Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan:Win32/AgentBypass.gen!K


  • This topic is locked This topic is locked
16 replies to this topic

#1 christos4487

christos4487

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:22 AM

Posted 07 January 2009 - 04:19 PM

Hi,

My Windows Defender picked up that I have a Trojan:Win32/AgentBypass.gen!K Trojan and allows me to remove it. However, whenever I restart Windows XP, the warning message returns. My laptop has shown no other symptoms so far.

I have Norton Internet Security 2008 (most up to date version), and it has not been picked up by this.

I ran a Malwarebyte scan and it produced these logs:

QUICK SCAN:

Malwarebytes' Anti-Malware 1.32
Database version: 1627
Windows 5.1.2600 Service Pack 3

07/01/2009 10:18:30
mbam-log-2009-01-07 (10-18-30).txt

Scan type: Quick Scan
Objects scanned: 69250
Time elapsed: 15 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Chris Turner\results.txt (Malware.Trace) -> Quarantined and deleted successfully.



The Complete Scan showed these results:

Malwarebytes' Anti-Malware 1.32
Database version: 1627
Windows 5.1.2600 Service Pack 3

07/01/2009 12:45:52
mbam-log-2009-01-07 (12-45-52).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 168860
Time elapsed: 2 hour(s), 13 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected).





I then ran SuperAntiSpy which provided this log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/07/2009 at 08:02 PM

Application Version : 4.24.1004

Core Rules Database Version : 3698
Trace Rules Database Version: 1674

Scan type : Complete Scan
Total Scan Time : 04:13:48

Memory items scanned : 171
Memory threats detected : 0
Registry items scanned : 7589
Registry threats detected : 0
File items scanned : 131990
File threats detected : 18

Adware.Tracking Cookie
C:\Documents and Settings\Chris Turner\Cookies\chris_turner@revsci[2].txt
C:\Documents and Settings\Chris Turner\Cookies\chris_turner@content.yieldmanager.edgesuite[1].txt
C:\Documents and Settings\Chris Turner\Cookies\chris_turner@revenue[2].txt
C:\Documents and Settings\Chris Turner\Cookies\chris_turner@uk.at.atwola[1].txt
C:\Documents and Settings\Chris Turner\Cookies\chris_turner@ads.bleepingcomputer[1].txt
C:\Documents and Settings\Chris Turner\Cookies\chris_turner@content.yieldmanager[2].txt
C:\Documents and Settings\Chris Turner\Cookies\chris_turner@2o7[2].txt
C:\Documents and Settings\Chris Turner\Cookies\chris_turner@atwola[1].txt
C:\Documents and Settings\Chris Turner\Cookies\chris_turner@casalemedia[1].txt
C:\Documents and Settings\Chris Turner\Cookies\chris_turner@ad.yieldmanager[1].txt
C:\Documents and Settings\Chris Turner\Cookies\chris_turner@aoluk.122.2o7[1].txt
C:\Documents and Settings\Chris Turner\Cookies\chris_turner@apmebf[1].txt
C:\Documents and Settings\Chris Turner\Cookies\chris_turner@questionmarket[2].txt
C:\Documents and Settings\Chris Turner\Cookies\chris_turner@bluestreak[1].txt
C:\Documents and Settings\Chris Turner\Cookies\chris_turner@tacoda[2].txt
C:\Documents and Settings\Chris Turner\Cookies\chris_turner@at.atwola[2].txt
C:\Documents and Settings\Chris Turner\Cookies\chris_turner@content.yieldmanager[3].txt

Trojan.Security Toolbar
C:\Documents and Settings\Chris Turner\Favorites\Antivirus Test Online.url



None of these have resolved the issue.

Here are the DDS logs:


DDS (Ver_09-01-07.01) - NTFSx86
Run by Chris Turner at 21:08:02.60 on 07/01/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.126 [GMT 0:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\VAIO Entertainment\VzTaskScheduler.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\autoclk.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Sony\VAIO Update 4\VAIOUpdt.exe
C:\Program Files\Common Files\AOL\1226153689\ee\AOLSoftware.exe
C:\Program Files\Java\jre6\bin\jusched.exe
G:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Microsoft Money\System\reminder.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Chris Turner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
C:\Program Files\Sony\SonicStage Mastering Studio\Audio Filter\SSMSFilter.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\Program Files\Sony\VAIO Entertainment\VzTrayIcon.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Chris Turner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Chris Turner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Documents and Settings\Chris Turner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.co.uk/aolbroadband
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.vaio-link.com/vu.asp?l=en&u=m&h=0809
uSearchAssistant = hxxp://www.google.com/ie
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol broadband toolbar 5.0\aoltb.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.5\CoIEPlg.dll
TB: AOL Broadband Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol broadband toolbar 5.0\aoltb.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Reminder] d:\program files\microsoft money\system\reminder.exe
uRun: [MessengerPlus3] "c:\program files\messengerplus! 3\MsgPlus.exe" /WinStart
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Free Uploader Oe Integration] c:\program files\free download manager\fum\fumoei.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [Google Update] "c:\documents and settings\chris turner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
mRun: [Hcontrol] c:\windows\atk0100\Hcontrol.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [SonyPowerCfg] c:\program files\sony\vaio power management\SPMgr.exe
mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [VZRemoteCommander] c:\program files\sony\vaio zone remote commander\AvRmtCtr.exe
mRun: [TVTunerLib] c:\program files\common files\sony shared\tvtunerlib\TVTLInstTool.exe
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [HP Software Update] d:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [MessengerPlus3] "c:\program files\messengerplus! 3\MsgPlus.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Switcher.exe] c:\program files\sony\wireless switch setting utility\Switcher.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [autoclk] autoclk.exe
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [OrderReminder] c:\program files\hewlett-packard\orderreminder\OrderReminder.exe
mRun: [kdx] "c:\program files\kontiki\KHost.exe" -all
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [AcctMgr] c:\program files\norton password manager\AcctMgr.exe /startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [VAIO Update 4] "c:\program files\sony\vaio update 4\VAIOUpdt.exe" /Stationary
mRun: [HostManager] c:\program files\common files\aol\1226153689\ee\AOLSoftware.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "g:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\christ~1\startm~1\programs\startup\hddtem~1.lnk - c:\program files\palicksoft\hdd temperature\HDDTemperature.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aol90t~1.lnk - c:\program files\aol 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audiof~1.lnk - c:\program files\sony\sonicstage mastering studio\audio filter\SSMSFilter.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\device~1.lnk - c:\program files\olympus\devicedetector\DevDtct2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dslmon.lnk - c:\program files\sagem\sagem f@st 800-840\dslmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - d:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v2\WG111v2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\record~1.lnk - c:\program files\sony\vaio entertainment\VzTrayIcon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wg111v~1.lnk - c:\program files\netgear\wg111v2 configuration utility\RtlWake.exe
IE: &AOL Toolbar Search - c:\program files\aol\aol broadband toolbar 5.0\resources\en-gb\local\search.html
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Transfer by Image Converter 2 - c:\program files\sony\image converter 2\menu.htm
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\progra~1\yahoo!\messen~1\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - c:\program files\free download manager\fum\fumiebtn.dll
Trusted Zone: sony-europe.com
Trusted Zone: sonystyle-europe.com
Trusted Zone: vaio-link.com
Trusted Zone: xfm.co.uk\www
TCP: {54DF9F66-E4CC-483A-9676-8640DBF0E2BB} = 205.188.146.145
TCP: {6B7F682E-7730-4931-9175-3DC5DE815D5A} = 192.168.125.4
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: VESWinlogon - VESWinlogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\christ~1\applic~1\mozilla\firefox\profiles\stqjmawa.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll
FF - plugin: c:\documents and settings\chris turner\local settings\application data\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPsplsvp.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: g:\program files\itunes\mozilla plugins\npitunes.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-10-22 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090107.002\NAVENG.SYS [2009-1-7 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090107.002\NAVEX15.SYS [2009-1-7 876112]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2005-3-1 71961]
R4 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R4 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2006-2-18 66048]
R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R4 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]
R4 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]
R4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-2-19 1245064]
R4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\christ~1\locals~1\temp\dmskssrh.sys --> c:\docume~1\christ~1\locals~1\temp\DMSKSSRh.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-1-7 38496]
S3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [2005-3-1 17251]
S3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\PELUSBlf.SYS [2005-3-1 7520]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2006-2-18 167808]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2006-2-18 13532]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]

=============== Created Last 30 ================

2009-01-07 15:36 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-07 15:35 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-07 15:35 <DIR> --d----- c:\docume~1\christ~1\applic~1\SUPERAntiSpyware.com
2009-01-07 15:35 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-07 09:27 <DIR> --d----- c:\docume~1\christ~1\applic~1\Malwarebytes
2009-01-07 09:26 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-07 09:26 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-07 09:26 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-07 09:26 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-01 10:26 0 a------- c:\windows\system32\pÁm
2008-12-25 22:48 <DIR> --d----- c:\program files\Amazon

==================== Find3M ====================

2009-01-06 19:05 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-06 19:05 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-01-06 19:05 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-06 19:05 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-11-14 21:16 118,784 a------- c:\windows\web\wallpaper\club VAIO desktop bubbles.exe
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-10-23 12:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-07-14 09:55 308,600 ac------ c:\docume~1\alluse~1\applic~1\NortonProtectionMemo.exe
2007-03-14 15:53 77,272 a------- c:\docume~1\christ~1\applic~1\GDIPFONTCACHEV1.DAT
2008-07-22 17:26 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008072220080723\index.dat

============= FINISH: 21:09:10.67 ===============




Many thanks to whoever can help!

Chris.

Attached Files



BC AdBot (Login to Remove)

 


#2 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:22 AM

Posted 13 January 2009 - 05:35 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Download and Run DDS
If you already have a copy of DDS, there is not need to download a new one.

Download DDS by sUBs from any of the links below:
DDS.com, DDS.scr, DDS.pif

Double click its icon to run it. If you are using Windows Vista, right click it and select "Run as Administrator".
When the scan is finished, two logs will open.
Post DDS.txt directly into your reply. Attach Attach.txt.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. If you are using Windows Vista, right click the icon and select "Run as Administrator". Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
Please tell me what changes have been made to the computer since your topic was started. Also give me an update on any symptoms.

With Regards,
The Panda

#3 christos4487

christos4487
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:22 AM

Posted 14 January 2009 - 05:35 AM

Hi there, thanks for your reply. There have been no new symptoms since my original post, and I have not altered any settings.

Here is the DDS log:


DDS (Ver_09-01-07.01) - NTFSx86
Run by Chris Turner at 10:08:11.98 on 14/01/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.409 [GMT 0:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\VAIO Entertainment\VzTaskScheduler.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\autoclk.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Sony\VAIO Update 4\VAIOUpdt.exe
C:\Program Files\Common Files\AOL\1226153689\ee\AOLSoftware.exe
C:\Program Files\Java\jre6\bin\jusched.exe
G:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Microsoft Money\System\reminder.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Free Download Manager\FUM\fumoei.exe
C:\Documents and Settings\Chris Turner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
D:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony\SonicStage Mastering Studio\Audio Filter\SSMSFilter.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\Program Files\Sony\VAIO Entertainment\VzTrayIcon.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Documents and Settings\Chris Turner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.co.uk/aolbroadband
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.vaio-link.com/vu.asp?l=en&u=m&h=0809
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol broadband toolbar 5.0\aoltb.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.5\CoIEPlg.dll
TB: AOL Broadband Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol broadband toolbar 5.0\aoltb.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Reminder] d:\program files\microsoft money\system\reminder.exe
uRun: [MessengerPlus3] "c:\program files\messengerplus! 3\MsgPlus.exe" /WinStart
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Free Uploader Oe Integration] c:\program files\free download manager\fum\fumoei.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [Google Update] "c:\documents and settings\chris turner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
mRun: [Hcontrol] c:\windows\atk0100\Hcontrol.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [SonyPowerCfg] c:\program files\sony\vaio power management\SPMgr.exe
mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [VZRemoteCommander] c:\program files\sony\vaio zone remote commander\AvRmtCtr.exe
mRun: [TVTunerLib] c:\program files\common files\sony shared\tvtunerlib\TVTLInstTool.exe
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [HP Software Update] d:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [MessengerPlus3] "c:\program files\messengerplus! 3\MsgPlus.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Switcher.exe] c:\program files\sony\wireless switch setting utility\Switcher.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [autoclk] autoclk.exe
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [OrderReminder] c:\program files\hewlett-packard\orderreminder\OrderReminder.exe
mRun: [kdx] "c:\program files\kontiki\KHost.exe" -all
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [AcctMgr] c:\program files\norton password manager\AcctMgr.exe /startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [VAIO Update 4] "c:\program files\sony\vaio update 4\VAIOUpdt.exe" /Stationary
mRun: [HostManager] c:\program files\common files\aol\1226153689\ee\AOLSoftware.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "g:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\christ~1\startm~1\programs\startup\hddtem~1.lnk - c:\program files\palicksoft\hdd temperature\HDDTemperature.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aol90t~1.lnk - c:\program files\aol 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audiof~1.lnk - c:\program files\sony\sonicstage mastering studio\audio filter\SSMSFilter.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\device~1.lnk - c:\program files\olympus\devicedetector\DevDtct2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dslmon.lnk - c:\program files\sagem\sagem f@st 800-840\dslmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - d:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v2\WG111v2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\record~1.lnk - c:\program files\sony\vaio entertainment\VzTrayIcon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wg111v~1.lnk - c:\program files\netgear\wg111v2 configuration utility\RtlWake.exe
IE: &AOL Toolbar Search - c:\program files\aol\aol broadband toolbar 5.0\resources\en-gb\local\search.html
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Transfer by Image Converter 2 - c:\program files\sony\image converter 2\menu.htm
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\progra~1\yahoo!\messen~1\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - c:\program files\free download manager\fum\fumiebtn.dll
Trusted Zone: sony-europe.com
Trusted Zone: sonystyle-europe.com
Trusted Zone: vaio-link.com
Trusted Zone: xfm.co.uk\www
TCP: {6B7F682E-7730-4931-9175-3DC5DE815D5A} = 192.168.125.4
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: VESWinlogon - VESWinlogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\christ~1\applic~1\mozilla\firefox\profiles\stqjmawa.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll
FF - plugin: c:\documents and settings\chris turner\local settings\application data\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPsplsvp.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: g:\program files\itunes\mozilla plugins\npitunes.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-10-22 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090113.049\NAVENG.SYS [2009-1-14 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090113.049\NAVEX15.SYS [2009-1-14 876112]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2005-3-1 71961]
R4 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R4 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2006-2-18 66048]
R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R4 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]
R4 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]
R4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-2-19 1245064]
R4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\christ~1\locals~1\temp\dmskssrh.sys --> c:\docume~1\christ~1\locals~1\temp\DMSKSSRh.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-1-7 38496]
S3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [2005-3-1 17251]
S3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\PELUSBlf.SYS [2005-3-1 7520]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2006-2-18 167808]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2006-2-18 13532]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]

=============== Created Last 30 ================

2009-01-07 15:36 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-07 15:35 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-07 15:35 <DIR> --d----- c:\docume~1\christ~1\applic~1\SUPERAntiSpyware.com
2009-01-07 15:35 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-07 09:27 <DIR> --d----- c:\docume~1\christ~1\applic~1\Malwarebytes
2009-01-07 09:26 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-07 09:26 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-07 09:26 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-07 09:26 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-01 10:26 0 a------- c:\windows\system32\pÁm
2008-12-25 22:48 <DIR> --d----- c:\program files\Amazon

==================== Find3M ====================

2009-01-06 19:05 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-06 19:05 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-01-06 19:05 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-06 19:05 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-11-14 21:16 118,784 a------- c:\windows\web\wallpaper\club VAIO desktop bubbles.exe
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-10-23 12:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-07-14 09:55 308,600 ac------ c:\docume~1\alluse~1\applic~1\NortonProtectionMemo.exe
2007-03-14 15:53 77,272 a------- c:\docume~1\christ~1\applic~1\GDIPFONTCACHEV1.DAT
2008-07-22 17:26 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008072220080723\index.dat

============= FINISH: 10:08:55.03 ===============

Attached are the DDS Attach and GMER logs.

Thanks for your help,

Chris.

Attached Files



#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:22 AM

Posted 14 January 2009 - 12:03 PM

Hello.

There does appear to be sings of infection.

Disable Realtime Protection
Antimalware programs can interfere with the tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

To disable Norton Antivirus.
  • Right click on thr Norton icon (Posted Image) beside your click and select Disable Auto-Protect.
  • Select a disabled duration of 5 hours to ensure that it will not interfere with this fix.
  • Click OK to apply the settings.
When done properly, you should recieve a pop-up warning saying that protection was disabled. The Norton icon should now look like Posted Image.

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs. The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are recieving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Download and Run OTMoveIT
  • Please download OTMoveIt3 by OldTimer to your desktop. If you have already used the program, there is no need to download a new one.
  • Double-click OTMoveIt3.exe to run it. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Copy the lines in the codebox below. Do not copy the word "code".
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "autoclk"=-
    
    :files
    C:\windows\autoclk.exe
    c:\windows\system32\autoclk.exe
    
    :commands
    [emptytemp]
  • Return to OTMoveIt3, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Close all open windows expect OTMoveIt.
  • Click the Posted Image button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key. Navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest ".log" file present, and copy/paste the contents of that document back here in your next post.

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

Please post back with:
-the OTMoveIt log
-the F-Secure scan log
-a new DDS log (just DDS.txt)

Are you still getting those warnings? If so, please tell me what file is being flagged.

With Regards,
The Panda

#5 christos4487

christos4487
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:22 AM

Posted 14 January 2009 - 06:09 PM

Hi Panda, thanks for your help so far. After performing all you have said, the trojan is still picked up by Windows Messenger when my Windows XP laptop loads.

Here are all the logs:

OTMoveIT log:

========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\autoclk deleted successfully.
========== FILES ==========
C:\windows\autoclk.exe moved successfully.
File/Folder c:\windows\system32\autoclk.exe not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\CMLS--2009-01-14--20-05-09.log scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\Perflib_Perfdata_10dc.dat scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\JET5A5F.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\JETC610.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_1dc.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_90c.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_944.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_ed4.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01142009_204047

Files moved on Reboot...
C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\CMLS--2009-01-14--20-05-09.log moved successfully.
File C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\Perflib_Perfdata_10dc.dat not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\JET5A5F.tmp not found!
File C:\WINDOWS\temp\JETC610.tmp not found!
File C:\WINDOWS\temp\Perflib_Perfdata_1dc.dat not found!
File C:\WINDOWS\temp\Perflib_Perfdata_90c.dat not found!
File C:\WINDOWS\temp\Perflib_Perfdata_944.dat not found!
File C:\WINDOWS\temp\Perflib_Perfdata_ed4.dat not found!


Here is the F-Secure scan log:

Scanning Report
Wednesday, January 14, 2009 21:40:44 - 22:48:10
Computer name: CHRIS
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\ G:\


--------------------------------------------------------------------------------

Result: 7 malware found
TrackingCookie.2o7 (spyware)
System
TrackingCookie.Atwola (spyware)
System
TrackingCookie.Tradedoubler (spyware)
System
TrackingCookie.Yieldmanager (spyware)
System
Trojan-Downloader.HTML.Agent.aq (virus)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\34EC4AC5.HTM (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\48CF632E.HTM (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\NORTON ANTIVIRUS\QUARANTINE\4B9A4E1B.HTM (Renamed & Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 48356
System: 4262
Not scanned: 9
Actions:
Disinfected: 0
Renamed: 3
Deleted: 0
None: 4
Submitted: 3
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCRST.DLL
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSYS.DLL
C:\DOCUMENTS AND SETTINGS\CHRIS TURNER\APPLICATION DATA\SYMANTEC\NPMDATASTORE\CIMSTORE.XML

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.40.0
F-Secure Hydra: 2.8.8110, 2009-01-14
F-Secure AVP: 7.0.171, 2009-01-14
F-Secure Pegasus: 1.20.0, 2008-11-17
F-Secure Blacklight: 0.0.0
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics


Here is the DDS.text log:



DDS (Ver_09-01-07.01) - NTFSx86
Run by Chris Turner at 23:05:42.35 on 14/01/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.337 [GMT 0:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\VAIO Entertainment\VzTaskScheduler.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Sony\VAIO Update 4\VAIOUpdt.exe
C:\Program Files\Common Files\AOL\1226153689\ee\AOLSoftware.exe
C:\Program Files\Java\jre6\bin\jusched.exe
G:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Microsoft Money\System\reminder.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Chris Turner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Sony\SonicStage Mastering Studio\Audio Filter\SSMSFilter.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
D:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\Program Files\Sony\VAIO Entertainment\VzTrayIcon.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Chris Turner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Chris Turner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Chris Turner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.co.uk/aolbroadband
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.vaio-link.com/vu.asp?l=en&u=m&h=0809
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol broadband toolbar 5.0\aoltb.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.5\CoIEPlg.dll
TB: AOL Broadband Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol broadband toolbar 5.0\aoltb.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Reminder] d:\program files\microsoft money\system\reminder.exe
uRun: [MessengerPlus3] "c:\program files\messengerplus! 3\MsgPlus.exe" /WinStart
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Free Uploader Oe Integration] c:\program files\free download manager\fum\fumoei.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [Google Update] "c:\documents and settings\chris turner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
mRun: [Hcontrol] c:\windows\atk0100\Hcontrol.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [SonyPowerCfg] c:\program files\sony\vaio power management\SPMgr.exe
mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [VZRemoteCommander] c:\program files\sony\vaio zone remote commander\AvRmtCtr.exe
mRun: [TVTunerLib] c:\program files\common files\sony shared\tvtunerlib\TVTLInstTool.exe
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [HP Software Update] d:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [MessengerPlus3] "c:\program files\messengerplus! 3\MsgPlus.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Switcher.exe] c:\program files\sony\wireless switch setting utility\Switcher.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [OrderReminder] c:\program files\hewlett-packard\orderreminder\OrderReminder.exe
mRun: [kdx] "c:\program files\kontiki\KHost.exe" -all
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [AcctMgr] c:\program files\norton password manager\AcctMgr.exe /startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [VAIO Update 4] "c:\program files\sony\vaio update 4\VAIOUpdt.exe" /Stationary
mRun: [HostManager] c:\program files\common files\aol\1226153689\ee\AOLSoftware.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "g:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\christ~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\christ~1\startm~1\programs\startup\hddtem~1.lnk - c:\program files\palicksoft\hdd temperature\HDDTemperature.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aol90t~1.lnk - c:\program files\aol 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audiof~1.lnk - c:\program files\sony\sonicstage mastering studio\audio filter\SSMSFilter.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\device~1.lnk - c:\program files\olympus\devicedetector\DevDtct2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dslmon.lnk - c:\program files\sagem\sagem f@st 800-840\dslmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - d:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v2\WG111v2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\record~1.lnk - c:\program files\sony\vaio entertainment\VzTrayIcon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wg111v~1.lnk - c:\program files\netgear\wg111v2 configuration utility\RtlWake.exe
IE: &AOL Toolbar Search - c:\program files\aol\aol broadband toolbar 5.0\resources\en-gb\local\search.html
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Transfer by Image Converter 2 - c:\program files\sony\image converter 2\menu.htm
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\progra~1\yahoo!\messen~1\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - c:\program files\free download manager\fum\fumiebtn.dll
Trusted Zone: sony-europe.com
Trusted Zone: sonystyle-europe.com
Trusted Zone: vaio-link.com
Trusted Zone: xfm.co.uk\www
TCP: {6B7F682E-7730-4931-9175-3DC5DE815D5A} = 192.168.125.4
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: VESWinlogon - VESWinlogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\christ~1\applic~1\mozilla\firefox\profiles\stqjmawa.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll
FF - plugin: c:\documents and settings\chris turner\local settings\application data\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPsplsvp.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: g:\program files\itunes\mozilla plugins\npitunes.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-10-22 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090114.017\NAVENG.SYS [2009-1-14 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090114.017\NAVEX15.SYS [2009-1-14 876112]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2005-3-1 71961]
R4 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R4 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2006-2-18 66048]
R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R4 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]
R4 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]
R4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-2-19 1245064]
R4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\christ~1\locals~1\temp\dmskssrh.sys --> c:\docume~1\christ~1\locals~1\temp\DMSKSSRh.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-1-7 38496]
S3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [2005-3-1 17251]
S3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\PELUSBlf.SYS [2005-3-1 7520]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2006-2-18 167808]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2006-2-18 13532]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]

=============== Created Last 30 ================

2009-01-14 21:03 <DIR> -cd----- C:\fsaua.data
2009-01-14 20:40 <DIR> -cd----- C:\_OTMoveIt
2009-01-14 10:09 250 a------- c:\windows\gmer.ini
2009-01-07 15:36 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-07 15:35 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-07 15:35 <DIR> --d----- c:\docume~1\christ~1\applic~1\SUPERAntiSpyware.com
2009-01-07 15:35 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-07 09:27 <DIR> --d----- c:\docume~1\christ~1\applic~1\Malwarebytes
2009-01-07 09:26 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-07 09:26 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-07 09:26 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-07 09:26 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-01 10:26 0 a------- c:\windows\system32\pÁm
2008-12-25 22:48 <DIR> --d----- c:\program files\Amazon

==================== Find3M ====================

2009-01-06 19:05 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-06 19:05 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-01-06 19:05 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-06 19:05 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-11-14 21:16 118,784 a------- c:\windows\web\wallpaper\club VAIO desktop bubbles.exe
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-10-23 12:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-07-14 09:55 308,600 ac------ c:\docume~1\alluse~1\applic~1\NortonProtectionMemo.exe
2007-03-14 15:53 77,272 a------- c:\docume~1\christ~1\applic~1\GDIPFONTCACHEV1.DAT
2008-07-22 17:26 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008072220080723\index.dat

============= FINISH: 23:06:31.39 ===============


Any other ideas??

Thanks, Chris.

#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:22 AM

Posted 14 January 2009 - 06:42 PM

Hello Chris.

Please tell me what[ is being flagged. Is it a file? A registry item?

With Regards,
The Panda

#7 christos4487

christos4487
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:22 AM

Posted 14 January 2009 - 06:46 PM

Hi, Windows Defender is picking up Trojan:Win32/AgentBypass.gen!K.

The only other information that it gives is: process: pid:936 (in the resources tab)

It doesnt say anything else I;m afraid!

#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:22 AM

Posted 14 January 2009 - 06:49 PM

Hello.

Windows Defender is very unhelpful sometimes.

Please try to take a screenshot of the warning. Scratch that.

Let's see what ComboFix can find. Please make sure your protection is disabled.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not recieve the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    Posted ImagePosted Image

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    Posted Image
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

With Regards,
The Panda

Edited by PropagandaPanda, 14 January 2009 - 06:51 PM.


#9 christos4487

christos4487
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:22 AM

Posted 15 January 2009 - 05:09 AM

Here is the ComboFix log: My laptop did not restart when it finished.


ComboFix 09-01-13.04 - Chris Turner 2009-01-15 10:01:46.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.325 [GMT 0:00]
Running from: c:\documents and settings\Chris Turner\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated)
FW: Norton Internet Security *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\system
c:\windows\system32\system\msxml4.dll
c:\windows\system32\system\msxml4r.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-15 to 2009-01-15 )))))))))))))))))))))))))))))))
.

2009-01-14 21:03 . 2009-01-14 21:03 <DIR> d----c--- C:\fsaua.data
2009-01-14 20:40 . 2009-01-14 20:40 <DIR> d----c--- C:\_OTMoveIt
2009-01-14 20:24 . 2009-01-14 20:24 <DIR> d-------- c:\program files\ERUNT
2009-01-14 10:09 . 2009-01-14 10:09 250 --a------ c:\windows\gmer.ini
2009-01-07 15:36 . 2009-01-07 15:36 <DIR> d----c--- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-07 15:35 . 2009-01-07 15:35 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-07 15:35 . 2009-01-07 15:35 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-07 15:35 . 2009-01-07 15:35 <DIR> d-------- c:\documents and settings\Chris Turner\Application Data\SUPERAntiSpyware.com
2009-01-07 09:27 . 2009-01-07 09:27 <DIR> d-------- c:\documents and settings\Chris Turner\Application Data\Malwarebytes
2009-01-07 09:26 . 2009-01-07 09:27 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-07 09:26 . 2009-01-07 09:26 <DIR> d----c--- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-07 09:26 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-07 09:26 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-06 14:43 . 2009-01-06 14:53 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-01-01 10:26 . 2009-01-01 10:26 0 --a------ c:\windows\system32\pÁm
2008-12-28 11:14 . 2008-12-28 11:14 <DIR> d----c--- c:\documents and settings\All Users\Application Data\HP Product Assistant
2008-12-25 22:50 . 2008-12-25 22:50 <DIR> d-------- c:\documents and settings\Chris Turner\Application Data\Amazon
2008-12-25 22:48 . 2008-12-25 22:48 <DIR> d-------- c:\program files\Amazon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-15 10:03 --------- dc----w c:\documents and settings\All Users\Application Data\Kontiki
2009-01-15 10:03 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-15 00:07 --------- dc----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-12 23:36 --------- d-----w c:\documents and settings\Chris Turner\Application Data\Free Download Manager
2009-01-07 09:54 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-06 19:05 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-06 19:05 60,808 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-01-06 19:05 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-06 19:05 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-06 19:05 --------- d-----w c:\program files\Symantec
2008-12-25 12:03 --------- d-----w c:\documents and settings\Chris Turner\Application Data\Apple Computer
2008-12-13 11:32 --------- d-----w c:\documents and settings\Chris Turner\Application Data\dvdcss
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-08 19:57 --------- dc----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-08 19:54 --------- d-----w c:\program files\Common Files\Apple
2008-12-08 19:49 --------- d-----w c:\program files\QuickTime
2008-12-06 07:39 --------- d-----w c:\program files\Java
2008-12-03 23:17 --------- d-----w c:\documents and settings\LocalService\Application Data\Sony Corporation
2008-11-23 22:42 --------- d-----w c:\documents and settings\Chris Turner\Application Data\U3
2008-11-14 21:16 118,784 ----a-w c:\windows\Web\Wallpaper\club VAIO desktop bubbles.exe
2008-11-10 05:43 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-07-14 09:55 308,600 -c--a-w c:\documents and settings\All Users\Application Data\NortonProtectionMemo.exe
2007-03-14 15:53 77,272 ----a-w c:\documents and settings\Chris Turner\Application Data\GDIPFONTCACHEV1.DAT
2008-06-30 12:44 324,976 ----a-w c:\program files\mozilla firefox\components\coFFPlgn.dll
2008-07-22 17:26 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008072220080723\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Reminder"="d:\program files\Microsoft Money\System\reminder.exe" [1998-07-25 36864]
"MessengerPlus3"="c:\program files\MessengerPlus! 3\MsgPlus.exe" [2006-10-02 190024]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-24 68856]
"Free Uploader Oe Integration"="c:\program files\Free Download Manager\FUM\fumoei.exe" [2007-06-10 40960]
"Google Update"="c:\documents and settings\Chris Turner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-25 133104]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-05 4347120]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-11-14 1032376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hcontrol"="c:\windows\ATK0100\Hcontrol.exe" [2004-07-19 61440]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-07 114688]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-02-14 53248]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-01-14 184320]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"VZRemoteCommander"="c:\program files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe" [2005-01-31 192512]
"TVTunerLib"="c:\program files\Common Files\Sony Shared\TVTunerLib\TVTLInstTool.exe" [2005-02-16 245760]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2008-07-14 71008]
"HP Software Update"="d:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"MessengerPlus3"="c:\program files\MessengerPlus! 3\MsgPlus.exe" [2006-10-02 190024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-05 339968]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2006-02-14 176128]
"4oD"="c:\program files\Kontiki\KHost.exe" [2007-11-14 1032376]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-01-30 98304]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-11-14 1032376]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2008-02-06 718704]
"AcctMgr"="c:\program files\Norton Password Manager\AcctMgr.exe" [2005-07-29 586896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"VAIO Update 4"="c:\program files\Sony\VAIO Update 4\VAIOUpdt.exe" [2008-08-24 870240]
"HostManager"="c:\program files\Common Files\AOL\1226153689\ee\AOLSoftware.exe" [2008-06-24 41824]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="g:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]
"Mouse Suite 98 Daemon"="ICO.EXE" [2002-03-14 c:\windows\system32\ico.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

c:\documents and settings\Chris Turner\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-07-30 217195]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-04 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-06-30 12:12 73728 c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= c:\progra~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"d:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"g:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\1226153689\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1226153689\\ee\\AOLDesktop.exe"=
"g:\\Program Files\\iTunes\\iTunes.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-10-22 99376]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2005-03-01 71961]
R4 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 98304]
R4 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2006-02-18 66048]
R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-01-25 149352]
R4 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
R4 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 118784]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\CHRIST~1\LOCALS~1\Temp\DMSKSSRh.sys --> c:\docume~1\CHRIST~1\LOCALS~1\Temp\DMSKSSRh.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-01-07 38496]
S3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [2005-03-01 17251]
S3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\PELUSBlf.SYS [2005-03-01 7520]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2006-02-18 167808]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2006-02-18 13532]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8acdcf8e-53ea-11dc-b19f-000fb5c4fad3}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8fe2fb76-025a-11dd-b304-00014a1d77ec}]
\Shell\AutoRun\command - H:\InstallTomTomHOME.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af2c3c40-a735-11dd-b46e-00014a1d77ec}]
\Shell\AutoRun\command - qwultj1.bat
\Shell\explore\Command - qwultj1.bat
\Shell\open\Command - qwultj1.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8ce24f6-3f2b-11db-af69-000fb5c4fad3}]
\Shell\AutoRun\command - G:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-129183706-597570609-2979122327-1006.job
- c:\documents and settings\Chris Turner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-25 08:38]

2009-01-15 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

2009-01-12 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Chris Turner.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2008-02-07 05:05]

2009-01-15 c:\windows\Tasks\Symantec Drmc.job
- c:\program files\Common Files\Symantec Shared\SymDrmc.exe [2003-09-10 03:48]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.co.uk/aolbroadband
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.vaio-link.com/vu.asp?l=en&u=m&h=0809
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\program files\aol\aol broadband toolbar 5.0\resources\en-GB\local\search.html
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Transfer by Image Converter 2 - c:\program files\Sony\Image Converter 2\menu.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
IE: {{FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - c:\program files\Free Download Manager\FUM\fumiebtn.dll
Trusted Zone: *.sony-europe.com
Trusted Zone: *.sonystyle-europe.com
Trusted Zone: *.vaio-link.com
Trusted Zone: www.xfm.co.uk
TCP: {6B7F682E-7730-4931-9175-3DC5DE815D5A} = 192.168.125.4

d:\program files\Samsung\Samsung PC Studio 3\UNICOWS.DLL - c:\windows\Downloaded Program Files\CONFLICT.1\ImageUploader5.ocx
O16 -: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3}
hxxp://www.tescophoto.com/wpp/tesco/app/ImageUploader5.cab
c:\windows\Downloaded Program Files\CONFLICT.1\ImageUploader5.inf
FF - ProfilePath - c:\documents and settings\Chris Turner\Application Data\Mozilla\Firefox\Profiles\stqjmawa.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - plugin: c:\documents and settings\Chris Turner\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPsplsvp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: g:\program files\iTunes\Mozilla Plugins\npitunes.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-15 10:03:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Adobe\Premiere Std\7.0\DefaultPreset]
@DACL=(02 0000)
@SACL=
@="c:\\Program Files\\Adobe\\Premiere Standard\\Settings\\DV - NTSC\\Standard 48kHz.prpreset"

[HKEY_LOCAL_MACHINE\software\Adobe\Premiere Std\7.0\Help]
@DACL=(02 0000)
@SACL=
"AdobeMediaEncoder"="c:\\Program Files\\Adobe\\Premiere Standard\\Help\\1_0_0_0.html"
"Contents"="c:\\Program Files\\Adobe\\Premiere Standard\\Help\\1_0_0_0.html"
"ExportToDVD"="c:\\Program Files\\Adobe\\Premiere Standard\\Help\\1_13_2_0.html"
"HowToUse"="c:\\Program Files\\Adobe\\Premiere Standard\\Help\\0_0_0_0.html"
"Keyboard"="c:\\Program Files\\Adobe\\Premiere Standard\\Help\\1_4_15_0.html"
"Search"="c:\\Program Files\\Adobe\\Premiere Standard\\Help\\search.html"
"Support"="http://www.adobe.com/support/products/premiere.html"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):25,24,4f,77,b3,bf,37,a5,51,e6,d2,cd,0b,32,db,68,bc,c6,a0,57,6f,
f6,9e,9b,ca,9a,b4,45,09,ce,02,24,23,18,b7,60,73,43,fe,46,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{85047c08-b251-4e55-a6dc-fab5a1dbaae4}]
@Denied: (Full) (Everyone)
"Model"=dword:000000f5
"Therad"=dword:0000001f
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1356)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\VESWinlogon.dll
.
Completion time: 2009-01-15 10:07:01
ComboFix-quarantined-files.txt 2009-01-15 10:05:43

Pre-Run: 5,407,625,216 bytes free
Post-Run: 5,559,742,464 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

311 --- E O F --- 2009-01-15 00:07:12

#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:22 AM

Posted 15 January 2009 - 11:55 AM

Hello.

Download and Run FlashDisinfector
You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

Run OTMoveIT
  • Please download OTMoveIt3 by OldTimer to your desktop. If you have already used the program, there is no need to download a new one.
  • Double-click OTMoveIt3.exe to run it. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Copy the lines in the codebox below. Do not copy the word "code".
    :reg
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af2c3c40-a735-11dd-b46e-00014a1d77ec}]
  • Return to OTMoveIt3, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Close all open windows expect OTMoveIt.
  • Click the Posted Image button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key. Navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest ".log" file present, and copy/paste the contents of that document back here in your next post.

Re-enable your protection at this time.

Are you still getting those warnings?

With Regards,
The Panda

#11 christos4487

christos4487
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:22 AM

Posted 15 January 2009 - 01:23 PM

Hi, unfortunately the trojan is still here!!

Here is the OTMoveIt3 log:

========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af2c3c40-a735-11dd-b46e-00014a1d77ec}\\ deleted successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01152009_173145

#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:22 AM

Posted 15 January 2009 - 03:38 PM

Hello.

Please uninstall Free Download Manager 2.5. Reboot, and tell me if the warning is present.

If so, post back a DDS.txt.

With Regards,
The Panda

#13 christos4487

christos4487
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:22 AM

Posted 15 January 2009 - 05:28 PM

Hi! That has seemed to have done the trick! The warning has not reappeared and the trojan does not come back when scanning. Does this mean that I can not re-install the program? Could you tell me how you knew that the downloader program was responsible?

Thanks so much for your help Panda,

Chris.

Here is the DDS log:


DDS (Ver_09-01-07.01) - NTFSx86
Run by Chris Turner at 22:15:22.18 on 15/01/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.344 [GMT 0:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\VAIO Entertainment\VzTaskScheduler.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\Sony\VAIO Update 4\VAIOUpdt.exe
C:\Program Files\Common Files\AOL\1226153689\ee\AOLSoftware.exe
C:\Program Files\Java\jre6\bin\jusched.exe
G:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Microsoft Money\System\reminder.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Chris Turner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Sony\SonicStage Mastering Studio\Audio Filter\SSMSFilter.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\Program Files\Sony\VAIO Entertainment\VzTrayIcon.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Documents and Settings\Chris Turner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.co.uk/aolbroadband
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.vaio-link.com/vu.asp?l=en&u=m&h=0809
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol broadband toolbar 5.0\aoltb.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.5\CoIEPlg.dll
TB: AOL Broadband Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol broadband toolbar 5.0\aoltb.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Reminder] d:\program files\microsoft money\system\reminder.exe
uRun: [MessengerPlus3] "c:\program files\messengerplus! 3\MsgPlus.exe" /WinStart
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Google Update] "c:\documents and settings\chris turner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
mRun: [Hcontrol] c:\windows\atk0100\Hcontrol.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [SonyPowerCfg] c:\program files\sony\vaio power management\SPMgr.exe
mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
mRun: [VZRemoteCommander] c:\program files\sony\vaio zone remote commander\AvRmtCtr.exe
mRun: [TVTunerLib] c:\program files\common files\sony shared\tvtunerlib\TVTLInstTool.exe
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [HP Software Update] d:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [MessengerPlus3] "c:\program files\messengerplus! 3\MsgPlus.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Switcher.exe] c:\program files\sony\wireless switch setting utility\Switcher.exe
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [OrderReminder] c:\program files\hewlett-packard\orderreminder\OrderReminder.exe
mRun: [kdx] "c:\program files\kontiki\KHost.exe" -all
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [AcctMgr] c:\program files\norton password manager\AcctMgr.exe /startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [VAIO Update 4] "c:\program files\sony\vaio update 4\VAIOUpdt.exe" /Stationary
mRun: [HostManager] c:\program files\common files\aol\1226153689\ee\AOLSoftware.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "g:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\christ~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\christ~1\startm~1\programs\startup\hddtem~1.lnk - c:\program files\palicksoft\hdd temperature\HDDTemperature.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aol90t~1.lnk - c:\program files\aol 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audiof~1.lnk - c:\program files\sony\sonicstage mastering studio\audio filter\SSMSFilter.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\device~1.lnk - c:\program files\olympus\devicedetector\DevDtct2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dslmon.lnk - c:\program files\sagem\sagem f@st 800-840\dslmon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - d:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v2\WG111v2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\record~1.lnk - c:\program files\sony\vaio entertainment\VzTrayIcon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wg111v~1.lnk - c:\program files\netgear\wg111v2 configuration utility\RtlWake.exe
IE: &AOL Toolbar Search - c:\program files\aol\aol broadband toolbar 5.0\resources\en-gb\local\search.html
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Transfer by Image Converter 2 - c:\program files\sony\image converter 2\menu.htm
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\progra~1\yahoo!\messen~1\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: sony-europe.com
Trusted Zone: sonystyle-europe.com
Trusted Zone: vaio-link.com
Trusted Zone: xfm.co.uk\www
TCP: {6B7F682E-7730-4931-9175-3DC5DE815D5A} = 192.168.125.4
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: VESWinlogon - VESWinlogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\christ~1\applic~1\mozilla\firefox\profiles\stqjmawa.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll
FF - plugin: c:\documents and settings\chris turner\local settings\application data\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPsplsvp.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: g:\program files\itunes\mozilla plugins\npitunes.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-10-22 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090115.004\NAVENG.SYS [2009-1-15 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090115.004\NAVEX15.SYS [2009-1-15 876112]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2005-3-1 71961]
R4 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R4 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2006-2-18 66048]
R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2008-1-25 149352]
R4 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]
R4 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]
R4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-2-19 1245064]
R4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\christ~1\locals~1\temp\dmskssrh.sys --> c:\docume~1\christ~1\locals~1\temp\DMSKSSRh.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-1-7 38496]
S3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [2005-3-1 17251]
S3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\PELUSBlf.SYS [2005-3-1 7520]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2006-2-18 167808]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2006-2-18 13532]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]

=============== Created Last 30 ================

2009-01-15 17:25 <DIR> acdshr-- C:\autorun.inf
2009-01-15 09:58 <DIR> acdshr-- C:\cmdcons
2009-01-15 09:57 161,792 a------- c:\windows\SWREG.exe
2009-01-15 09:57 98,816 a------- c:\windows\sed.exe
2009-01-14 21:03 <DIR> -cd----- C:\fsaua.data
2009-01-14 20:40 <DIR> -cd----- C:\_OTMoveIt
2009-01-14 10:09 250 a------- c:\windows\gmer.ini
2009-01-07 15:36 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-07 15:35 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-07 15:35 <DIR> --d----- c:\docume~1\christ~1\applic~1\SUPERAntiSpyware.com
2009-01-07 15:35 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-07 09:27 <DIR> --d----- c:\docume~1\christ~1\applic~1\Malwarebytes
2009-01-07 09:26 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-07 09:26 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-07 09:26 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-07 09:26 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-01 10:26 0 a------- c:\windows\system32\pÁm
2008-12-25 22:48 <DIR> --d----- c:\program files\Amazon

==================== Find3M ====================

2009-01-06 19:05 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-06 19:05 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-01-06 19:05 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-06 19:05 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-12-11 10:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-11-14 21:16 118,784 a------- c:\windows\web\wallpaper\club VAIO desktop bubbles.exe
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-10-23 12:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-07-14 09:55 308,600 ac------ c:\docume~1\alluse~1\applic~1\NortonProtectionMemo.exe
2007-03-14 15:53 77,272 a------- c:\docume~1\christ~1\applic~1\GDIPFONTCACHEV1.DAT
2008-07-22 17:26 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008072220080723\index.dat

============= FINISH: 22:15:59.85 ===============

#14 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:22 AM

Posted 15 January 2009 - 05:33 PM

Hello Christos.

Great news.

Windows Defender suddenly started detecting "Trojan:Win32/AgentBypass.gen!K" after its virus definitions were updated a few days ago. There were quite a few topics in the forum where people were getting that detection.

After a bit of digging, I came across this topic.

As far as I know, that program is safe to use, and Windows Defender has a false detection.

Microsoft may or may not fix this problem.
----
Looks like you are good to go, unless you have any problems at this point.

I would consider uninstalling MessengerPlus! 3 because some versions came bundled with adware.

With Regards,
The Panda

#15 christos4487

christos4487
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:01:22 AM

Posted 15 January 2009 - 05:47 PM

awesome, well thanks for your help. Should I uninstall any of the antimalware or combifix programs etc?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users