
Trojan/virus Infected In Svchost.exe



#1 G-Hots

G-Hots

  • Members
  • 6 posts
  • OFFLINE
  • Gender:Male
  • Location:United States
  • Local time:12:39 PM

Posted 19 April 2008 - 12:19 AM

Hi everyone. I got this virus at least a year ago and it has been a pain in the ass for me. What it basically does is it triggers the virus inside the svchost.exe and uses 100% of my 1GB RAM from time to time, randomly.
I make music on my computer and I really need my RAM, or else I can't do anything on this computer.

Any help will be appreciated.

Thanks again, guys.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:01:57 AM, on 4/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Roland\VSC32\vsc32cnf.exe
C:\Program Files\Roland\VSC32\vscvol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
F2 - REG:system.ini: Shell=explorer.exe activexdebugger32.exe
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: IECatcher Class - {0682E46A-7040-4049-A6FD-0BCFBC673AD8} - C:\Program Files\FlashDownloader\IntQd.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [VZRemoteCommander] C:\Program Files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [vsc32cnf.exe] C:\Program Files\Roland\VSC32\vsc32cnf.exe
O4 - HKLM\..\Run: [vscvol.exe] C:\Program Files\Roland\VSC32\vscvol.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = ?
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Download by FlashDownloader - C:\Program Files\FlashDownloader\IntQd.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://filelodge.bolt.com/ImageUploader3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment Task Scheduler - Sony Corporation - C:\Program Files\Sony\vaio entertainment\VzTaskScheduler.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

--
End of file - 11721 bytes




#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:05:39 PM

Posted 19 April 2008 - 04:41 AM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: Shell=explorer.exe activexdebugger32.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the file paths and pressing Control + C:

C:\Windows\System32\activexdebugger32.exe
C:\Windows\System32\KTKBDHK3.DLL


Open 'File' in the Killbox menu at the top and choose Paste from clipboard.
You must use the File menu; pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and ask if you would like to reboot now; click "yes".
Click OK at any Pending File Rename Operations prompt, and let me know if these appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

I want you to clean your cache and cookies from your internet explorer.
There are a few infected files which need to be removed from your system.

° Close all instances of Internet Explorer.
° Go to your control panel and open "Internet Options".
° Click on the "General" tab.
° Click the "Delete Cookies" button, then the "Delete Files" button.
° If prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other Temporary files and Empty the Recycle Bin

° Go to start and click on the "run" button.
° Type the following in the box --> cleanmgr and click ok.
° Let it scan your system for files to remove.
° Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
° Press OK to remove them.

Please download Combofix to your desktop.
Double-click combofix.exe to launch the application.

Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

Edited by D-Trojanator, 19 April 2008 - 04:42 AM.
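The entries picked out above (the extra program on the system.ini Shell= line, the orphaned BHO, the blanked start page, the local proxy) and the "Power Manager" service that runs svchost.exe from C:\WINDOWS instead of System32 are what a helper checks by eye when reading a log like this. The following is an added example, not code from the thread or from HijackThis, that encodes those checks as a small parser; it runs over constructed sample lines in HijackThis's line format, and the severity labels are this example's own.

```python
"""Triage the autostart-related lines of a HijackThis v2 log (added example)."""
import ntpath
import re
from typing import List, Tuple

# Constructed sample in HijackThis format, modelled on the entries discussed above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
F2 - REG:system.ini: Shell=explorer.exe activexdebugger32.exe
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

Hit = Tuple[str, str]                   # (severity, reason) produced by one check
Finding = Tuple[str, str, str]          # (severity, offending log line, reason)

EXPECTED_SHELL = "explorer.exe"         # stock system.ini Shell= value on Windows XP
EXPECTED_USERINIT = "userinit.exe"      # stock UserInit= value (full path and trailing comma allowed)
SYSTEM_DIRS = {r"c:\windows\system32"}  # the only place the real svchost.exe lives on XP
LINE_RE = re.compile(r"^(R0|R1|F2|O2|O23) - (.*)$")


def _check_f2(rest: str) -> List[Hit]:
    """system.ini keys: anything beyond the stock value is started at every logon."""
    m = re.match(r"REG:system\.ini:\s*(Shell|UserInit)=(.*)", rest, re.I)
    if not m:
        return []
    key, value = m.group(1).lower(), m.group(2).strip()
    if key == "shell":
        tokens = value.split()
        extra = [t for t in tokens if t.lower() != EXPECTED_SHELL]
        if extra or not tokens:
            return [("high", "Shell= loads extra program(s) at logon: " + (" ".join(extra) or "<empty>"))]
        return []
    names = [ntpath.basename(p.strip()).lower() for p in value.split(",") if p.strip()]
    if names != [EXPECTED_USERINIT]:
        return [("high", "UserInit= is not the stock userinit.exe: " + value)]
    return []


def _check_o2(rest: str) -> List[Hit]:
    """BHO whose DLL is gone: a CLSID left behind by an uninstall or an earlier removal."""
    if rest.startswith("BHO:") and rest.rstrip().endswith("(no file)"):
        return [("low", "orphaned BHO: CLSID registered but DLL missing")]
    return []


def _check_o23(rest: str) -> List[Hit]:
    """Services: flag a svchost.exe that is not the one in System32, and unknown owners."""
    parts = rest.rsplit(" - ", 2)
    if not rest.startswith("Service:") or len(parts) != 3:
        return []
    _, owner, path = parts
    path = re.sub(r"\s*\(file missing\)$", "", path.strip())
    hits: List[Hit] = []
    if ntpath.basename(path).lower() == "svchost.exe" and ntpath.dirname(path).lower() not in SYSTEM_DIRS:
        hits.append(("high", "svchost.exe registered as a service outside System32: " + path))
    if owner.strip().lower() == "unknown owner":
        hits.append(("low", "service binary carries no company/owner string"))
    return hits


def _check_r(rest: str) -> List[Hit]:
    """R0/R1 browser settings: a local proxy or a blanked start page deserves a look."""
    m = re.match(r"(.*?),([\w ]+) = (.*)$", rest)
    if not m:
        return []
    key, value = m.group(2), m.group(3).strip()
    if key == "ProxyServer" and re.match(r"^(127\.0\.0\.1|localhost):\d+$", value, re.I):
        return [("medium", f"IE proxies through a local port ({value}); confirm which program listens there")]
    if key == "Start Page" and value.lower() == "about:blank":
        return [("low", "Start Page is about:blank; helpers typically reset it after a hijack")]
    return []


CHECKS = {"R0": _check_r, "R1": _check_r, "F2": _check_f2, "O2": _check_o2, "O23": _check_o23}


def triage(log_text: str) -> List[Finding]:
    """Return (severity, line, reason) for every log line that trips a check."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        code, rest = m.groups()
        for severity, reason in CHECKS[code](rest):
            findings.append((severity, line, reason))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Lines the checks do not understand (O4 Run entries, for instance) pass through silently, so a clean result means only that none of these particular patterns fired.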


#3 G-Hots

G-Hots
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Gender:Male
  • Location:United States
  • Local time:12:39 PM

Posted 20 April 2008 - 01:08 AM

Hi David. Thanks for your help. I followed all the directions and here are the logs.
Thank you very much.

Combofix

ComboFix 08-04-18.3 - cihan 2008-04-19 20:12:38.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.568 [GMT -4:00]
Running from: C:\Documents and Settings\cihan\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\cihan\Application Data\FNTS~1
C:\Documents and Settings\Guest\Start Menu\Programs\Startup\think-adz.lnk
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\asks~1
C:\WINDOWS\pf78.exe
C:\WINDOWS\ssqbn.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\atmtd.dll.tmp
C:\WINDOWS\system32\bang-006.ico
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\lsprst7.dll
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\ssprs.dll
C:\WINDOWS\system32\vsl05.exe
C:\WINDOWS\system32\wapisvsu.exe
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\uninst2.htm
C:\WINDOWS\unist1.htm

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_POWERMANAGER
-------\Service_cmdService
-------\Service_PowerManager


((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))
.

2008-04-19 19:53 . 2008-04-19 19:56 <DIR> d-------- C:\!KillBox
2008-04-18 06:07 . 2008-04-18 06:07 <DIR> d-------- C:\3b58fdde9c9afff56d257487
2008-04-18 06:06 . 2008-04-18 06:06 <DIR> d-------- C:\1bbe8ae19eefb2527da51940
2008-04-13 13:08 . 2008-04-13 13:08 <DIR> d-------- C:\Program Files\FM Modifier 2.2
2008-04-10 16:26 . 2008-04-10 16:26 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-10 10:44 . 2008-04-10 10:44 <DIR> d-------- C:\Program Files\Antares Auto-Tune DX
2008-04-09 19:34 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-09 19:34 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-04-09 19:34 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-08 21:48 . 2008-04-08 21:49 <DIR> d-------- C:\Program Files\Windows Live
2008-04-08 21:48 . 2008-04-08 21:49 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-08 21:48 . 2008-04-08 21:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-05 01:13 . 2008-04-05 01:13 <DIR> d-------- C:\Start Menu
2008-04-04 15:01 . 2008-04-04 15:01 <DIR> d-------- C:\Documents and Settings\cihan\Application Data\Thinstall
2008-03-30 03:33 . 2008-04-15 15:48 <DIR> d-------- C:\Documents and Settings\cihan\Application Data\Audacity
2008-03-26 14:29 . 2008-03-26 14:29 <DIR> d-------- C:\Program Files\TCWorks
2008-03-26 14:25 . 2001-04-16 09:16 951,284 --a------ C:\WINDOWS\system32\drivers\vsc.sys
2008-03-26 14:25 . 1998-10-02 19:00 327,168 --a------ C:\WINDOWS\IsUninst.exe
2008-03-26 14:25 . 2000-09-12 09:33 204,800 --a------ C:\WINDOWS\system32\vsc32cnf.cpl
2008-03-26 14:25 . 2001-03-13 11:15 118,876 --a------ C:\WINDOWS\system32\vscapi.dll
2008-03-26 14:25 . 2008-03-26 14:25 260 --a------ C:\WINDOWS\_delis32.ini
2008-03-26 14:25 . 2008-03-26 14:25 41 --a------ C:\WINDOWS\wininit.ini
2008-03-26 14:18 . 2008-03-26 14:25 <DIR> d-------- C:\Program Files\Roland
2008-03-26 14:16 . 2008-03-26 14:16 <DIR> d-------- C:\Program Files\KORG
2008-03-26 14:16 . 2008-03-26 14:16 <DIR> d-------- C:\Program Files\Common Files\KORG
2008-03-26 14:15 . 2008-03-26 14:15 <DIR> d-------- C:\Program Files\iZotope
2008-03-26 14:15 . 2008-03-26 14:15 <DIR> d-------- C:\Program Files\Common Files\iZotope
2008-03-26 14:08 . 1999-12-17 10:13 86,016 --a------ C:\WINDOWS\unvise32.exe
2008-03-26 13:56 . 2003-08-27 17:54 258,049 --a------ C:\WINDOWS\LOOP.exe
2008-03-26 13:17 . 2008-03-26 13:17 1,025 --a------ C:\WINDOWS\system32\sysprs7.tgz
2008-03-26 13:17 . 2008-03-26 13:17 1,025 --a------ C:\WINDOWS\system32\sysprs7.dll
2008-03-26 13:17 . 2008-03-26 13:17 1,025 --a------ C:\WINDOWS\system32\clauth2.dll
2008-03-26 13:17 . 2008-03-26 13:17 1,025 --a------ C:\WINDOWS\system32\clauth1.dll
2008-03-26 13:17 . 2008-04-11 00:23 219 --a------ C:\WINDOWS\system32\lsprst7.tgz
2008-03-26 13:17 . 2008-04-11 00:23 87 --a------ C:\WINDOWS\system32\ssprs.tgz
2008-03-26 00:22 . 2008-03-26 00:27 <DIR> d--h----- C:\Program Files\Zero G Registry
2008-03-26 00:21 . 2008-03-26 00:21 <DIR> d--h----- C:\Documents and Settings\cihan\InstallAnywhere
2008-03-25 23:39 . 2008-03-25 23:39 <DIR> d-------- C:\WINDOWS\usb-audio.deTascam
2008-03-25 23:39 . 2007-02-01 15:38 106,496 --------- C:\WINDOWS\system32\US-122L_US-144.CPL
2008-03-25 23:37 . 2007-02-01 15:38 406,784 --a------ C:\WINDOWS\system32\drivers\tascusb2.sys
2008-03-25 23:37 . 2007-02-01 15:38 19,904 --a------ C:\WINDOWS\system32\drivers\tscusb2a.sys
2008-03-25 23:37 . 2007-02-01 15:38 10,912 --a------ C:\WINDOWS\system32\drivers\tscusb2m.sys
2008-03-25 23:35 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-03-25 23:35 . 2004-08-03 23:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-03-25 21:33 . 2008-03-25 21:33 <DIR> d-------- C:\Program Files\D-Tools
2008-03-25 21:33 . 2004-08-22 16:31 155,136 --a------ C:\WINDOWS\system32\drivers\d347bus.sys
2008-03-25 21:33 . 2004-08-22 16:31 5,248 --a------ C:\WINDOWS\system32\drivers\d347prt.sys
2008-03-25 20:54 . 2008-03-25 20:54 <DIR> d-------- C:\Program Files\DNA
2008-03-25 20:54 . 2008-03-25 20:54 <DIR> d-------- C:\Program Files\BitTorrent
2008-03-25 20:54 . 2008-03-25 20:54 <DIR> d-------- C:\Program Files\Audacity 1.3 Beta
2008-03-25 20:54 . 2008-04-19 20:27 <DIR> d-------- C:\Documents and Settings\cihan\Application Data\DNA
2008-03-25 19:05 . 2008-04-09 10:14 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-03-25 18:22 . 2007-07-09 09:16 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-18 10:09 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-04-05 05:04 --------- d-----w C:\Program Files\Vstplugins
2008-04-03 05:39 --------- d-----w C:\Documents and Settings\cihan\Application Data\BitTorrent
2008-03-31 15:19 --------- d-----w C:\Program Files\Sony
2008-03-26 18:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-26 04:22 --------- d-----w C:\Program Files\Sports Interactive
2008-03-26 01:32 611,064 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-03-26 01:19 --------- d-----w C:\Program Files\ESET
2008-03-25 23:54 --------- d-----w C:\Program Files\Valve
2008-03-25 23:17 --------- d-----w C:\Program Files\Microsoft Works
2008-03-25 23:09 --------- d-----w C:\Program Files\DivX
2008-03-25 23:06 --------- d-----w C:\Program Files\Ares
2008-03-25 23:02 --------- d-----w C:\Documents and Settings\cihan\Application Data\Aim
2008-03-25 23:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-07-27 04:15 0 ----a-w C:\Documents and Settings\cihan\Application Data\wklnhst.dat
2006-10-06 03:17 57,064 ----a-w C:\Documents and Settings\cihan\Application Data\GDIPFONTCACHEV1.DAT
2006-09-12 05:03 24,192 ----a-w C:\Documents and Settings\cihan\usbsermptxp.sys
2006-09-12 05:03 22,768 ----a-w C:\Documents and Settings\cihan\usbsermpt.sys
2006-08-05 17:32 0 ----a-w C:\Documents and Settings\cihan\Application Data\internaldb41.dat
1999-12-07 15:35 432,912 ----a-w C:\Documents and Settings\cihan\iis2.dll
2005-07-29 20:24 472 --sha-r C:\WINDOWS\ZGVyeWEgaw\t3pVyqH0uT.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0682E46A-7040-4049-A6FD-0BCFBC673AD8}]
2004-09-23 08:14 36864 --a------ C:\Program Files\FlashDownloader\IntQd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-12-16 13:57 94208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 13:23 68856]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-04-11 12:49 288576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-02-17 18:31 5406720]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2003-11-07 20:21 114688]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 01:08 28672]
"SonyPowerCfg"="C:\Program Files\Sony\VAIO Power Management\SPMgr.exe" [2005-01-14 20:18 184320]
"ISBMgr.exe"="C:\Program Files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 18:12 32768]
"VAIO Update 2"="C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-01-14 17:43 186880]
"Mouse Suite 98 Daemon"="ICO.EXE" []
"VZRemoteCommander"="C:\Program Files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe" [2005-01-31 14:10 192512]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"InvisibleBrowsing"="" []
"EPSON Stylus CX4600 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.exe" [2004-03-04 04:00 98304]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 09:14 270648]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-07-27 00:59 921600]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05 81920]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 13:36 14854144 C:\WINDOWS\RTHDCPL.EXE]
"vsc32cnf.exe"="C:\Program Files\Roland\VSC32\vsc32cnf.exe" [2000-02-07 03:02 36864]
"vscvol.exe"="C:\Program Files\Roland\VSC32\vscvol.exe" [2000-02-08 23:19 36864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2005-07-19 21:20 186880]
"kcunh"="C:\WINDOWS\system32\onjuge.exe" [ ]
"DWQueuedReporting"="c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-08-23 18:22:33 113664]
Icatch(VI) SnapDetect.lnk - C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe [2005-10-12 13:12:56 65536]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Valve\\hl.exe"=
"C:\\Documents and Settings\\cihan\\ext\\GAME.EXE"=
"C:\\Program Files\\FileZilla\\FileZilla.exe"=
"C:\\Program Files\\Valve\\hlds.exe"=
"C:\\Program Files\\Valve\\hltv.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Invisible Browsing\\InvisibleBrowsing.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\BocekYazilim\\OkeyNet+\\OkeyNet.exe"=
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\kdx\\KHost.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"C:\\Documents and Settings\\cihan\\Application Data\\Thinstall\\LimeWire PRO 4.17.3\\4000002500002i\\LimeWire.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe [2002-12-17 21:26]
R2 RVIEGVST;VSC VST Engine;C:\Program Files\Roland\Virtual Sound Canvas VST\RVIEg01VST.sys [2001-04-13 19:18]
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
R3 TASCAM_US122144;TASCAM USB 2.0 Audio Device driver;C:\WINDOWS\system32\Drivers\tascusb2.sys [2007-02-01 15:38]
R3 TASCAM_US144_MIDI;TASCAM US-144 WDM MIDI Device;C:\WINDOWS\system32\drivers\tscusb2m.sys [2007-02-01 15:38]
R3 TASCAM_US144_WDM;TASCAM US-144 WDM;C:\WINDOWS\system32\drivers\tscusb2a.sys [2007-02-01 15:38]
R3 vsc32;Virtual Sound Canvas 3.2;C:\WINDOWS\system32\DRIVERS\vsc.sys [2001-04-16 09:16]
S3 jatmlano;jatmlano;C:\DOCUME~1\cihan\LOCALS~1\Temp\jatmlano.sys []
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE [2002-12-17 21:23]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{70fea2cc-612e-11db-9624-00014a5d3d7a}]
\Shell\AutoRun\command - G:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71e41b18-5c5a-11da-9524-000b23982ad3}]
\Shell\AutoRun\command - J:\RunGame.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71e41b19-5c5a-11da-9524-000b23982ad3}]
\Shell\AutoRun\command - K:\RunGame.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d0e04e3a-3413-11dc-9759-0012f048d355}]
\Shell\Auto\command - G:\activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - G:\activexdebugger32.exe f
\Shell\open\Command - G:\activexdebugger32.exe f

.
Contents of the 'Scheduled Tasks' folder
"2008-04-13 14:02:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-20 00:40:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{1405E5E7-C5DF-46CF-8A71-CFF20894A962}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-19 20:30:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\explorer.exe [2080] 0x85C22620

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 5

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-04-19 20:43:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-20 00:43:52

Pre-Run: 7,630,962,688 bytes free
Post-Run: 9,789,992,960 bytes free

250 --- E O F --- 2008-04-13 00:40:56




Hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:07:38 AM, on 4/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Roland\VSC32\vsc32cnf.exe
C:\Program Files\Roland\VSC32\vscvol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: IECatcher Class - {0682E46A-7040-4049-A6FD-0BCFBC673AD8} - C:\Program Files\FlashDownloader\IntQd.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [VZRemoteCommander] C:\Program Files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [vsc32cnf.exe] C:\Program Files\Roland\VSC32\vsc32cnf.exe
O4 - HKLM\..\Run: [vscvol.exe] C:\Program Files\Roland\VSC32\vscvol.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = ?
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Download by FlashDownloader - C:\Program Files\FlashDownloader\IntQd.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://filelodge.bolt.com/ImageUploader3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment Task Scheduler - Sony Corporation - C:\Program Files\Sony\vaio entertainment\VzTaskScheduler.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

--
End of file - 11337 bytes



#4 -David-

Posted 20 April 2008 - 07:08 AM

Good work, let's continue.. :thumbsup:

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into Safe Mode.
Make sure you choose the option without networking support.

Using Windows Explorer, please locate the following files/folders, and delete them if still present:

C:\WINDOWS\_delis32.ini
C:\WINDOWS\LOOP.exe
C:\WINDOWS\ZGVyeWEgaw <--folder
G:\activexdebugger32.exe

Reboot back into normal mode.

Please open Notepad and copy and paste the next bold text into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mouse Suite 98 Daemon"=-
"InvisibleBrowsing"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"kcunh"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d0e04e3a-3413-11dc-9759-0012f048d355}]

Save this as "fix.reg". Choose to save as *all files* and place it on your desktop.
Double-click on it and, when it asks you if you want to merge the contents into the registry, click Yes/OK.

Open notepad and copy and paste the following text in the quote box into the window:

@echo off
sc stop jatmlano
sc delete jatmlano

Save this as fix.bat.
Choose to save as all files.
Double-click fix.bat and let the program run.
A small black DOS window will flash; this is normal.

Download GMER from Here
Right Click the Zip and Select "Extract All"
Double Click gmer.exe to launch the program.

Click on the Rootkit Tab and then click Scan.
It takes a while to run, once complete, copy the results to notepad and save them somewhere safe.
Post those results in the next reply.

Edited by D-Trojanator, 20 April 2008 - 07:08 AM.
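As an added example (not from this thread and not part of HijackThis, ComboFix or GMER), here is a small Python triage script that applies the kind of checks a helper makes by eye to log lines constructed from the HijackThis and ComboFix output posted above: Run entries with no path, services whose binary is gone, a browser proxy pointing at the local machine, and removable-drive shell verbs redirected to an executable. The rule names and heuristics are my own assumptions; they flag entries for review and do not decide what is malicious.

```python
"""Triage helper for HijackThis / ComboFix-style log lines.

Constructed example for this thread; it is not code from HijackThis,
ComboFix or GMER. Rule names and heuristics are the example author's own.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (rule name, offending log line)

# Sample lines constructed from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
\Shell\AutoRun\command - G:\LaunchU3.exe
\Shell\Auto\command - G:\activexdebugger32.exe f
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL activexdebugger32.exe f
\Shell\explore\Command - G:\activexdebugger32.exe f
\Shell\open\Command - G:\activexdebugger32.exe f
""".strip()

# HijackThis "O4" Run entry: hive, value name in brackets, then the command.
RUN_RE = re.compile(r"^O4 - .+?\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# HijackThis "O23" service entry: display name - owner - binary path.
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# HijackThis "R1" proxy setting.
PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (?P<proxy>\S+)$")
# ComboFix MountPoints2 dump: \Shell\<verb>\command - <command line>.
SHELL_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command - (?P<cmd>.+)$", re.IGNORECASE)

# Drive verbs that, when redirected, run a program on double-click or
# right-click "Explore" of the drive rather than on insertion only.
REDIRECT_VERBS = ("open", "explore", "auto")
LOOPBACK_HOSTS = ("127.0.0.1", "localhost")


def first_token(cmd: str) -> str:
    """Return the program part of a command line, honouring surrounding quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def check_line(line: str) -> List[Finding]:
    """Apply the review heuristics to one log line and return any findings."""
    findings: List[Finding] = []
    m = RUN_RE.match(line)
    if m:
        # A bare file name is resolved through the search path at logon,
        # so the entry gives no hint of which binary actually runs.
        if "\\" not in first_token(m.group("cmd")):
            findings.append(("run-entry-without-path", line))
        return findings
    m = SERVICE_RE.match(line)
    if m:
        if "(file missing)" in m.group("path"):
            findings.append(("service-binary-missing", line))
        elif m.group("owner") == "Unknown owner":
            findings.append(("service-unknown-owner", line))
        return findings
    m = PROXY_RE.match(line)
    if m:
        host = m.group("proxy").rsplit(":", 1)[0]
        if host in LOOPBACK_HOSTS:
            # Browser traffic goes through a local listener; verify which program owns it.
            findings.append(("loopback-proxy", line))
        return findings
    m = SHELL_RE.match(line)
    if m:
        if m.group("verb").lower() in REDIRECT_VERBS:
            findings.append(("drive-verb-redirected", line))
        if "shellexec_rundll" in m.group("cmd").lower():
            # Indirect launch via rundll32 hides the real target from a casual glance.
            findings.append(("autorun-via-rundll32", line))
        return findings
    return findings


def triage(text: str) -> List[Finding]:
    """Run check_line over every non-blank line of a pasted log."""
    return [f for line in text.splitlines() if line.strip() for f in check_line(line)]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule name."""
    return dict(Counter(rule for rule, _ in findings))


if __name__ == "__main__":
    for rule, hit in triage(SAMPLE_LOG):
        print(f"[{rule}] {hit}")
```

Entries it flags (the bare ICO.EXE Run value, the missing AVG service binary, the loopback proxy and the four redirected MountPoints2 verbs) are exactly the ones a human review would want to look at; the legitimate G:\LaunchU3.exe AutoRun entry is left alone.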


#5 G-Hots (Topic Starter)

Posted 20 April 2008 - 10:08 PM

Alright brother. I went through every step, and here is the log from GMER.

GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-04-20 23:06:19
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT d347bus.sys (PnP BIOS Extension/ ) ZwClose [0xF73D6818]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreateKey [0xF73D67D0]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreatePagingFile [0xF73CAA20]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateKey [0xF73CB2A8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateValueKey [0xF73D6910]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwOpenKey [0xF73D6794]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryKey [0xF73CB2C8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryValueKey [0xF73D6866]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwSetSystemPowerState [0xF73D60B0]
SSDT sptd.sys ZwSetValueKey [0xF740D226]

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F632662C 5 Bytes JMP 86CF9970
.text vaxscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 F5F3B4D0 16 Bytes [ E1, 1E, 0D, FB, F0, 01, 72, ... ]
.text vaxscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 + 11 F5F3B4E1 31 Bytes [ A0, F3, F5, B4, 59, 7D, 85, ... ]
? C:\WINDOWS\System32\Drivers\vaxscsi.sys The process cannot access the file because it is being used by another process.

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\internet explorer\iexplore.exe[3188] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3188] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A1712 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3188] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A1693 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3188] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A16D7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3188] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A161F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3188] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A1659 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3188] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 430A174D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[3188] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F742D7AE] sptd.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 86FD21D8

AttachedDevice \FileSystem\Ntfs \Ntfs amon.sys (Amon monitor/Eset )

Device \FileSystem\Udfs \UdfsCdRom 86D7A668
Device \FileSystem\Udfs \UdfsCdRom 86E9C0C0
Device \FileSystem\Udfs \UdfsDisk 86D7A668
Device \FileSystem\Udfs \UdfsDisk 86E9C0C0
Device \Driver\tifmsony \Device\0000008f sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\tifmsony \Device\TIFMDEVICE-0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\usbuhci \Device\USBPDO-0 86CED990
Device \Driver\usbuhci \Device\USBPDO-1 86CED990
Device \Driver\usbuhci \Device\USBPDO-2 86CED990
Device \Driver\usbuhci \Device\USBPDO-3 86CED990
Device \Driver\usbehci \Device\USBPDO-4 86D471D8
Device \Driver\00000039 \Device\00000055 sptd.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 86FD41D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 86FD41D8
Device \FileSystem\Rdbss \Device\FsWrap 86984380
Device \Driver\atapi \Device\Ide\IdePort0 86B8E918
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 86B8E918
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 86B8E918
Device \Driver\NetBT \Device\NetBT_Tcpip_{3F07B028-5757-4B55-82E4-00C47143C44F} 86B86990
Device \Driver\NetBT \Device\NetBt_Wins_Export 86B86990
Device \Driver\NetBT \Device\NetbiosSmb 86B86990
Device \Driver\NetBT \Device\NetBT_Tcpip_{0D73483A-53BA-4209-B3AC-9A16F53CFC99} 86B86990
Device \FileSystem\Srv \Device\LanmanServer 86BF6FB0
Device \Driver\usbuhci \Device\USBFDO-0 86CED990
Device \Driver\usbuhci \Device\USBFDO-1 86CED990
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 861571D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 86B98B70
Device \Driver\usbuhci \Device\USBFDO-2 86CED990
Device \FileSystem\MRxSmb \Device\LanmanRedirector 861571D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 86B98B70
Device \Driver\usbuhci \Device\USBFDO-3 86CED990
Device \FileSystem\Npfs \Device\NamedPipe 86B7EFB0
Device \Driver\usbehci \Device\USBFDO-4 86D471D8
Device \Driver\Ftdisk \Device\FtControl 86FD41D8
Device \FileSystem\Msfs \Device\Mailslot 86960FB0
Device \Driver\vaxscsi \Device\Scsi\vaxscsi1 86BD1990
Device \Driver\d347prt \Device\Scsi\d347prt1Port1Path0Target0Lun0 86B97008
Device \Driver\d347prt \Device\Scsi\d347prt1 86B97008
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 86BD8160
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 86BD8160
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 86BD8160
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 86BD8160
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 86BD8160
Device \FileSystem\Cdfs \Cdfs 86C33990
Device \FileSystem\Cdfs \Cdfs 85DA58A0

---- Modules - GMER 1.0.14 ----

Module _________ F7335000-F734D000 (98304 bytes)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@khjeh 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z0 0xAD 0xAD 0x64 0x90 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z1 0x8C 0xAE 0x64 0xFB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z2 0x7E 0xAB 0x64 0x8F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z3 0x3B 0xA0 0x64 0x12 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z4 0x27 0xBC 0x64 0x96 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z5 0xF9 0xBF 0x64 0xCA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z6 0x84 0xBB 0x64 0x38 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z7 0x0F 0xB7 0x64 0x75 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z8 0x50 0xB2 0x64 0xC9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z9 0x99 0x8D 0x64 0x1C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z10 0xBA 0x88 0x64 0xC2 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z11 0xBC 0x8B 0x64 0x4F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z12 0xAC 0x86 0x64 0xD6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z13 0x8B 0x81 0x64 0xB7 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z14 0x43 0x9C 0x64 0xE8 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z15 0x0A 0x9F 0x64 0x1F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z16 0xAD 0x99 0x64 0x34 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z17 0x4A 0x94 0x64 0x43 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z18 0xC0 0x96 0x64 0x2B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z19 0x4C 0x91 0x64 0xF9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z20 0xBD 0x93 0x64 0x30 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z21 0x11 0xEE 0x64 0x8A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z22 0x7F 0xE8 0x64 0x08 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z23 0xC9 0xEA 0x64 0xAD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@hj34z24 0x02 0xE5 0x64 0x4D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 975744909
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -1789907172
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x7D 0x01 0x0C 0x70 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x3D 0xD5 0x1B 0xF9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x84 0x8D 0xB9 0xD0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0xAE 0x40 0x71 0xCF ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x7D 0x01 0x0C 0x70 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x3D 0xD5 0x1B 0xF9 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x84 0x8D 0xB9 0xD0 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0xAE 0x40 0x71 0xCF ...

---- EOF - GMER 1.0.14 ----



#6 -David-

Posted 21 April 2008 - 01:33 PM

Good work, the GMER log is looking clean so we've got no rootkits installed... :thumbsup:

Please perform this online scan: Kaspersky Webscan
Note that this scanner will only work on Internet Explorer, so please use this browser for the scan.
Read the Requirements and Privacy statement, then select "Accept"
A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
Select "Install" to download the ActiveX controls that allow ActiveScan to run.

When the download is complete it will say "Ready"; click "Next".
Select a target to scan: Click on "My Computer"
When the scan is complete choose to save the results as "Save as Text"
Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.

#7 G-Hots (Topic Starter)

Posted 23 April 2008 - 01:20 PM

Sorry for the late reply, David. I've been having problems with my modem; I couldn't get back to you soon enough.
Here is the Kaspersky AV log.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 23, 2008 6:01:24 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/04/2008
Kaspersky Anti-Virus database records: 722306
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 269941
Number of viruses found: 15
Number of infected objects: 44
Number of suspicious objects: 0
Duration of the scan process: 04:56:35

Infected Object Name / Virus Name / Last Action
C:\!KillBox\KTKBDHK3.DLL Infected: not-a-virus:Monitor.Win32.KeyLogger.o skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sony Corporation\SonicStage\Packages\MtData.ldb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sony Corporation\SonicStage\Packages\MtData.mdb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sony Corporation\VAIO Entertainment Platform\1.0\VzCdb\VzCdb_Mgr.ldf Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sony Corporation\VAIO Entertainment Platform\1.0\VzCdb\VzCdb_Mgr.mdf Object is locked skipped
C:\Documents and Settings\cihan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\cihan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\cihan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\cihan\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\cihan\Local Settings\Temp\SQL.LOG Object is locked skipped
C:\Documents and Settings\cihan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\cihan\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\cihan\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_7bc.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2008-04-22.20-59-35.log Object is locked skipped
C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped
C:\Program Files\ESET\infected\MKAUEUDA.NQF/data0002 Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\Program Files\ESET\infected\MKAUEUDA.NQF/data0003 Infected: Trojan.Win32.VB.tg skipped
C:\Program Files\ESET\infected\MKAUEUDA.NQF/data0006 Infected: Trojan.Win32.VB.tg skipped
C:\Program Files\ESET\infected\MKAUEUDA.NQF/data0007 Infected: Trojan.Win32.VB.tg skipped
C:\Program Files\ESET\infected\MKAUEUDA.NQF NSIS: infected - 4 skipped
C:\Program Files\ESET\infected\MKAUEUDA.NQF PE-Crypt.XorPE: infected - 4 skipped
C:\Program Files\ESET\infected\PCCUBWBA.NQF/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\Program Files\ESET\infected\PCCUBWBA.NQF/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\Program Files\ESET\infected\PCCUBWBA.NQF NSIS: infected - 2 skipped
C:\Program Files\ESET\infected\PCCUBWBA.NQF PE-Crypt.XorPE: infected - 2 skipped
C:\Program Files\ESET\infected\R2USAKBA.NQF/data0002 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\Program Files\ESET\infected\R2USAKBA.NQF/data0003 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\Program Files\ESET\infected\R2USAKBA.NQF NSIS: infected - 2 skipped
C:\Program Files\ESET\infected\R2USAKBA.NQF PE-Crypt.XorPE: infected - 2 skipped
C:\Program Files\ESET\infected\VTPWGECA.NQF Infected: Virus.Win32.Hidrag.a skipped
C:\Program Files\ESET\infected\WHK30FAA.NQF/data.rar/crack.exe Infected: Packed.Win32.Monder.gen skipped
C:\Program Files\ESET\infected\WHK30FAA.NQF/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Small.ury skipped
C:\Program Files\ESET\infected\WHK30FAA.NQF/data.rar/serial.exe Infected: Trojan-Downloader.Win32.Small.tnt skipped
C:\Program Files\ESET\infected\WHK30FAA.NQF/data.rar Infected: Trojan-Downloader.Win32.Small.tnt skipped
C:\Program Files\ESET\infected\WHK30FAA.NQF RarSFX: infected - 4 skipped
C:\Program Files\ESET\infected\WHK30FAA.NQF PE-Crypt.XorPE: infected - 4 skipped
C:\Program Files\ESET\infected\WO4G2ZBA.NQF/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.es skipped
C:\Program Files\ESET\infected\WO4G2ZBA.NQF NSIS: infected - 1 skipped
C:\Program Files\ESET\infected\WO4G2ZBA.NQF PE-Crypt.XorPE: infected - 1 skipped
C:\Program Files\ESET\logs\virlog.dat Object is locked skipped
C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_804.trc Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP655\A0249296.DLL Infected: not-a-virus:Monitor.Win32.KeyLogger.o skipped
C:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP656\A0249316.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP656\A0249316.exe/data0003 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP656\A0249316.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP656\A0249316.exe/data0007 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP656\A0249316.exe NSIS: infected - 4 skipped
C:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP656\A0249317.exe/data0002 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP656\A0249317.exe/data0003 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP656\A0249317.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP656\A0249318.exe Object is locked skipped
C:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP656\A0250421.exe/file01 Infected: not-a-virus:Monitor.Win32.GoldenEye.401 skipped
C:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP656\A0250421.exe/file23 Infected: Trojan.Win32.Hooker.j skipped
C:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP656\A0250421.exe/file24 Infected: Trojan-Spy.Win32.SpyAnyTime.a skipped
C:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP656\A0250421.exe Inno: infected - 3 skipped
C:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP657\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\srvdvzbzpa.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.ep skipped
C:\WINDOWS\srvdvzbzpa.exe NSIS: infected - 1 skipped
C:\WINDOWS\srvwbcqnnp.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\WINDOWS\srvwbcqnnp.exe/stream Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\WINDOWS\srvwbcqnnp.exe NSIS: infected - 2 skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\vaxscsi.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\KMON.OCX Infected: not-a-virus:Monitor.Win32.KeyLogger.o skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\JET2CC8.tmp Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_7fc.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


and here is the new hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:18:02 PM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Roland\VSC32\vsc32cnf.exe
C:\Program Files\Roland\VSC32\vscvol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe
C:\WINDOWS\NOTEPAD.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\cihan\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: IECatcher Class - {0682E46A-7040-4049-A6FD-0BCFBC673AD8} - C:\Program Files\FlashDownloader\IntQd.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [VZRemoteCommander] C:\Program Files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [vsc32cnf.exe] C:\Program Files\Roland\VSC32\vsc32cnf.exe
O4 - HKLM\..\Run: [vscvol.exe] C:\Program Files\Roland\VSC32\vscvol.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = ?
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Download by FlashDownloader - C:\Program Files\FlashDownloader\IntQd.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://filelodge.bolt.com/ImageUploader3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment Task Scheduler - Sony Corporation - C:\Program Files\Sony\vaio entertainment\VzTaskScheduler.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

--
End of file - 11489 bytes


thank you
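The scan report above is the kind of list a helper reads by hand to decide which hits are files still sitting on disk, which are already in the anti-virus quarantine or inside System Restore snapshots (handled by other steps, not by deleting the file), and which objects the scanner simply could not open. As an added example that is not part of this thread and not a feature of the Kaspersky scanner, here is a small Python triage script for that report format. The sample lines are a constructed subset of the report above; the `NON_ACTIONABLE_PREFIXES` list and the bucket names are my own assumptions.

```python
"""Triage of a Kaspersky Online Scanner report (added example, see lead-in)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Locations whose hits are handled by other steps rather than by deleting the
# file: the AV product's own quarantine folder and Windows XP System Restore
# snapshots. Constructed list for this example; compared case-insensitively.
NON_ACTIONABLE_PREFIXES = (
    r"c:\program files\eset\infected",
    r"c:\system volume information\_restore",
)

# One object per line: "<path> <verdict> skipped". Archive members carry a
# '/' after the container path, e.g. "C:\WINDOWS\foo.exe/data0002".
LINE_RE = re.compile(
    r"^(?P<obj>.+?) "
    r"(?P<verdict>Object is locked|Infected: \S+|\S+: infected - \d+) skipped$"
)


@dataclass(frozen=True)
class Finding:
    container: str         # on-disk file; archive members collapse to this
    member: Optional[str]  # path inside the archive, if any
    status: str            # "locked", "infected" or "infected-container"
    name: Optional[str]    # detection name for "Infected:" verdicts


def parse_line(line: str) -> Optional[Finding]:
    """Parse one report line; returns None for blank/summary lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    container, _, member = m.group("obj").partition("/")
    verdict = m.group("verdict")
    if verdict == "Object is locked":
        return Finding(container, member or None, "locked", None)
    if verdict.startswith("Infected: "):
        return Finding(container, member or None, "infected", verdict[len("Infected: "):])
    return Finding(container, member or None, "infected-container", None)


def parse_report(text: str) -> List[Finding]:
    return [f for f in (parse_line(l) for l in text.splitlines()) if f]


def is_non_actionable(path: str) -> bool:
    return path.lower().startswith(NON_ACTIONABLE_PREFIXES)


def triage(text: str) -> Dict[str, object]:
    """Group findings into files to remove ("actionable"), hits handled by
    other means ("deferred"), and objects the scanner could not open."""
    actionable: Dict[str, set] = {}
    deferred: Dict[str, set] = {}
    locked: List[str] = []
    for f in parse_report(text):
        if f.status == "locked":
            locked.append(f.container)
            continue
        bucket = deferred if is_non_actionable(f.container) else actionable
        names = bucket.setdefault(f.container, set())
        if f.name:
            names.add(f.name)
    return {
        "actionable": {k: sorted(v) for k, v in actionable.items()},
        "deferred": {k: sorted(v) for k, v in deferred.items()},
        "locked": locked,
    }


# Constructed sample: a subset of the report lines posted in this thread.
SAMPLE_REPORT = r"""
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Program Files\ESET\infected\MKAUEUDA.NQF/data0002 Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\Program Files\ESET\infected\MKAUEUDA.NQF NSIS: infected - 4 skipped
C:\System Volume Information\_restore{44A4B43F-BF79-4C22-8F5F-38D07C8D6912}\RP655\A0249296.DLL Infected: not-a-virus:Monitor.Win32.KeyLogger.o skipped
C:\WINDOWS\srvdvzbzpa.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.ep skipped
C:\WINDOWS\srvdvzbzpa.exe NSIS: infected - 1 skipped
C:\WINDOWS\srvwbcqnnp.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\WINDOWS\srvwbcqnnp.exe/stream Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\WINDOWS\srvwbcqnnp.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\KMON.OCX Infected: not-a-virus:Monitor.Win32.KeyLogger.o skipped

Scan process completed.
"""

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_REPORT).items():
        print(bucket)
        for item in (items if isinstance(items, list) else items.items()):
            print("  ", item)
```

Run on the sample, the "actionable" bucket is exactly the three on-disk files (two `srv*.exe` droppers under C:\WINDOWS and KMON.OCX); the quarantine and restore-point hits land in "deferred" because they are dealt with by the anti-virus product and by purging System Restore, and the locked registry hives are listed separately so nobody mistakes "skipped" for "clean".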

#8 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:05:39 PM

Posted 23 April 2008 - 04:07 PM

Good work, we're on the finishing straight now.. :thumbsup:

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\srvdvzbzpa.exe
C:\WINDOWS\srvwbcqnnp.exe
C:\WINDOWS\system32\KMON.OCX


Open 'File' in the Killbox menu on top and choose Paste from clipboard.
You must use the File menu; pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click "yes".
Click OK at any Pending File Rename Operations prompt, and let me know if they appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Please then delete this folder:
C:\!KillBox

We need to purge your infected system restore points.
On the Desktop, right-click My Computer, then click Properties.
Click the System Restore tab near the top of the window.
Check Turn off System Restore, click Apply, and then click OK.
More information on how to disable your system restore can be found here.

We want to create a new, clean restore point. Please first reboot your computer.
On the Desktop, right-click My Computer, then click Properties.
Click the System Restore tab near the top of the window.
Uncheck "Turn off System Restore", click Apply, and then click OK.

Click Start > All Programs > Accessories > System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point - Something like "After trojan/spyware cleanup".
Click Create, and after it has created the restore point, click "Close".
Further instructions on creating a restore point can be found here.

Please reboot a final time and let me know how the PC is running.
I see a clean HijackThis log now!
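The verdict "clean log" above comes from reading every R/O entry of the HijackThis log in the previous post by hand. As an added example (not a HijackThis feature and not code from this thread), here is a Python first pass that does the mechanical part of that reading: it extracts R1 proxy settings, O2 BHOs, O4 autoruns and O23 services, and flags the patterns a helper checks first. The sample log is a constructed subset of the log posted above plus one made-up autorun line (the `updchk` entry under a Temp folder) added to exercise the location rule; `EXPECTED_DIRS` and the flag names are my own assumptions. A flag is a prompt to look closer, not a verdict: the sample flags a leftover AVG service whose binary is gone and a proxy on 127.0.0.1, both of which can be perfectly legitimate.

```python
"""Mechanical first pass over a HijackThis 2.0 log (added example, see lead-in)."""
import re
from typing import Dict, List

# Directories where autostart binaries normally live on a Windows XP box.
# Constructed list for this example; tune it to the machine being reviewed.
EXPECTED_DIRS = (r"c:\windows", r"c:\program files", r"c:\progra~1")

R1_PROXY_RE = re.compile(r"^R1 - HK(?:CU|LM)\\.*Internet Settings,ProxyServer = (?P<proxy>\S+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def binary_path(cmd: str) -> str:
    """Pull the executable out of an O4 command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    return cmd[: m.end()] if m else cmd.split()[0]


def outside_expected_dirs(path: str) -> bool:
    """True for an absolute path that is not under a usual program directory.
    Bare names (no backslash) resolve via the system PATH and are not judged here."""
    p = path.strip().lower()
    if "\\" not in p:
        return False
    return not p.startswith(EXPECTED_DIRS)


def review(log_text: str) -> List[Dict[str, str]]:
    """Return one flag per suspicious pattern, in log order."""
    flags: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := R1_PROXY_RE.match(line):
            host = m.group("proxy").split(":")[0].lower()
            if host in ("127.0.0.1", "localhost"):
                # A local proxy means some program on the box sees all browser
                # traffic; confirm which one is listening on that port.
                flags.append({"kind": "local-proxy", "detail": m.group("proxy"), "line": line})
        elif m := O2_RE.match(line):
            if outside_expected_dirs(m.group("path")):
                flags.append({"kind": "unusual-location", "detail": m.group("path"), "line": line})
        elif m := O4_RE.match(line):
            path = binary_path(m.group("cmd"))
            if outside_expected_dirs(path):
                flags.append({"kind": "unusual-location", "detail": path, "line": line})
        elif m := O23_RE.match(line):
            if m.group("missing"):
                # Orphaned service entry: harmless clutter or a removed payload.
                flags.append({"kind": "file-missing", "detail": m.group("path"), "line": line})
            if m.group("owner") == "Unknown owner":
                flags.append({"kind": "unknown-owner", "detail": m.group("name"), "line": line})
    return flags


def kind_counts(log_text: str) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in review(log_text):
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


# Constructed sample: lines from the log in this thread plus one made-up
# autorun ("updchk") placed under a Temp folder to exercise the location rule.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updchk] C:\Documents and Settings\user\Local Settings\Temp\updchk.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

if __name__ == "__main__":
    for flag in review(SAMPLE_LOG):
        print(f"[{flag['kind']}] {flag['detail']}\n    {flag['line']}")
```

The location rule deliberately ignores bare names such as `RUNDLL32.EXE` or `RTHDCPL.EXE`: those resolve through the system PATH, which is a separate question from whether an autorun binary sits somewhere unusual, and treating them as findings would bury the real ones in noise.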

#9 G-Hots

G-Hots
  • Topic Starter

  • Members
  • 6 posts
  • Gender:Male
  • Location:United States
  • Local time:12:39 PM

Posted 23 April 2008 - 05:54 PM

David, you, my friend, are a genius. :thumbsup: :blink: With your help I can use my computer without struggling. :wacko:
Your help saved me a lot of money, as I don't need to buy a new computer. So I'll be very happy if you will accept the gift I sent you on PayPal. Thank you very much again.

And if you ever need a website or webspace, just e-mail me at abiniz1@gmail.com and I will be happy to help you, my friend.
Thanks a lot.

#10 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:05:39 PM

Posted 25 April 2008 - 05:06 AM

Glad I could help! :thumbsup:
Thanks very much for the kind donation..

The latest log is looking clean!
Follow this list and your potential for being infected again will be reduced dramatically.

Use Anti-Virus Software -
* It is very important that your computer has anti-virus software running on your machine.
* This alone can save you a lot of trouble with malware in the future. This link has listings of stand-alone anti-virus programs:
* Click here for more information on -> Computer Safety On line - Anti-Virus
* I would recommend Grisoft's AVG or AVAST.
* These are the more secure and better ones.

Update your Anti-Virus Software - It is imperative that you update your anti-virus software at least once a week (even more if you wish). If you do not update your anti-virus software, then it will not be able to catch any of the new variants that may come out.

Use a Firewall -
* I cannot stress how important it is that you use a Firewall on your computer.
* Without a firewall your computer is susceptible to being hacked and taken over.
* Simply using a Firewall in its default configuration can lower your risk greatly.
* For an article on Firewalls and a listing of some available ones see the link below:
* Click here for more information on -> Computer Safety On line - Software Firewalls
* I would recommend ZoneAlarm as a firewall as it's easy to use.

Visit Microsoft's Windows Update Site Frequently -
* It is important that you visit http://www.windowsupdate.com regularly.
* This will ensure your computer has always the latest security updates available installed on your computer.
* If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly

Install Spybot© - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
* This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.
* You should also scan your computer with the program on a regular basis, just as you would with anti-virus software.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Lavasoft's© Ad-Aware - Install and download Ad-Aware.
* You should also scan your computer with the program on a regular basis, just as you would with anti-virus software, in conjunction with Spybot.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Javacool's© SpywareBlaster -
* SpywareBlaster will add a large list of programs and sites to your Internet Explorer and Firefox settings, which will protect you from running and downloading known malicious programs.
* An article on anti-malware products with links for this program and others can be found here:
* Click here for more info -->Computer Safety on line - Anti-Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.

If you have any additional questions, just ask...
David



