01-11 19:11 98,304 ----a-w C:\WINDOWS\system32\igfxtray .exe
2008-01-11 19:11 77,824 ----a-w C:\WINDOWS\system32\hkcmd .exe
2008-01-11 19:11 118,784 ----a-w C:\WINDOWS\system32\igfxpers .exe
2008-01-10 18:38 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Bytemobile
2008-01-02 23:48 --------- d-----w C:\Documents and Settings\Claire\Application Data\AdobeUM
2007-12-29 19:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
.
<pre>
----a-w		   880,640 2008-01-11 19:13:01  C:\Program Files\Hide My IP 2007\HideMyIP2007 .exe
----a-w		   147,456 2008-01-11 19:12:08  C:\Program Files\Iomega\AutoDisk\ADUserMon .exe
----a-w			32,768 2008-01-11 19:12:20  C:\Program Files\Iomega\DriveIcons\deskup .exe
----a-w			86,016 2008-01-11 19:12:14  C:\Program Files\Iomega\DriveIcons\ImgIcon .exe
----a-w		   257,088 2008-01-11 19:12:02  C:\Program Files\iTunes\iTunesHelper .exe
----a-w			36,975 2008-01-11 19:11:37  C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe
----a-w		 1,694,208 2008-01-11 19:12:37  C:\Program Files\Messenger\msmsgs .exe
----a-w		   282,624 2008-01-14 16:48:27  C:\Program Files\QuickTime\qttask							 .exe
----a-w			32,768 2008-01-11 19:11:43  C:\Program Files\Sony\ISB Utility\ISBMgr .exe
----a-w			69,632 2008-01-11 19:11:51  C:\Program Files\Sony\VAIO Camera Utility\VCUServe .exe
----a-w		   217,088 2008-01-11 19:11:38  C:\Program Files\Sony\VAIO Power Management\SPMgr .exe
----a-w		   679,936 2008-01-11 19:11:57  C:\Program Files\Sony\VAIO Security Center\VSC .exe
----a-w		   258,048 2008-01-11 19:11:59  C:\Program Files\Sony\VAIO Survey\surveysa .exe
----a-w		   151,552 2008-01-11 19:11:45  C:\Program Files\Sony\VAIO Update 2\VAIOUpdt .exe
----a-w		   167,936 2008-01-10 18:45:03  C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher .exe
----a-w		   204,288 2008-01-11 19:12:51  C:\Program Files\Windows Media Player\WMPNSCFG .exe
----a-w		 4,617,720 2008-01-11 19:12:43  C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
----a-w		   994,096 2008-01-11 19:12:05  C:\WINDOWS\vVX6000 .exe
----a-w			64,512 2008-01-11 19:11:27  C:\WINDOWS\ehome\ehtray .exe
----a-w			28,672 2008-01-11 19:11:32  C:\WINDOWS\SONYSYS\VAIO Recovery\PartSeal .exe
----a-w			77,824 2008-01-11 19:11:21  C:\WINDOWS\system32\hkcmd .exe
----a-w		   118,784 2008-01-11 19:11:24  C:\WINDOWS\system32\igfxpers .exe
----a-w			98,304 2008-01-11 19:11:19  C:\WINDOWS\system32\igfxtray .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [ ]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2008-01-11 11:11 118784]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [ ]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [ ]
"SonyPowerCfg"="C:\Program Files\Sony\VAIO Power Management\SPMgr.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [ ]
"Iomega Drive Icons"="C:\Program Files\Iomega\DriveIcons\ImgIcon.exe" [ ]
"Deskup"="C:\Program Files\Iomega\DriveIcons\deskup.exe" [ ]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2007-12-10 14:53 1103752]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-07-31 08:40:16 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
HotSync Manager.lnk - C:\Program Files\Handspring\Hotsync.exe [2004-06-09 14:16:08 471040]
USB Sharing.lnk - C:\Program Files\USB Sharing\usbshare.exe [2006-07-21 14:40:09 139264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
VESWinlogon.dll 2005-05-20 17:42 73728 C:\WINDOWS\system32\VESWinlogon.dll

R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-01-20 17:58]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe [2002-12-17 17:26]
R3 ti21sony;ti21sony;C:\WINDOWS\system32\drivers\ti21sony.sys [2006-02-21 18:32]
S3 SonyImgF;Sony Image Conversion Filter Driver;C:\WINDOWS\system32\DRIVERS\SonyImgF.sys [2005-12-27 15:22]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE [2002-12-17 17:23]
S3 VX6000;Microsoft LifeCam VX-6000;C:\WINDOWS\system32\DRIVERS\VX6000Xp.sys [2006-06-29 15:56]
S4 SecureSrv;SecureSrv;C:\Program Files\Hide My IP 2007\SecureSrv.exe [2007-06-21 03:09]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ac7531c-b58c-11dc-a61e-0013023b3ebf}]
\Shell\AutoRun\command - F:\Autorun.exe /run
\Shell\Shell00\Command - F:\Autorun.exe /run
\Shell\Shell01\Command - F:\Autorun.exe /action
\Shell\Shell02\Command - F:\Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d65cb8a-bf63-11da-981c-806d6172696f}]
\Shell\AutoRun\command - E:\sony\Autorun.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-20 07:03:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:04, on 2008-02-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Handspring\Hotsync.exe
C:\Program Files\USB Sharing\usbshare.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Handspring\Hotsync.exe
O4 - Global Startup: USB Sharing.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\securenet.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (file missing)
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Unknown owner - C:\WINDOWS\system32\bmwebcfg.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 8298 bytes

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 20 February 2008 - 10:32 AM

Hi moera,

Download RenV.exe to your desktop, double click to run it:
http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe

When it's finished it will produce a Log.
Please post the contents of that Log into your next reply.

#11 moera

moera
  • Topic Starter

  • Members
  • 11 posts

Posted 20 February 2008 - 10:44 AM

Hello SifuMike,
Downloaded and ran that program. Here is the log.

Moera

Ran on 2008-02-20 -  7:41:53.12

----a-w		   880,640 2008-01-11 19:13:01  C:\Program Files\Hide My IP 2007\HideMyIP2007 .exe
----a-w		   147,456 2008-01-11 19:12:08  C:\Program Files\Iomega\AutoDisk\ADUserMon .exe
----a-w			32,768 2008-01-11 19:12:20  C:\Program Files\Iomega\DriveIcons\deskup .exe
----a-w			86,016 2008-01-11 19:12:14  C:\Program Files\Iomega\DriveIcons\ImgIcon .exe
----a-w		   257,088 2008-01-11 19:12:02  C:\Program Files\iTunes\iTunesHelper .exe
----a-w			36,975 2008-01-11 19:11:37  C:\Program Files\Java\jre1.5.0_06\bin\jusched .exe
----a-w		 1,694,208 2008-01-11 19:12:37  C:\Program Files\Messenger\msmsgs .exe
----a-w		   282,624 2008-01-14 16:48:27  C:\Program Files\QuickTime\qttask							 .exe
----a-w			32,768 2008-01-11 19:11:43  C:\Program Files\Sony\ISB Utility\ISBMgr .exe
----a-w			69,632 2008-01-11 19:11:51  C:\Program Files\Sony\VAIO Camera Utility\VCUServe .exe
----a-w		   217,088 2008-01-11 19:11:38  C:\Program Files\Sony\VAIO Power Management\SPMgr .exe
----a-w		   679,936 2008-01-11 19:11:57  C:\Program Files\Sony\VAIO Security Center\VSC .exe
----a-w		   258,048 2008-01-11 19:11:59  C:\Program Files\Sony\VAIO Survey\surveysa .exe
----a-w		   151,552 2008-01-11 19:11:45  C:\Program Files\Sony\VAIO Update 2\VAIOUpdt .exe
----a-w		   167,936 2008-01-10 18:45:03  C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher .exe
----a-w		   204,288 2008-01-11 19:12:51  C:\Program Files\Windows Media Player\WMPNSCFG .exe
----a-w		 4,617,720 2008-01-11 19:12:43  C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
----a-w		   994,096 2008-01-11 19:12:05  C:\WINDOWS\vVX6000 .exe
----a-w			64,512 2008-01-11 19:11:27  C:\WINDOWS\ehome\ehtray .exe
----a-w			28,672 2008-01-11 19:11:32  C:\WINDOWS\SONYSYS\VAIO Recovery\PartSeal .exe
----a-w			77,824 2008-01-11 19:11:21  C:\WINDOWS\system32\hkcmd .exe
----a-w		   118,784 2008-01-11 19:11:24  C:\WINDOWS\system32\igfxpers .exe
----a-w			98,304 2008-01-11 19:11:19  C:\WINDOWS\system32\igfxtray .exe

 Entries:			   23  (23)
 Directories:			0  Files:			23
 Bytes:		 11,198,935  Blocks:	   21,875

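The RenV log above lists executables whose names carry whitespace before the .exe extension. As an added example, not the RenV tool's own code, the following Python script parses a log in that column layout (the layout is assumed from the post), flags the padded names and prints the name each file would have without the padding; the sample log lines are constructed from the post.

```python
import re

# Constructed sample in the column layout of the RenV log posted above
# (attributes, size, date, time, path). Not the RenV tool's own code.
SAMPLE_LOG = """Ran on 2008-02-20 -  7:41:53.12

----a-w           880,640 2008-01-11 19:13:01  C:\\Program Files\\Hide My IP 2007\\HideMyIP2007 .exe
----a-w            77,824 2008-01-11 19:11:21  C:\\WINDOWS\\system32\\hkcmd .exe
----a-w           118,784 2008-01-11 19:11:24  C:\\WINDOWS\\system32\\igfxpers.exe

 Entries:                3  (3)
"""

LINE_RE = re.compile(
    r"^(?P<attrs>[-a-z]{7})\s+(?P<size>[\d,]+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+(?P<path>.+?)\s*$"
)
# Whitespace (spaces or tabs) between the base name and the extension, e.g. "hkcmd .exe".
PADDED_EXT_RE = re.compile(r"\s+(\.[A-Za-z0-9]{1,4})$")


def parse_renv_log(text: str) -> list[dict]:
    """Parse the file entries; header, blank and summary lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append({
                "attrs": m["attrs"],
                "size": int(m["size"].replace(",", "")),
                "timestamp": f"{m['date']} {m['time']}",
                "path": m["path"],
            })
    return entries

def has_padded_extension(path: str) -> bool:
    # Only the file name is tested, so directories containing spaces do not trigger it.
    return PADDED_EXT_RE.search(path.rsplit("\\", 1)[-1]) is not None

def suspicious_paths(text: str) -> list[str]:
    """Paths from the log whose file name carries padding before its extension."""
    return [e["path"] for e in parse_renv_log(text) if has_padded_extension(e["path"])]

def restored_name(path: str) -> str:
    """The name the file would have with the padding removed."""
    return PADDED_EXT_RE.sub(r"\1", path)

for p in suspicious_paths(SAMPLE_LOG):
    print(f"{p} -> {restored_name(p)}")
```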

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 20 February 2008 - 10:56 AM

Hi moera,

Posted Image

Referring to the picture above, drag Log.txt into RenV.exe

When finished, it shall produce a new log for you.
Post that log in your next reply.

#13 moera

moera
  • Topic Starter

  • Members
  • 11 posts

Posted 20 February 2008 - 11:01 AM

Hi SifuMike,

I did that and here is what I got.

Ran on 2008-02-20 -  7:59:58.15

 Entries:				0  (0)
 Directories:			0  Files:			 0
 Bytes:				  0  Blocks:			0

Moera

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 20 February 2008 - 11:08 AM

Hi moera,

That is great! :thumbsup:

Please perform this online scan: Kaspersky Webscan

Note that you need to run this scan with Internet Explorer for it to work correctly.

If you have any problem running the scan to completion, disable your Antivirus and/or firewall temporarily, just refrain from surfing around while the scan is running and be sure to re-enable when done.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

1. Read the Requirements and Privacy statement, then select "Accept"

2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat step 1.

3. Select "Install" to download the ActiveX controls that allow Kaspersky to run.

4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"

5. Wait for the scanner to initialize and update its databases. When the download is complete it will say ready, click "Next"

6. Click "Scan Settings" and check the option to use the EXTENDED DATABASE, then click "OK"

7. Select a target to scan: Click on "My Computer" and the scan will begin.

8. Once the scan is complete it will display whether your system has been infected.
Now click on the Save Report As... button:
Under "Save as type" select "Text file", write a name for the file and save it to your Desktop.
Locate the file on the Desktop, open it, then copy and paste that information in your next post.

9. Post the Kaspersky scan results in your next reply.

Edited by SifuMike, 20 February 2008 - 11:09 AM.


#15 moera

moera
  • Topic Starter

  • Members
  • 11 posts

Posted 20 February 2008 - 12:01 PM

SifuMike,

Just one problem. My Internet Explorer won't run. It reports the following error msg and freezes my machine. I had to reboot.

The program ["c:\Program Files\Internet Explorer\iexplorer.exe"] caused a problem and is going to close. Would you like to save a dump file?
It froze and I rebooted and got some weird error msg like imghook did not load and needed to be reinstalled, and PC Tools has reported 171 new infections when it rebooted. Not sure what's happening but it seems I'm very far from running your last set of instructions.

Moera



