Red X On C Drive


2 replies to this topic

#1 Walter Sudol


Posted 02 March 2008 - 12:18 AM

When using Internet Explorer this week, Webroot Spy Sweeper detected that unauthorized files were attempting to be loaded on the computer. I replied deny to the request, but soon afterwards I was getting unwanted ads displaying while using Internet Explorer, and the machine was slower than usual. I also noticed that a red X had appeared on the C drive.

I did a search on Google and came to the conclusion that I should run ComboFix to fix the problem. After running ComboFix, I was to run HijackThis. After performing the above steps, I was to post the logs on the forum for further analysis. Note: While performing the steps on how to use ComboFix, I believe I was unsuccessful installing the Windows XP Recovery Console.

Lastly, after performing the above steps, the red X is still on the C drive. I would like advice on analyzing the logs to further fix this problem.

The log of ComboFix follows:

ComboFix 08-03-01.3 - wsudol 2008-03-01 20:42:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.628 [GMT -5:00]
Running from: C:\Documents and Settings\wsudol\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm


((((((((((((((((((((((((( Files Created from 2008-02-02 to 2008-03-02 )))))))))))))))))))))))))))))))
.

2008-03-01 00:56 . 2008-03-01 00:56 31,808 --a------ C:\WINDOWS\system32\fnctvhvr.dll
2008-02-28 23:57 . 2008-02-28 23:57 31,808 --a------ C:\WINDOWS\system32\cbtlblcj.dll
2008-02-28 23:54 . 2008-02-28 23:54 31,808 --a------ C:\WINDOWS\system32\xrdlxijh.dll
2008-02-28 23:54 . 2008-03-01 00:56 894 ---hs---- C:\WINDOWS\system32\doojxaco.ini
2008-02-27 23:52 . 2008-02-27 23:52 31,808 --a------ C:\WINDOWS\system32\wxbpdywe.dll
2008-02-27 23:51 . 2008-03-01 19:33 21 --a------ C:\WINDOWS\pskt.ini
2008-02-27 11:45 . 2008-02-27 11:45 <DIR> d-------- C:\WINDOWS\system32\jk8
2008-02-27 11:45 . 2008-02-27 11:49 <DIR> d-------- C:\Program Files\RABCO
2008-02-27 11:44 . 2008-02-27 11:44 <DIR> d-------- C:\WINDOWS\system32\iDlo01
2008-02-27 11:44 . 2008-02-27 11:45 <DIR> d-------- C:\WINDOWS\system32\hc4
2008-02-27 11:44 . 2008-02-27 11:44 <DIR> d-------- C:\WINDOWS\system32\fs7
2008-02-27 11:44 . 2008-02-27 11:44 <DIR> d-------- C:\WINDOWS\system32\dn5
2008-02-27 11:44 . 2008-02-27 12:22 <DIR> d-------- C:\WINDOWS\system32\cb2
2008-02-27 11:44 . 2008-02-27 11:45 <DIR> d-------- C:\WINDOWS\system32\ax3
2008-02-27 11:44 . 2008-02-27 11:44 <DIR> d-------- C:\TEMP\sanR24

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-22 17:59 164 ----a-w C:\install.dat
2008-01-22 17:51 --------- d-----w C:\Program Files\Webroot
2008-01-22 17:51 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Webroot
2008-01-22 17:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Webroot
2008-01-22 17:50 --------- d-----w C:\Documents and Settings\wsudol\Application Data\Webroot
2008-01-22 17:50 --------- d-----w C:\Documents and Settings\wsudol\Application Data\U3
2008-01-22 17:37 --------- d-----w C:\Program Files\NoNAV
2008-01-22 17:33 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-22 17:32 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-01-22 17:32 --------- d-----w C:\Program Files\Symantec
2008-01-22 17:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-22 16:02 --------- d-----w C:\Documents and Settings\administrator.KENNEDYJOHNSON\Application Data\Lavasoft
2008-01-22 15:55 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-22 15:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-05 01:56 1,526,640 ----a-w C:\WINDOWS\WRSetup.dll
2008-01-05 01:34 23,920 ----a-w C:\WINDOWS\system32\drivers\sskbfd.sys
2008-01-05 01:34 21,872 ----a-w C:\WINDOWS\system32\drivers\sshrmd.sys
2008-01-05 01:34 20,336 ----a-w C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-01-05 01:34 163,696 ----a-w C:\WINDOWS\system32\drivers\ssidrv.sys
2008-01-04 17:10 --------- d-----w C:\Program Files\iTunes
2006-07-24 13:54 37,518,744 ----a-w C:\Program Files\iTunesSetup.exe
2006-03-29 02:01 138 -c--a-w C:\Program Files\INSTALL.LOG
2005-08-26 18:06 561,152 ----a-w C:\Documents and Settings\tempuser\chatlnk.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-16 19:51 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2003-09-19 16:35 114688]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 19:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-13 00:10 335872]
"BluetoothAuthenticationAgent"="rundll32.exe" [2004-08-04 02:56 33280 C:\WINDOWS\system32\rundll32.exe]
"Mouse Suite 98 Daemon"="ICO.EXE" []
"HKSERV.EXE"="C:\Program Files\Sony\HotKey Utility\HKserv.exe" [2003-08-14 13:00 90112]
"Switcher.exe"="C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2003-01-15 15:07 217088]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 13:29 40960]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 00:08 28672]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 02:56 143360]
"atltu.exe"="C:\WINDOWS\atltu.exe" [ ]
"crai.exe"="C:\WINDOWS\system32\crai.exe" [ ]
"msxh.exe"="C:\WINDOWS\system32\msxh.exe" [ ]
"sdkbt32.exe"="C:\WINDOWS\sdkbt32.exe" [ ]
"atlac32.exe"="C:\WINDOWS\system32\atlac32.exe" [ ]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 11:43 228088]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]

C:\Documents and Settings\wsudol\Start Menu\Programs\Startup\
RABCO - Auto Update.lnk - C:\Program Files\RABCO\RABCOse.exe [2008-02-27 11:45:07 183216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 00:19:50 217193]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hxpnzfvt]
hxpnzfvt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0027C96]
__c0027C96.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c007C7F9]
__c007C7F9.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2961639640-4054678398-3167640561-1124\Scripts\Logon\0\0]
"Script"=\\kennedyjohnsonlaw.local\sysvol\kennedyjohnsonlaw.local\scripts\login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2961639640-4054678398-3167640561-1124\Scripts\Logon\1\0]
"Script"=\\kennedyjohnsonlaw.local\sysvol\kennedyjohnsonlaw.local\scripts\login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2961639640-4054678398-3167640561-1128\Scripts\Logon\0\0]
"Script"=\\kennedyjohnsonlaw.local\sysvol\kennedyjohnsonlaw.local\scripts\login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2961639640-4054678398-3167640561-1128\Scripts\Logon\1\0]
"Script"=\\kennedyjohnsonlaw.local\sysvol\kennedyjohnsonlaw.local\scripts\login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2961639640-4054678398-3167640561-1143\Scripts\Logon\0\0]
"Script"=\\kennedyjohnsonlaw.local\sysvol\kennedyjohnsonlaw.local\scripts\login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2961639640-4054678398-3167640561-1143\Scripts\Logon\1\0]
"Script"=\\kennedyjohnsonlaw.local\sysvol\kennedyjohnsonlaw.local\scripts\login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2961639640-4054678398-3167640561-1156\Scripts\Logon\0\0]
"Script"=\\kennedyjohnsonlaw.local\sysvol\kennedyjohnsonlaw.local\scripts\login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2961639640-4054678398-3167640561-1156\Scripts\Logon\1\0]
"Script"=\\kennedyjohnsonlaw.local\sysvol\kennedyjohnsonlaw.local\scripts\login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2961639640-4054678398-3167640561-1162\Scripts\Logon\0\0]
"Script"=\\kennedyjohnsonlaw.local\sysvol\kennedyjohnsonlaw.local\scripts\login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2961639640-4054678398-3167640561-1162\Scripts\Logon\1\0]
"Script"=\\kennedyjohnsonlaw.local\sysvol\kennedyjohnsonlaw.local\scripts\login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2961639640-4054678398-3167640561-500\Scripts\Logon\0\0]
"Script"=\\kennedyjohnsonlaw.local\sysvol\kennedyjohnsonlaw.local\scripts\login.bat

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 oibtvcom;Bluetooth Virtual COM Port;C:\WINDOWS\system32\Drivers\oivmvcom.sys [2003-03-14 13:12]
R3 oivmctrl;VCOMM Device Controller;C:\WINDOWS\system32\Drivers\oivmctrl.sys [2003-01-06 20:20]
R3 SPI;Sony Programmable I/O Control Device;C:\WINDOWS\system32\DRIVERS\SonyPI.sys [2002-08-20 14:59]
S1 wmilibb;wmilibb;C:\WINDOWS\system32\drivers\wmilibb.sys []
S2 Parclass;Parclass;C:\WINDOWS\system32\Drivers\Parclass.sys [2000-04-04 12:27]
S3 F5U103BD;Belkin F5U103 USB-RS232 Bus Driver;C:\WINDOWS\system32\DRIVERS\F5U103BD.SYS [2001-08-09 10:39]
S3 F5U103UD;Belkin F5U103 USB-RS232 Port Driver;C:\WINDOWS\system32\DRIVERS\F5U103UD.SYS [2001-08-09 10:39]
S3 fa410;NETGEAR FA410TX Fast Ethernet PC Card Driver;C:\WINDOWS\system32\DRIVERS\fa410nd5.sys [2001-08-17 07:12]
S3 ICDSX;Sony IC Recorder (SX);C:\WINDOWS\system32\Drivers\ICDSX.sys [2003-10-01 17:44]
S3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2007-01-18 10:24]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46d76010-5ee6-11dc-ad72-080046cca87a}]
\Shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55faae60-c912-11dc-ade4-000e3516ee2c}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-12-18 02:59:26 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2005-01-03 19:06:29 C:\WINDOWS\Tasks\Registration reminder 1.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2005-01-03 19:06:29 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2005-01-03 19:06:29 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-01 20:59:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\qnemk.dat:ygiwo 134068 bytes executable
C:\WINDOWS\KB894391.log:gthcft 92645 bytes executable
C:\WINDOWS\_default.pif:esdkws 92645 bytes executable
C:\WINDOWS\_default.pif:patxv 134068 bytes executable
C:\WINDOWS\_default.pif:qqfyn 92645 bytes executable
C:\WINDOWS\_default.pif:suuvt 134068 bytes executable

scan completed successfully
hidden files: 6

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\RABCO\X_RABCOse.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-03-01 21:06:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-02 02:05:41
.
2008-02-14 15:43:10 --- E O F ---

The log of HijackThis follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:56, on 2008-03-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\RABCO\X_RABCOse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\WSUDOL\Application Data\Mozilla\Profiles\default\2foyikaj.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] "C:\Program Files\Sony\HotKey Utility\HKserv.exe"
O4 - HKLM\..\Run: [Switcher.exe] "C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [VAIO Recovery] "C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe"
O4 - HKLM\..\Run: [Synchronization Manager] "C:\WINDOWS\system32\mobsync.exe" /logon
O4 - HKLM\..\Run: [atltu.exe] C:\WINDOWS\atltu.exe
O4 - HKLM\..\Run: [crai.exe] C:\WINDOWS\system32\crai.exe
O4 - HKLM\..\Run: [msxh.exe] C:\WINDOWS\system32\msxh.exe
O4 - HKLM\..\Run: [sdkbt32.exe] C:\WINDOWS\sdkbt32.exe
O4 - HKLM\..\Run: [atlac32.exe] C:\WINDOWS\system32\atlac32.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - Startup: RABCO - Auto Update.lnk = C:\Program Files\RABCO\RABCOse.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www.midhudsonmls.com/XMLSearch/XMLCache.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1104782197783
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://ts.kjglaw.com/tsweb/msrdp.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = kennedyjohnsonlaw.local
O17 - HKLM\Software\..\Telephony: DomainName = kennedyjohnsonlaw.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = kennedyjohnsonlaw.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = kennedyjohnsonlaw.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = kennedyjohnsonlaw.local
O20 - Winlogon Notify: hxpnzfvt - hxpnzfvt.dll (file missing)
O20 - Winlogon Notify: __c0027C96 - __c0027C96.dat (file missing)
O20 - Winlogon Notify: __c007C7F9 - __c007C7F9.dat (file missing)
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\addpx.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10710 bytes

Your advice would be appreciated to resolve this problem. Thank you.

#2 Walter Sudol

  • Topic Starter


Posted 04 March 2008 - 03:26 PM

I have some further information regarding this problem. I checked the computer again today, March 4, 2008. It appears that the constant pop-ups have stopped, although the computer is still slow surfing the internet. I noticed that the C drive still has a red X, but I am able to access the files on the C drive. I decided to look at the D drive and I have an excess number of tmp files named pos2C1, pos2C2, pos2C3, pos2C4, ... , pos498, pos499. I quickly counted the number of these files and there are over 400, and they all have the time stamp of 2008-02-27 23:53.

Walt Sudol

#3 Blender



  • Malware Response Team

Posted 06 March 2008 - 01:15 AM

Hi and welcome,

Sorry for delay.
If you still need help and are not receiving help elsewhere, please post a fresh HijackThis log here.

Thanks



