
e-mail virus?


  • This topic is locked
15 replies to this topic

#1 a12th99

a12th99

  • Members
  • 17 posts

Posted 29 December 2008 - 05:20 PM

Hi,

Here's a copy of my initial post:
QUOTE
I hope you can help.
My system is a Sony desktop with Windows XP, IE7 & Thunderbird version 2.0.0.18.
Problem:
I receive much e-mail which seems to come from myself. It is from variations of myname@mydomainname. I also get notices that mail--which I have not sent--has been undelivered.
When I run an AVG scan, several entries appear as "Locked file. Not tested." or "Password protected. Potentially dangerous." or "Contains macros. Potentially dangerous."
UNQUOTE

I've been referred here by "rigel" who has been helping me at this link on the Am I infected? What do I do? forum:
http://www.bleepingcomputer.com/forums/ind...p;#entry1059090
Thank you,
a12th99



DDS (Version 1.1.0) - NTFSx86
Run by alvin at 21:54:36.46 on 29/12/2008
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.493 [GMT 0:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
FW: AVG Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Utimaco\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Tech\Wheel Mouse\5.3\MOUSE32A.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sony\sonicstage mastering studio\audio filter\SSMSFilter.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Orange\Internet Orange Synchronisation\Voxsync.exe
C:\Orange\Orangeconnectionkit\atdialler1.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Sony\Internet Explorer Remote Control Extension\tfphrase.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Sony\Click to DVD 2\ctdatsvr.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\DigiGuide TV Guide\digiguide.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Documents and Settings\alvin\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.orange.co.uk/
uWindow Title = Microsoft Internet Explorer provided by Wanadoo
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RemoconExt Class: {1094df41-c1e3-4957-b20d-585d0fa7683d} - c:\program files\sony\internet explorer remote control extension\tfassist.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Orange: {4e7bd74f-2b8d-469e-a6fb-f862b587b57d} - c:\progra~1\orange4\orange4.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.1.615.5858\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Liquid Surf for VAIO TV Entertainment: {ec5bb10a-fda1-41d6-8ce4-c00c1e5dc464} - c:\program files\portrait displays\liquid surf for vaio tv entertainment\sybil.dll
TB: Wanadoo: {8b68564d-53fd-4293-b80c-993a9f3988ee} - c:\windows\system32\WSBar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: Orange: {4e7bd74f-2b8d-469e-a6fb-f862b587b57d} - c:\progra~1\orange4\orange4.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [Launcher] c:\program files\wanadoo\setup\Check.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
mRun: [PDService.exe] c:\program files\utimaco\safeguard privatedisk\pdservice.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SDTray] "c:\program files\spyware doctor\SDTrayApp.exe"
mRun: [EEventManager] c:\program files\epson\creativity suite\event manager\EEventManager.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [LWBMOUSE] c:\program files\tech\wheel mouse\5.3\MOUSE32A.EXE
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alvin\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alvin\startm~1\programs\startup\adobem~1.lnk - c:\program files\adobe media player\Adobe Media Player.exe
StartupFolder: c:\docume~1\alvin\startm~1\programs\startup\clickt~1.lnk - c:\program files\sony\click to dvd 2\ctdatsvr.exe
StartupFolder: c:\docume~1\alvin\startm~1\programs\startup\digigu~1.lnk - c:\program files\digiguide tv guide\Client.exe
StartupFolder: c:\docume~1\alvin\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alvin\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aticat~1.lnk - c:\program files\ati technologies\ati.ace\CLI.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audiof~1.lnk - c:\program files\sony\sonicstage mastering studio\audio filter\SSMSFilter.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\intern~1.lnk - c:\program files\sony\internet explorer remote control extension\tfcmd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\intern~2.lnk - c:\program files\orange\internet orange synchronisation\Voxsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\orange~1.lnk - c:\orange\orangeconnectionkit\atdialler1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vaioac~1.lnk - c:\program files\sony\vaio action setup\VAServ.exe
IE: Add RSS Support Site to VAIO Information FLOW - c:\program files\sony\vaio information flow\aiesc.html
IE: E&xport to Microsoft Excel
IE: orange search - file://c:\program files\orange4\cache\SelectedContextSearch.htm
IE: Search with Wanadoo - c:\windows\system32\WSBar.dll/VSearch.htm
IE: Transfer by Image Converter 2 Plus - c:\program files\sony\image converter 2\menu.htm
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e51cb8e2-7679-4277-b8fc-7e4e857abfd0} - {1094DF41-C1E3-4957-B20D-585D0FA7683D} - c:\program files\sony\internet explorer remote control extension\tfassist.dll
Trusted Zone: adobe.com\eurostore
Trusted Zone: adobe.com\istore
Trusted Zone: club-vaio.com\www
Trusted Zone: hotmail.com\www
Trusted Zone: moodlogic.com\www
Trusted Zone: sony-europe.com
Trusted Zone: sony-europe.com\www.club-vaio
Trusted Zone: sony-europe.com\www.vaio
Trusted Zone: sonystyle-europe.com
Trusted Zone: sonystyle-europe.com\shop
Trusted Zone: sonystyle-europe.com\www
Trusted Zone: symantecstore.com\www
Trusted Zone: tvtv.co.uk\www
Trusted Zone: tvtv.de\www
Trusted Zone: tvtv.es\www
Trusted Zone: tvtv.fr\www
Trusted Zone: tvtv.it\www
Trusted Zone: tvtv.nl\www
Trusted Zone: utimaco.com\www
Trusted Zone: vaio-link.com
Trusted Zone: yahoo.com\*.personals
Trusted Zone: yahoo.com\*.rd
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: VESWinlogon - VESWinlogon.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = :\windows\syste

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-12-23 12552]
R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2007-8-17 40264]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-23 324872]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-23 27656]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-23 107272]
R1 IkSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2007-8-17 57672]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2007-8-17 82248]
R1 PrivateDisk;PrivateDisk;c:\windows\system32\drivers\PrivateDiskM.sys [2004-7-6 45627]
R1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\SASDIFSV.SYS [2008-12-4 8944]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\SASKUTIL.sys [2008-12-4 55024]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-7-7 611664]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-12-23 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-23 298264]
R2 avgfws8;AVG8 Firewall;c:\progra~1\avg\avg8\avgfws8.exe [2008-12-23 1339600]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB []
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\svcntaux.exe [2007-8-17 729416]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\swdsvc.exe [2007-8-17 1407816]
R3 AVerA16B;AVerA16B service;c:\windows\system32\drivers\AVerA16B.sys [2005-12-19 837888]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2008-12-23 29208]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2008-12-23 29208]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;"c:\program files\google\google desktop search\GoogleDesktop.exe" [2008-12-27 29744]
S3 SASENUM;SASENUM;\??\c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB []
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [2006-10-2 15576]
S3 yeddef;YEDDEF driver;c:\windows\system32\drivers\yeddef.sys []

=============== Created Last 30 ================

2008-12-28 02:24 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-25 23:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-12-25 23:56 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-25 23:56 <DIR> --d----- c:\docume~1\alvin\applic~1\SUPERAntiSpyware.com
2008-12-24 21:20 <DIR> --d----- C:\fsaua.data
2008-12-23 04:53 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2008-12-23 04:53 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-12-23 04:53 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2008-12-23 04:53 324,872 a------- c:\windows\system32\drivers\avgldx86.sys
2008-12-23 04:53 <DIR> --d----- c:\windows\system32\drivers\Avg
2008-12-23 04:53 <DIR> --d----- c:\docume~1\alvin\applic~1\AVGTOOLBAR
2008-12-23 04:52 50,968 a------- c:\windows\system32\avgfwdx.dll
2008-12-23 04:52 29,208 a------- c:\windows\system32\drivers\avgfwdx.sys
2008-12-23 03:41 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-23 03:41 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-23 03:41 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2008-12-29 04:44 5,058 a------- c:\windows\help\hhcolreg.dat
2008-10-23 12:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-03 10:02 247,326 a------- c:\windows\system32\strmdll.dll
2007-03-11 18:09 3,094 a------- c:\docume~1\alvin\applic~1\wklnhst.dat
2006-10-14 19:44 774,144 a------- c:\program files\RngInterstitial.dll
2008-06-10 02:32 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008061020080611\index.dat

============= FINISH: 21:55:47.93 ===============


#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 09 January 2009 - 06:05 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

This may seem repetitive, but we need to see the current status of your system.
Please Hold on it may take us a day or so to get back with you.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 a12th99

a12th99
  • Topic Starter

  • Members
  • 17 posts

Posted 09 January 2009 - 09:41 PM

Hi KoanYorel,

Thank you for your helpful reply. Here are the logs:


DDS (Ver_09-01-07.01) - NTFSx86
Run by alvin at 1:36:14.06 on 10/01/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.359 [GMT 0:00]

AV: AVG Internet Security *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
FW: AVG Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Utimaco\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Tech\Wheel Mouse\5.3\MOUSE32A.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sony\sonicstage mastering studio\audio filter\SSMSFilter.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Sony\Internet Explorer Remote Control Extension\tfphrase.exe
C:\Program Files\Orange\Internet Orange Synchronisation\Voxsync.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Orange\Orangeconnectionkit\atdialler1.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Sony\Click to DVD 2\ctdatsvr.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\DigiGuide TV Guide\digiguide.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG8\aAvgApi.exe
C:\WINDOWS\system32\Adobe\Director\SwDnld.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\alvin\Desktop\dds.com
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.orange.co.uk/
uWindow Title = Microsoft Internet Explorer provided by Wanadoo
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RemoconExt Class: {1094df41-c1e3-4957-b20d-585d0fa7683d} - c:\program files\sony\internet explorer remote control extension\tfassist.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Orange: {4e7bd74f-2b8d-469e-a6fb-f862b587b57d} - c:\progra~1\orange4\orange4.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.1.615.5858\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Liquid Surf for VAIO TV Entertainment: {ec5bb10a-fda1-41d6-8ce4-c00c1e5dc464} - c:\program files\portrait displays\liquid surf for vaio tv entertainment\sybil.dll
TB: Wanadoo: {8b68564d-53fd-4293-b80c-993a9f3988ee} - c:\windows\system32\WSBar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: Orange: {4e7bd74f-2b8d-469e-a6fb-f862b587b57d} - c:\progra~1\orange4\orange4.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [Launcher] c:\program files\wanadoo\setup\Check.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
mRun: [PDService.exe] c:\program files\utimaco\safeguard privatedisk\pdservice.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SDTray] "c:\program files\spyware doctor\SDTrayApp.exe"
mRun: [EEventManager] c:\program files\epson\creativity suite\event manager\EEventManager.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [LWBMOUSE] c:\program files\tech\wheel mouse\5.3\MOUSE32A.EXE
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alvin\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alvin\startm~1\programs\startup\adobem~1.lnk - c:\program files\adobe media player\Adobe Media Player.exe
StartupFolder: c:\docume~1\alvin\startm~1\programs\startup\clickt~1.lnk - c:\program files\sony\click to dvd 2\ctdatsvr.exe
StartupFolder: c:\docume~1\alvin\startm~1\programs\startup\digigu~1.lnk - c:\program files\digiguide tv guide\Client.exe
StartupFolder: c:\docume~1\alvin\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alvin\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aticat~1.lnk - c:\program files\ati technologies\ati.ace\CLI.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audiof~1.lnk - c:\program files\sony\sonicstage mastering studio\audio filter\SSMSFilter.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\intern~1.lnk - c:\program files\sony\internet explorer remote control extension\tfcmd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\intern~2.lnk - c:\program files\orange\internet orange synchronisation\Voxsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\orange~1.lnk - c:\orange\orangeconnectionkit\atdialler1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vaioac~1.lnk - c:\program files\sony\vaio action setup\VAServ.exe
IE: Add RSS Support Site to VAIO Information FLOW - c:\program files\sony\vaio information flow\aiesc.html
IE: E&xport to Microsoft Excel
IE: orange search - file://c:\program files\orange4\cache\SelectedContextSearch.htm
IE: Search with Wanadoo - c:\windows\system32\WSBar.dll/VSearch.htm
IE: Transfer by Image Converter 2 Plus - c:\program files\sony\image converter 2\menu.htm
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {e51cb8e2-7679-4277-b8fc-7e4e857abfd0} - {1094DF41-C1E3-4957-B20D-585D0FA7683D} - c:\program files\sony\internet explorer remote control extension\tfassist.dll
Trusted Zone: adobe.com\eurostore
Trusted Zone: adobe.com\istore
Trusted Zone: club-vaio.com\www
Trusted Zone: hotmail.com\www
Trusted Zone: moodlogic.com\www
Trusted Zone: sony-europe.com
Trusted Zone: sony-europe.com\www.club-vaio
Trusted Zone: sony-europe.com\www.vaio
Trusted Zone: sonystyle-europe.com
Trusted Zone: sonystyle-europe.com\shop
Trusted Zone: sonystyle-europe.com\www
Trusted Zone: symantecstore.com\www
Trusted Zone: tvtv.co.uk\www
Trusted Zone: tvtv.de\www
Trusted Zone: tvtv.es\www
Trusted Zone: tvtv.fr\www
Trusted Zone: tvtv.it\www
Trusted Zone: tvtv.nl\www
Trusted Zone: utimaco.com\www
Trusted Zone: vaio-link.com
Trusted Zone: yahoo.com\*.personals
Trusted Zone: yahoo.com\*.rd
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: VESWinlogon - VESWinlogon.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = :\windows\syste

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-12-23 12552]
R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2007-8-17 40264]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-23 324872]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-23 27656]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-23 107272]
R1 IkSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2007-8-17 57672]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2007-8-17 82248]
R1 PrivateDisk;PrivateDisk;c:\windows\system32\drivers\privatediskm.sys [2004-7-6 45627]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-4 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-4 55024]
R3 AVerA16B;AVerA16B service;c:\windows\system32\drivers\AVerA16B.sys [2005-12-19 837888]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2008-12-23 29208]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-12-23 903960]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-23 298264]
R4 avgfws8;AVG8 Firewall;c:\progra~1\avg\avg8\avgfws8.exe [2008-12-23 1339600]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R4 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]
R4 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\svcntaux.exe [2007-8-17 729416]
R4 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\swdsvc.exe [2007-8-17 1407816]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2008-12-23 29208]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-12-27 29744]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [2006-10-2 15576]
S3 yeddef;YEDDEF driver;c:\windows\system32\drivers\yeddef.sys --> c:\windows\system32\drivers\yeddef.sys [?]

=============== Created Last 30 ================

2008-12-28 02:24 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-25 23:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-12-25 23:56 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-25 23:56 <DIR> --d----- c:\docume~1\alvin\applic~1\SUPERAntiSpyware.com
2008-12-24 21:20 <DIR> --d----- C:\fsaua.data
2008-12-23 04:53 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2008-12-23 04:53 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-12-23 04:53 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2008-12-23 04:53 324,872 a------- c:\windows\system32\drivers\avgldx86.sys
2008-12-23 04:53 <DIR> --d----- c:\windows\system32\drivers\Avg
2008-12-23 04:53 <DIR> --d----- c:\docume~1\alvin\applic~1\AVGTOOLBAR
2008-12-23 04:52 50,968 a------- c:\windows\system32\avgfwdx.dll
2008-12-23 04:52 29,208 a------- c:\windows\system32\drivers\avgfwdx.sys
2008-12-23 03:41 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-23 03:41 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-23 03:41 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2008-12-29 04:44 5,058 a------- c:\windows\help\hhcolreg.dat
2008-10-23 12:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2007-03-11 18:09 3,094 a------- c:\docume~1\alvin\applic~1\wklnhst.dat
2006-10-14 19:44 774,144 a------- c:\program files\RngInterstitial.dll
2008-06-10 02:32 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008061020080611\index.dat

============= FINISH: 1:37:17.33 ===============

#4 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
Posted 11 January 2009 - 10:21 PM

Hello, a12th99
:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the Posted Image button in the lower left hand corner of your screen.
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

In your next reply, please include the following:
  • ComboFix.txt

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#5 a12th99

  • Topic Starter
  • Members
  • 17 posts

Posted 12 January 2009 - 07:23 AM

Hi Billy,

Thanks for your clear instructions.
  • When I closed IE after downloading but before running ComboFix.exe I got the attached box. The numbers changed each time I clicked on it & eventually it disappeared. Is this significant?
  • In addition to AVG Internet Security, I am running Spybot & Spyware Doctor. I also have Spyware Blaster de-activated. Should I update and activate Spyware Blaster to run alongside the other three?
Thanks again. Here is the log:

ComboFix 09-01-11.02 - alvin 2009-01-12 11:23:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.309 [GMT 0:00]
Running from: c:\documents and settings\alvin\Desktop\ComboFix.exe
AV: AVG Internet Security *On-access scanning disabled* (Updated)
FW: AVG Firewall *disabled*
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\_005117_.tmp.dll
c:\windows\system32\_005118_.tmp.dll
c:\windows\system32\_005119_.tmp.dll
c:\windows\system32\_005120_.tmp.dll
c:\windows\system32\_005131_.tmp.dll
c:\windows\system32\_005133_.tmp.dll
c:\windows\system32\_005134_.tmp.dll
c:\windows\system32\_005136_.tmp.dll
c:\windows\system32\_005137_.tmp.dll
c:\windows\system32\_005140_.tmp.dll
c:\windows\system32\_005141_.tmp.dll
c:\windows\system32\_005143_.tmp.dll
c:\windows\system32\_005144_.tmp.dll
c:\windows\system32\_005145_.tmp.dll
c:\windows\system32\_005146_.tmp.dll
c:\windows\system32\_005147_.tmp.dll
c:\windows\system32\_005150_.tmp.dll
c:\windows\system32\_005151_.tmp.dll
c:\windows\system32\_005155_.tmp.dll
c:\windows\system32\_005156_.tmp.dll
c:\windows\system32\_005158_.tmp.dll
c:\windows\system32\_005161_.tmp.dll
c:\windows\system32\_005163_.tmp.dll
c:\windows\system32\_005165_.tmp.dll
c:\windows\system32\_005166_.tmp.dll
c:\windows\system32\_005167_.tmp.dll
c:\windows\system32\_005170_.tmp.dll
c:\windows\system32\_005171_.tmp.dll
c:\windows\system32\_005172_.tmp.dll
c:\windows\system32\_005173_.tmp.dll
c:\windows\system32\_005174_.tmp.dll
c:\windows\system32\_005179_.tmp.dll
c:\windows\system32\_005181_.tmp.dll
c:\windows\system32\_005182_.tmp.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_AVG


((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
.

2008-12-28 02:24 . 2008-12-28 02:24 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-25 23:56 . 2008-12-25 23:56 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-25 23:56 . 2008-12-25 23:56 <DIR> d-------- c:\documents and settings\alvin\Application Data\SUPERAntiSpyware.com
2008-12-25 23:56 . 2008-12-25 23:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-24 21:20 . 2008-12-24 21:20 <DIR> d-------- C:\fsaua.data
2008-12-23 04:53 . 2009-01-12 11:29 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-23 04:53 . 2008-12-24 01:39 <DIR> d-------- c:\documents and settings\alvin\Application Data\AVGTOOLBAR
2008-12-23 04:53 . 2008-12-23 04:53 324,872 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-23 04:53 . 2008-12-23 04:53 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-23 04:53 . 2008-12-23 04:53 12,552 --a------ c:\windows\system32\drivers\avgrkx86.sys
2008-12-23 04:53 . 2008-12-23 04:53 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-23 04:52 . 2008-12-23 04:52 50,968 --a------ c:\windows\system32\avgfwdx.dll
2008-12-23 04:52 . 2008-12-23 04:52 29,208 --a------ c:\windows\system32\drivers\avgfwdx.sys
2008-12-23 03:41 . 2008-12-23 03:42 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-23 03:41 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-23 03:41 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-12 11:30 --------- d-----w c:\documents and settings\alvin\Application Data\OpenOffice.org2
2009-01-12 11:21 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-12 10:24 --------- d-----w c:\program files\Mozilla Thunderbird
2009-01-12 03:33 --------- d-----w c:\documents and settings\alvin\Application Data\Simple Sudoku
2009-01-11 18:45 --------- d-----w c:\program files\DigiGuide TV Guide
2008-12-28 02:24 --------- d-----w c:\program files\Java
2008-12-27 17:45 --------- d-----w c:\program files\Google
2008-12-25 23:55 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-23 04:52 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-17 16:26 --------- d-----w c:\program files\Zinio
2008-12-17 16:26 --------- d-----w c:\program files\Common Files\Zinio
2008-12-16 20:23 --------- d-----w c:\documents and settings\alvin\Application Data\ContentGuard
2008-11-28 21:15 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2008-11-28 21:07 --------- d-----w c:\documents and settings\All Users\Application Data\Channel4
2007-03-11 18:09 3,094 ----a-w c:\documents and settings\alvin\Application Data\wklnhst.dat
2006-10-14 19:44 774,144 ----a-w c:\program files\RngInterstitial.dll
2008-06-10 02:32 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008061020080611\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\program files\Wanadoo\Setup\Check.exe" [2005-07-19 126427]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-10 61440]
"PDService.exe"="c:\program files\Utimaco\SafeGuard PrivateDisk\pdservice.exe" [2004-07-06 40960]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2005-03-03 483328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2006-10-23 40048]
"SDTray"="c:\program files\Spyware Doctor\SDTrayApp.exe" [2007-08-14 1063752]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2005-04-08 102400]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-28 136600]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-17 185896]
"LWBMOUSE"="c:\program files\Tech\Wheel Mouse\5.3\MOUSE32A.EXE" [2002-05-24 357376]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-23 1601304]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-12-28 29744]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\alvin\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2008-01-09 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2007-05-10 738968]
ATI CATALYST System Tray.lnk - c:\program files\ATI Technologies\ATI.ACE\CLI.exe [2005-08-10 61440]
Audio Filter.lnk - c:\program files\Sony\sonicstage mastering studio\audio filter\SSMSFilter.exe [2005-12-21 5649408]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-06-09 471040]
Internet Explorer Remote Control Extension.lnk - c:\program files\Sony\Internet Explorer Remote Control Extension\tfcmd.exe [2005-12-20 81920]
Internet Orange Synchronisation.lnk - c:\program files\Orange\Internet Orange Synchronisation\Voxsync.exe [2007-11-03 622592]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]
Orange Connection Kit.lnk - c:\orange\Orangeconnectionkit\atdialler1.exe [2006-09-10 364544]
VAIO Action Setup (Server).lnk - c:\program files\Sony\VAIO Action Setup\VAServ.exe [2005-12-20 98304]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2008-12-23 04:53 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-20 17:42 73728 c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= c:\progra~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-12-23 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-23 324872]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-23 107272]
R1 PrivateDisk;PrivateDisk;c:\windows\system32\drivers\privatediskm.sys [2004-07-06 45627]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-04 55024]
R3 AVerA16B;AVerA16B service;c:\windows\system32\drivers\AVerA16B.sys [2005-12-19 837888]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2008-12-23 29208]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-23 903960]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-23 298264]
R4 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [2008-12-23 1339600]
R4 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
R4 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe [2007-08-17 729416]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2008-12-23 29208]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-12-27 29744]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [2006-10-02 15576]
S3 yeddef;YEDDEF driver;c:\windows\system32\Drivers\yeddef.sys --> c:\windows\system32\Drivers\yeddef.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2009-01-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2009-01-11 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe []

2009-01-12 c:\windows\Tasks\User_Feed_Synchronization-{020D8529-C620-4F98-9AE9-DC4EE5A46B75}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.orange.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add RSS Support Site to VAIO Information FLOW - c:\program files\Sony\VAIO Information FLOW\aiesc.html
IE: E&xport to Microsoft Excel
IE: orange search - file://c:\program files\ORANGE4\Cache\SelectedContextSearch.htm
IE: Search with Wanadoo - c:\windows\system32\WSBar.dll/VSearch.htm
IE: Transfer by Image Converter 2 Plus - c:\program files\Sony\Image Converter 2\menu.htm
Trusted Zone: eurostore.adobe.com
Trusted Zone: istore.adobe.com
Trusted Zone: www.club-vaio.com
Trusted Zone: www.hotmail.com
Trusted Zone: www.moodlogic.com
Trusted Zone: *.sony-europe.com
Trusted Zone: www.club-vaio.sony-europe.com
Trusted Zone: www.vaio.sony-europe.com
Trusted Zone: *.sonystyle-europe.com
Trusted Zone: shop.sonystyle-europe.com
Trusted Zone: www.sonystyle-europe.com
Trusted Zone: www.symantecstore.com
Trusted Zone: www.tvtv.co.uk
Trusted Zone: www.tvtv.de
Trusted Zone: www.tvtv.es
Trusted Zone: www.tvtv.fr
Trusted Zone: www.tvtv.it
Trusted Zone: www.tvtv.nl
Trusted Zone: www.utimaco.com
Trusted Zone: *.vaio-link.com
Trusted Zone: *.personals.yahoo.com
Trusted Zone: *.rd.yahoo.com

c:\windows\Downloaded Program Files\ewidoOnlineScan.dll - O16 -: {193C772A-87BE-4B19-A7BB-445B226FE9A1}
hxxp://downloads.ewido.net/ewidoOnlineScan.cab

c:\windows\system32\atl.dll - c:\windows\Downloaded Program Files\VoxsyncX.dll
O16 -: {3E82BB3F-ABE4-458D-9281-0187286A4E51}
hxxp://web.contacts.orange.co.uk/wuk_webab/VoxsyncX.cab
c:\windows\Downloaded Program Files\VoxsyncX.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-12 11:31:22
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1120)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\VESWinlogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Sony\Internet Explorer Remote Control Extension\tfphrase.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
c:\program files\Sony\Click to DVD 2\ctdatsvr.exe
c:\program files\OpenOffice.org 2.3\program\soffice.exe
c:\program files\OpenOffice.org 2.3\program\soffice.bin
c:\program files\DigiGuide TV Guide\DigiGuide.exe
c:\program files\Spyware Doctor\swdsvc.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2009-01-12 11:37:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-12 11:37:46

Pre-Run: 88,181,432,320 bytes free
Post-Run: 88,131,530,752 bytes free

288 --- E O F --- 2008-12-19 00:30:49

#6 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 12 January 2009 - 05:52 PM

Hello, a12th99
We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    EXTRA::
    driver::
    yeddef
    file::
    c:\windows\system32\WSBar.dll
    folder::
    c:\program files\ORANGE
    DDS::
    IE: Search with Wanadoo - c:\windows\system32\WSBar.dll/VSearch.htm
    IE: orange search - file://c:\program files\ORANGE4\Cache\SelectedContextSearch.htm
    Trusted Zone: eurostore.adobe.com
    Trusted Zone: istore.adobe.com
    Trusted Zone: www.club-vaio.com
    Trusted Zone: www.hotmail.com
    Trusted Zone: www.moodlogic.com
    Trusted Zone: *.sony-europe.com
    Trusted Zone: www.club-vaio.sony-europe.com
    Trusted Zone: www.vaio.sony-europe.com
    Trusted Zone: *.sonystyle-europe.com
    Trusted Zone: shop.sonystyle-europe.com
    Trusted Zone: www.sonystyle-europe.com
    Trusted Zone: www.symantecstore.com
    Trusted Zone: www.tvtv.co.uk
    Trusted Zone: www.tvtv.de
    Trusted Zone: www.tvtv.es
    Trusted Zone: www.tvtv.fr
    Trusted Zone: www.tvtv.it
    Trusted Zone: www.tvtv.nl
    Trusted Zone: www.utimaco.com
    Trusted Zone: *.vaio-link.com
    Trusted Zone: *.personals.yahoo.com
    Trusted Zone: *.rd.yahoo.com
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

BillyIII
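The DDS log at the top of this thread and the ComboFix logs in posts #5 and #7 share one line format, and the items Billy acted on in his CFScript are all visible in it: a driver entry (yeddef) whose file the tool could not verify (the trailing "[?]"), a long list of Trusted Zone entries including wildcard ones such as *.sony-europe.com and *.rd.yahoo.com, and a Windows Firewall standard profile with EnableFirewall set to 0. The triage script below is an added example, not part of this thread and not code from the DDS or ComboFix tools; it parses a handful of sample lines constructed from the logs quoted above and flags those three kinds of entry. The format assumptions (semicolon-separated service fields, the "[?]" convention, the DDS "domain\host" Trusted Zone form versus ComboFix's "host.domain" form) are inferred only from the lines on this page.

```python
"""Triage helper for DDS / ComboFix-style logs (added example, not part of the
thread or of the tools themselves).

Flags:
  * service/driver lines whose file the log tool could not verify ("[?]"),
  * Trusted Zone entries, marking whole-domain wildcards separately,
  * a Windows Firewall profile explicitly switched off (EnableFirewall = 0).
"""
import re
from dataclasses import dataclass

# "R0 Name;Display;path [date size]" or "... path --> path [?]" (ComboFix form).
_SVC_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<rest>.+?)\s+\[(?P<info>[^\]]*)\]\s*$"
)
_TZ_RE = re.compile(r"^Trusted Zone:\s+(?P<host>\S+)")
_FW_RE = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')

# Constructed sample, copied from the log lines quoted in this thread.
SAMPLE_LOG = [
    r"R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-12-23 12552]",
    r"S3 yeddef;YEDDEF driver;c:\windows\system32\drivers\yeddef.sys --> c:\windows\system32\drivers\yeddef.sys [?]",
    r"R4 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]",
    r"Trusted Zone: *.sony-europe.com",
    r"Trusted Zone: www.hotmail.com",
    r"Trusted Zone: yahoo.com\*.rd",
    r'"EnableFirewall"= 0 (0x0)',
    r"IE: Search with Wanadoo - c:\windows\system32\WSBar.dll/VSearch.htm",
]


@dataclass
class Finding:
    kind: str
    detail: str


def parse_service(line):
    """Return the fields of a service/driver line, or None for any other line."""
    m = _SVC_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    # ComboFix prints "configured --> actual" when the two differ; keep the actual path.
    path = rest.split("-->")[-1].strip()
    # "[?]" means the tool could not stat a file at the printed path. That is
    # true for a missing driver, but also for an image path that carries
    # command-line arguments (the MSSQL$VAIO_VEDB lines), so treat it as
    # "verify by hand", not "malicious".
    return {
        "start": m.group("start"),
        "name": m.group("name"),
        "path": path,
        "file_found": m.group("info") != "?",
    }


def normalize_zone(host):
    """DDS writes 'domain\\host'; ComboFix writes 'host.domain'. Return the latter."""
    if "\\" in host:
        domain, sub = host.split("\\", 1)
        return f"{sub}.{domain}"
    return host


def triage(lines):
    findings = []
    for raw in lines:
        line = raw.strip()
        svc = parse_service(line)
        if svc is not None:
            if not svc["file_found"]:
                findings.append(Finding("path_unverified", f"{svc['name']} -> {svc['path']}"))
            continue
        tz = _TZ_RE.match(line)
        if tz:
            host = normalize_zone(tz.group("host"))
            kind = "trusted_zone_wildcard" if host.startswith("*.") else "trusted_zone"
            findings.append(Finding(kind, host))
            continue
        fw = _FW_RE.match(line)
        if fw and fw.group("val") == "0":
            findings.append(Finding("firewall_disabled", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:22} {f.detail}")
```

Run on the sample, the script reports yeddef and the two SQL Server entries as unverified paths, three Trusted Zone entries (two of them wildcards), and the disabled firewall profile. The SQL Server hits illustrate why a "[?]" is a prompt for a manual check rather than a verdict: sqlservr.exe exists, the tool simply could not resolve a path that has "-sVAIO_VEDB" appended. Wildcard Trusted Zone entries deserve the closest look, because anything served from any host under that domain runs with the Trusted sites security settings in Internet Explorer.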

#7 a12th99

  • Topic Starter
  • Members
  • 17 posts

Posted 12 January 2009 - 08:54 PM

Hi Billy,

Thank you for further instructions. Here is the log:

ComboFix 09-01-11.04 - alvin 2009-01-13 1:30:42.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.396 [GMT 0:00]
Running from: c:\documents and settings\alvin\Desktop\SCAN 211208\ComboFix.exe
Command switches used :: c:\documents and settings\alvin\Desktop\SCAN 211208\CFScript.txt
AV: AVG Internet Security *On-access scanning disabled* (Updated)
FW: AVG Firewall *disabled*
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\WSBar.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\ORANGE
c:\program files\ORANGE\Internet Orange Synchronisation\account.dflt.uib
c:\program files\ORANGE\Internet Orange Synchronisation\addremove.ico
c:\program files\ORANGE\Internet Orange Synchronisation\CoAddressBook.dll
c:\program files\ORANGE\Internet Orange Synchronisation\CoHttp.dll
c:\program files\ORANGE\Internet Orange Synchronisation\common.uib
c:\program files\ORANGE\Internet Orange Synchronisation\DataEncoding.dll
c:\program files\ORANGE\Internet Orange Synchronisation\DbManager.dll
c:\program files\ORANGE\Internet Orange Synchronisation\DbVoxC.dll
c:\program files\ORANGE\Internet Orange Synchronisation\device\VoxMobili.AddressBook.xml
c:\program files\ORANGE\Internet Orange Synchronisation\device\VoxMobili.Outlook8.xml
c:\program files\ORANGE\Internet Orange Synchronisation\device\VoxMobili.Outlook9.xml
c:\program files\ORANGE\Internet Orange Synchronisation\ID.uib
c:\program files\ORANGE\Internet Orange Synchronisation\libexpat.dll
c:\program files\ORANGE\Internet Orange Synchronisation\Log\InstallLogFile.txt
c:\program files\ORANGE\Internet Orange Synchronisation\Log\LogError.txt
c:\program files\ORANGE\Internet Orange Synchronisation\Log\LogStart.txt
c:\program files\ORANGE\Internet Orange Synchronisation\Log\LogUsage.txt
c:\program files\ORANGE\Internet Orange Synchronisation\LogStart.txt
c:\program files\ORANGE\Internet Orange Synchronisation\mapping\0-524828412.0-260496500.SYNC_SRV_MAPPING_ADDRESS
c:\program files\ORANGE\Internet Orange Synchronisation\mapping\0-524828412.0-260496500.SYNC_SRV_MAPPING_ADDRESS.INF
c:\program files\ORANGE\Internet Orange Synchronisation\MappingTxt.dll
c:\program files\ORANGE\Internet Orange Synchronisation\MemoryAdapter.dll
c:\program files\ORANGE\Internet Orange Synchronisation\MessagesEN.txt
c:\program files\ORANGE\Internet Orange Synchronisation\MessagesFR.txt
c:\program files\ORANGE\Internet Orange Synchronisation\RessourcesEN.txt
c:\program files\ORANGE\Internet Orange Synchronisation\RessourcesFR.txt
c:\program files\ORANGE\Internet Orange Synchronisation\SKINS\Vox\AboutImage.bmp
c:\program files\ORANGE\Internet Orange Synchronisation\SKINS\Vox\AboutLogo.bmp
c:\program files\ORANGE\Internet Orange Synchronisation\SKINS\Vox\AnimBackground.bmp
c:\program files\ORANGE\Internet Orange Synchronisation\SKINS\Vox\Database.bmp
c:\program files\ORANGE\Internet Orange Synchronisation\SKINS\Vox\JournalTBLarge.bmp
c:\program files\ORANGE\Internet Orange Synchronisation\SKINS\Vox\Lock.bmp
c:\program files\ORANGE\Internet Orange Synchronisation\SKINS\Vox\MainIcon.ico
c:\program files\ORANGE\Internet Orange Synchronisation\SKINS\Vox\MainTBLarge.bmp
c:\program files\ORANGE\Internet Orange Synchronisation\SKINS\Vox\MainTBLargeGrey.bmp
c:\program files\ORANGE\Internet Orange Synchronisation\SKINS\Vox\MainTBSmall.bmp
c:\program files\ORANGE\Internet Orange Synchronisation\SKINS\Vox\MainTBSmallGrey.bmp
c:\program files\ORANGE\Internet Orange Synchronisation\SKINS\Vox\PimLarge.bmp
c:\program files\ORANGE\Internet Orange Synchronisation\SKINS\Vox\PimSmall.bmp
c:\program files\ORANGE\Internet Orange Synchronisation\SKINS\Vox\Status.bmp
c:\program files\ORANGE\Internet Orange Synchronisation\SKINS\Vox\SyncAnim.bmp
c:\program files\ORANGE\Internet Orange Synchronisation\SKINS\Vox\SyncType.bmp
c:\program files\ORANGE\Internet Orange Synchronisation\SKINS\Vox\TrayAnim.bmp
c:\program files\ORANGE\Internet Orange Synchronisation\SKINS\Vox\TrayIcon.bmp
c:\program files\ORANGE\Internet Orange Synchronisation\SKINS\Vox\UpdateDetailsLogo.bmp
c:\program files\ORANGE\Internet Orange Synchronisation\SKINS\Vox\UpdateMainLogo.bmp
c:\program files\ORANGE\Internet Orange Synchronisation\SyncAdapter.dll
c:\program files\ORANGE\Internet Orange Synchronisation\SyncEngine.dll
c:\program files\ORANGE\Internet Orange Synchronisation\SyncEngineClient.dll
c:\program files\ORANGE\Internet Orange Synchronisation\SyncLauncher.dll
c:\program files\ORANGE\Internet Orange Synchronisation\syncupdate.pub
c:\program files\ORANGE\Internet Orange Synchronisation\ToolkitN.dll
c:\program files\ORANGE\Internet Orange Synchronisation\TptManager.dll
c:\program files\ORANGE\Internet Orange Synchronisation\ui.dflt.uib
c:\program files\ORANGE\Internet Orange Synchronisation\UITools.dll
c:\program files\ORANGE\Internet Orange Synchronisation\uninstall.ico
c:\program files\ORANGE\Internet Orange Synchronisation\UtAddressBook.dll
c:\program files\ORANGE\Internet Orange Synchronisation\UtOutlook9.dll
c:\program files\ORANGE\Internet Orange Synchronisation\Vox40.DevInf.xml
c:\program files\ORANGE\Internet Orange Synchronisation\VoxLib.dll
c:\program files\ORANGE\Internet Orange Synchronisation\VoxLibConnectors.dll
c:\program files\ORANGE\Internet Orange Synchronisation\VoxLibEncrypt.dll
c:\program files\ORANGE\Internet Orange Synchronisation\VoxPim.DeviceList.xml
c:\program files\ORANGE\Internet Orange Synchronisation\Voxsync.exe
c:\program files\ORANGE\Internet Orange Synchronisation\VoxSync.xml
c:\program files\ORANGE\Internet Orange Synchronisation\VOXSYNC_en.GID
c:\program files\ORANGE\Internet Orange Synchronisation\Voxsync_en.hlp
c:\program files\ORANGE\Internet Orange Synchronisation\VOXSYNC_FR.HLP
c:\program files\ORANGE\Internet Orange Synchronisation\Voxsyncen.dll
c:\program files\ORANGE\Internet Orange Synchronisation\Voxsynchost.1.3770138884.3928571130\0-524828412.AddressBook.Address
c:\program files\ORANGE\Internet Orange Synchronisation\Voxsynchost.1.3770138884.3928571130\0-524828412.AddressBook.Address.INF
c:\program files\ORANGE\Internet Orange Synchronisation\Voxsynchost.1.3770138884.3928571130\AddressBook.DevInfInfos
c:\program files\ORANGE\Internet Orange Synchronisation\Voxsynchost.1.3770138884.3928571130\AddressBook.DevInfInfos.Ext
c:\program files\ORANGE\Internet Orange Synchronisation\VPMLLib.dll
c:\program files\ORANGE\Internet Orange Synchronisation\VSPLib.dll
c:\program files\ORANGE\Internet Orange Synchronisation\WinHttpAdapter.dll
c:\program files\ORANGE\Patch\INSTALL.LOG
c:\program files\ORANGE\Patch\OrangeConnectionKit.exe
c:\program files\ORANGE\setup\IEBranding.exe
c:\program files\ORANGE\setup\INSTALL.LOG
c:\program files\ORANGE\setup\Orange.ico
c:\windows\system32\WSBar.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_AVG
-------\Service_yeddef


((((((((((((((((((((((((( Files Created from 2008-12-13 to 2009-01-13 )))))))))))))))))))))))))))))))
.

2008-12-28 02:24 . 2008-12-28 02:24 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-25 23:56 . 2008-12-25 23:56 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-12-25 23:56 . 2008-12-25 23:56 <DIR> d-------- c:\documents and settings\alvin\Application Data\SUPERAntiSpyware.com
2008-12-25 23:56 . 2008-12-25 23:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-24 21:20 . 2008-12-24 21:20 <DIR> d-------- C:\fsaua.data
2008-12-23 04:53 . 2009-01-12 23:53 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-23 04:53 . 2008-12-24 01:39 <DIR> d-------- c:\documents and settings\alvin\Application Data\AVGTOOLBAR
2008-12-23 04:53 . 2008-12-23 04:53 324,872 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-23 04:53 . 2008-12-23 04:53 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-23 04:53 . 2008-12-23 04:53 12,552 --a------ c:\windows\system32\drivers\avgrkx86.sys
2008-12-23 04:53 . 2008-12-23 04:53 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-23 04:52 . 2008-12-23 04:52 50,968 --a------ c:\windows\system32\avgfwdx.dll
2008-12-23 04:52 . 2008-12-23 04:52 29,208 --a------ c:\windows\system32\drivers\avgfwdx.sys
2008-12-23 03:41 . 2008-12-23 03:42 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-23 03:41 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-23 03:41 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-13 01:36 --------- d-----w c:\documents and settings\alvin\Application Data\OpenOffice.org2
2009-01-13 01:25 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-13 01:11 --------- d-----w c:\program files\Mozilla Thunderbird
2009-01-12 19:11 --------- d-----w c:\program files\DigiGuide TV Guide
2009-01-12 03:33 --------- d-----w c:\documents and settings\alvin\Application Data\Simple Sudoku
2008-12-28 02:24 --------- d-----w c:\program files\Java
2008-12-27 17:45 --------- d-----w c:\program files\Google
2008-12-25 23:55 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-23 04:52 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-17 16:26 --------- d-----w c:\program files\Zinio
2008-12-17 16:26 --------- d-----w c:\program files\Common Files\Zinio
2008-12-16 20:23 --------- d-----w c:\documents and settings\alvin\Application Data\ContentGuard
2008-11-28 21:15 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2008-11-28 21:07 --------- d-----w c:\documents and settings\All Users\Application Data\Channel4
2007-03-11 18:09 3,094 ----a-w c:\documents and settings\alvin\Application Data\wklnhst.dat
2006-10-14 19:44 774,144 ----a-w c:\program files\RngInterstitial.dll
2008-06-10 02:32 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008061020080611\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\program files\Wanadoo\Setup\Check.exe" [2005-07-19 126427]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-10 61440]
"PDService.exe"="c:\program files\Utimaco\SafeGuard PrivateDisk\pdservice.exe" [2004-07-06 40960]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2005-03-03 483328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2006-10-23 40048]
"SDTray"="c:\program files\Spyware Doctor\SDTrayApp.exe" [2007-08-14 1063752]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2005-04-08 102400]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-28 136600]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-17 185896]
"LWBMOUSE"="c:\program files\Tech\Wheel Mouse\5.3\MOUSE32A.EXE" [2002-05-24 357376]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-23 1601304]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-12-28 29744]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\alvin\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2008-01-09 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2007-05-10 738968]
ATI CATALYST System Tray.lnk - c:\program files\ATI Technologies\ATI.ACE\CLI.exe [2005-08-10 61440]
Audio Filter.lnk - c:\program files\Sony\sonicstage mastering studio\audio filter\SSMSFilter.exe [2005-12-21 5649408]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-06-09 471040]
Internet Explorer Remote Control Extension.lnk - c:\program files\Sony\Internet Explorer Remote Control Extension\tfcmd.exe [2005-12-20 81920]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2008-12-23 04:53 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-20 17:42 73728 c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= c:\progra~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-12-23 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-23 324872]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-23 107272]
R1 PrivateDisk;PrivateDisk;c:\windows\system32\drivers\privatediskm.sys [2004-07-06 45627]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-04 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-04 55024]
R3 AVerA16B;AVerA16B service;c:\windows\system32\drivers\AVerA16B.sys [2005-12-19 837888]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2008-12-23 29208]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-23 903960]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-23 298264]
R4 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [2008-12-23 1339600]
R4 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
R4 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe [2007-08-17 729416]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2008-12-23 29208]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-12-27 29744]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [2006-10-02 15576]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2009-01-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2009-01-11 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe []

2009-01-13 c:\windows\Tasks\User_Feed_Synchronization-{020D8529-C620-4F98-9AE9-DC4EE5A46B75}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.orange.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add RSS Support Site to VAIO Information FLOW - c:\program files\Sony\VAIO Information FLOW\aiesc.html
IE: E&xport to Microsoft Excel
IE: Transfer by Image Converter 2 Plus - c:\program files\Sony\Image Converter 2\menu.htm
Trusted Zone: eurostore.adobe.com
Trusted Zone: istore.adobe.com
Trusted Zone: www.club-vaio.com
Trusted Zone: www.hotmail.com
Trusted Zone: www.moodlogic.com
Trusted Zone: *.sony-europe.com
Trusted Zone: www.club-vaio.sony-europe.com
Trusted Zone: www.vaio.sony-europe.com
Trusted Zone: *.sonystyle-europe.com
Trusted Zone: shop.sonystyle-europe.com
Trusted Zone: www.sonystyle-europe.com
Trusted Zone: www.symantecstore.com
Trusted Zone: www.tvtv.co.uk
Trusted Zone: www.tvtv.de
Trusted Zone: www.tvtv.es
Trusted Zone: www.tvtv.fr
Trusted Zone: www.tvtv.it
Trusted Zone: www.tvtv.nl
Trusted Zone: www.utimaco.com
Trusted Zone: *.vaio-link.com
Trusted Zone: *.personals.yahoo.com
Trusted Zone: *.rd.yahoo.com

c:\windows\Downloaded Program Files\ewidoOnlineScan.dll - O16 -: {193C772A-87BE-4B19-A7BB-445B226FE9A1}
hxxp://downloads.ewido.net/ewidoOnlineScan.cab

c:\windows\system32\atl.dll - c:\windows\Downloaded Program Files\VoxsyncX.dll
O16 -: {3E82BB3F-ABE4-458D-9281-0187286A4E51}
hxxp://web.contacts.orange.co.uk/wuk_webab/VoxsyncX.cab
c:\windows\Downloaded Program Files\VoxsyncX.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-13 01:37:25
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1120)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\VESWinlogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
c:\program files\Sony\Internet Explorer Remote Control Extension\tfphrase.exe
c:\orange\Orangeconnectionkit\atdialler1.exe
c:\program files\Sony\VAIO Action Setup\VAServ.exe
c:\program files\Spyware Doctor\swdsvc.exe
c:\program files\Sony\Click to DVD 2\ctdatsvr.exe
c:\program files\OpenOffice.org 2.3\program\soffice.exe
c:\program files\OpenOffice.org 2.3\program\soffice.bin
c:\program files\DigiGuide TV Guide\DigiGuide.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2009-01-13 1:43:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-13 01:43:23
ComboFix2.txt 2009-01-12 11:37:53

Pre-Run: 88,062,095,360 bytes free
Post-Run: 88,067,133,440 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

342 --- E O F --- 2008-12-19 00:30:49


#8 Billy O'Neal
  • Visual C++ STL Maintainer
  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:02:46 PM

Posted 12 January 2009 - 10:30 PM

Hello, a12th99
I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use <Control>+A)
  • Right-click again and choose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

In your next reply, please include the following:
  • ESET OnlineScan's Log

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#9 Billy O'Neal
  • Visual C++ STL Maintainer
  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:02:46 PM

Posted 15 January 2009 - 08:34 PM

Hello, a12th99
Are you still here?

BillyIII

#10 a12th99
  • Topic Starter
  • Members
  • 17 posts
  • OFFLINE
  • Local time:10:46 PM

Posted 16 January 2009 - 12:30 PM

Hello Billy,

Please excuse the unavoidable delay. I'm attaching an error report from late last evening. Is it relevant?

Here's the ESET OnlineScan's Log:

tks/rgds,

a12th99



# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3772 (20090116)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=5f50ca414aa55c4e93703fb9f69c316f
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-01-16 05:16:06
# local_time=2009-01-16 05:16:06 (+0000, GMT Standard Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 3
# scanned=691174
# found=0
# scan_time=5584


#11 Billy O'Neal
  • Visual C++ STL Maintainer
  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:02:46 PM

Posted 16 January 2009 - 01:03 PM

Hello, a12th99
No problem :thumbsup:

Only reason I go looking is we get OPs who occasionally drop off the face of the earth ;)

Everything looks good from here. However, since you were having issues with your email apps, I'd like to run one more (optional) check which will be better able to look at the emails you have.

Before running this scan, please EMPTY the "Spam" and "Deleted Items" folders in your email client. This in and of itself may fix your issues with mail being sent.

Finally, please let me know how things are running. :) Do you have any remaining issues?

Please do an online scan with Kaspersky WebScanner.
  • Please visit the Kaspersky Online Scanner website.
    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your next reply, please include the following:
  • Kaspersky's Log

BillyIII

#12 a12th99
  • Topic Starter
  • Members
  • 17 posts
  • OFFLINE
  • Local time:10:46 PM

Posted 17 January 2009 - 02:40 AM

Hello Billy,

I'm here again.

My major concern is about anyone who can send mail to me supposedly from myself, & to others also from me (I get non-delivery messages for mail which I didn't send). How much more can they do? Might they have access to my files & be able to track my passwords, contacts, etc?

Beyond that there are just minor concerns mentioned earlier:
  • When I closed IE after downloading but before running ComboFix.exe I got the box attached on 12 January 2009. The numbers changed each time I clicked on it & eventually it disappeared. Is this significant?
  • In addition to AVG Internet Security, I am running Spybot & Spyware Doctor. I also have Spyware Blaster de-activated. Should I update and activate Spyware Blaster to run alongside the other three?
Thank you,

a12th99

Here's today's Kaspersky's Log:

KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, January 17, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, January 17, 2009 02:11:53
Records in database: 1633855

Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\ D:\ E:\ G:\ H:\ I:\ J:\

Scan statistics
Files scanned 122303
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 02:37:22

No malware has been detected. The scan area is clean.
The selected area was scanned.

#13 Billy O'Neal
  • Visual C++ STL Maintainer
  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:02:46 PM

Posted 17 January 2009 - 09:37 AM

Hello, a12th99

My major concern is about anyone who can send mail to me supposedly from myself, & to others also from me (I get non-delivery messages for mail which I didn't send). How much more can they do? Might they have access to my files & be able to track my passwords, contacts, etc?

There are quite a few ways to make Outlook send messages without actually compromising the machine.

For example, if you get a spam message which requests a read receipt, it will be sent, whether you want it to or not.

If you're getting delivery status failed messages, then someone may be sending mails with your address stamped on them. Nothing says that the From: field is actually where a message comes from.

If a malware bot somewhere else sends an invalid mail with that address, the bounce back will come back to you, not the original sender.

I closed IE after downloading but before running ComboFix.exe I got the box attached on 12 January 2009. The numbers changed each time I clicked on it & eventually it disappeared. Is this significant?

I don't honestly know.

In addition to AVG Internet Security, I am running Spybot & Spyware Doctor. I also have Spyware Blaster de-activated. Should I update and activate Spyware Blaster to run alongside the other three?

Yes, I would use Spyware Blaster. In addition, I would uninstall Spybot and replace it with either SuperAntiSpyware or Malware Bytes Anti Malware (Preferably the second one).

Download links and more information below.

Congratulations! You now appear clean! :thumbsup:

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware
We Need to Remove ComboFix
  • Please go to Start -> Run
  • Enter "ComboFix /u" (without quotes). Note the space betwen "ComboFix" and "/u", it needs to be there.
    Posted Image
  • Press OK (Or hit enter).
  • Allow ComboFix to remove itself.
We Need to Clean Up Our Mess
  • Please download OTCleanIt from one of the following mirrors and save it to your desktop:
  • Double click the OTCleanIt icon.
  • Push the large "Cleanup" button.
  • Allow your system to reboot.
Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    • Click the "Start Menu" (or Windows Orb)
    • Click "All Programs"
    • Click "Windows Update"
    • On the left, choose "Change Settings"
    • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    • Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    • Click "Check for Updates" in the upper left corner.
    • Follow the instructions to install the latest updates.
    • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :).
BillyIII
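On the point above that the From: field and a bounce say nothing about where a message really came from, here is an added example that is not part of the thread: a small standard-library Python script that parses a raw message, walks its Received: headers back to the host that handed the message in, compares that host with the domain claimed in From:, and flags a read-receipt request (Disposition-Notification-To), which is what a client answers without the user sending anything. The sample message, the hosts and the addresses are constructed for the example; example.org, 192.0.2.10 and 198.51.100.77 are reserved documentation names and addresses, not real systems.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample (not a real message): a bot at 198.51.100.77 hands a
# message straight to the victim's own mail server, stamping the victim's
# address on Return-Path:, From: and a read-receipt request.  Documentation
# names/addresses only: example.org, 192.0.2.0/24, 198.51.100.0/24.
SAMPLE_SPOOF = """\
Return-Path: <victim@example.org>
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby imap.example.org with LMTP id 1234; Sat, 17 Jan 2009 02:11:53 +0000
Received: from [198.51.100.77] (unknown [198.51.100.77])
\tby mail.example.org with SMTP id 5678; Sat, 17 Jan 2009 02:11:50 +0000
From: victim@example.org
To: victim@example.org
Subject: hi
Disposition-Notification-To: victim@example.org
Message-ID: <20090117021150.GA1@198.51.100.77>

spam
"""

# "from <helo> (<reverse-dns> [<ip>]) by <server> ..." as written by most MTAs
RECEIVED_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """One Received: header -> (helo_name, reverse_dns_or_None, ip_or_None, receiving_host)."""
    value = " ".join(value.split())  # unfold continuation lines
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    helo, comment, by_host = m.group(1), m.group(2) or "", m.group(3)
    ip_m = IP_RE.search(comment) or IP_RE.search(helo)
    ip = ip_m.group(1) if ip_m else None
    # The receiving server writes the sender's reverse DNS first in the
    # comment; a bare "[ip]" means it had none.
    rdns = comment.split()[0] if comment and not comment.startswith("[") else None
    return (helo, rdns, ip, by_host)


def analyze(raw):
    """Summarise who a message claims to be from versus where it entered the mail system."""
    msg = email.message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    # Each relay prepends its own Received: line, so the top one is the last
    # hop; reversing gives transit order, starting with the injecting host.
    hops = [h for h in (parse_received(v) for v in msg.get_all("Received", [])) if h]
    hops.reverse()
    origin = hops[0] if hops else None
    origin_host = (origin[1] or origin[0]).strip("[]").lower() if origin else ""
    inside = origin_host == from_domain or origin_host.endswith("." + from_domain)
    return {
        "from": from_addr,
        "return_path": parseaddr(msg.get("Return-Path", ""))[1],
        "reply_to": parseaddr(msg.get("Reply-To", ""))[1],
        "origin_host": origin_host,
        "origin_ip": origin[2] if origin else None,
        "origin_inside_from_domain": inside,
        "read_receipt_requested": msg.get("Disposition-Notification-To") is not None,
        "hops": hops,
    }


if __name__ == "__main__":
    for key, val in analyze(SAMPLE_SPOOF).items():
        print(f"{key:>26}: {val}")
```

Two caveats when reading the output. Only the Received: lines added by servers you trust are reliable: the sending bot can prepend fake ones, so read the chain from the top (your provider) downwards and stop trusting it at the first hop your provider did not write. For the bounces the thread describes, the non-delivery report usually carries the original headers as an attached message/rfc822 or text/rfc822-headers part, and the same function can be pointed at that part to see which host really sent the forged mail.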

#14 a12th99
  • Topic Starter
  • Members
  • 17 posts
  • OFFLINE
  • Local time:10:46 PM

Posted 18 January 2009 - 06:26 PM

Hello Billy,

Thank you for your patient guidance and for your reassurance that I'm clean.

I won't be able to follow your latest instructions until late on Monday. Please keep this thread open so that I can report back when I've completed this exercise.

tks/rgds,

a12th99

#15 a12th99
  • Topic Starter
  • Members
  • 17 posts
  • OFFLINE
  • Local time:10:46 PM

Posted 20 January 2009 - 06:46 AM

Hello Billy,

I've worked through your instructions and I feel much safer now; thank you v much for your help.

All's well except for some difficulties with my browser. I think they're caused by last week's Microsoft update, & will follow up in the forum or with my ISP.

tks/rgds,

a12th99
