Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Too many problems to list


  • This topic is locked This topic is locked
10 replies to this topic

#1 bomber1712

bomber1712

  • Members
  • 464 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Wisconsin, USA
  • Local time:02:34 PM

Posted 05 February 2009 - 09:44 PM

OK, here's the issue. I have a Sony VIAO running XP SP1 512 RAM. I cannot update to SP2 or 3 due to the virus/trojan/ whatever. Anytime I try to access the internet, I get pop ups, or the computer freezes. I tried to run AVG, but cannot install due to SP1 and cannot update due to connection/virus issue. I am posting from a different computer.

First time here, so here goes:

Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:49:04 PM, on 2/5/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\jswnw64r.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\System32\rcnttkdj.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [{BE-E4-4D-DF-DW}] C:\WINDOWS\system32\jswnw64r.exe DWram
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C88332017491394662E901F3D1DC7E4638E8323A15806F97BDE4417E6FD967002BA754E6C5813C477ACE
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\rcnttkdj.exe DWram
O4 - HKLM\..\Run: [98bbe470] rundll32.exe "C:\WINDOWS\System32\cxuktmfs.dll",b
O4 - HKLM\..\Run: [BM9b88d7ec] Rundll32.exe "C:\WINDOWS\System32\gngcumjr.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\rcnttkdj.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jswnw64r.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

--
End of file - 10610 bytes






DDS Log:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 20:28:57.38 on Thu 02/05/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.511.195 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\jswnw64r.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\System32\rcnttkdj.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sony.com/vaiopeople
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.sony.com/vaiopeople
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.sony.com/vaiopeople
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {22342b44-5b98-4b30-9d53-c182ad8df217} - c:\windows\system32\rqrspom.dll
BHO: : {382d1049-f595-487e-b900-b7b0c2ea0906} - c:\program files\windows nt\tewy89104.dll
BHO: {9c14f5b3-6ed6-4299-a049-42ca742f437c} - c:\windows\system32\awvwt.dll
BHO: {9ef023e7-702b-68aa-7384-a11bde7a397a}: {a793a7ed-b11a-4837-aa86-b2077e320fe9} - c:\windows\system32\wbgihkoo.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpySweeper] c:\program files\webroot\spy sweeper\SpySweeper.exe /0
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [PcSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog
uRun: [nvcoi] c:\program files\nvcoi\nvcoi.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [HKSERV.EXE] c:\program files\sony\hotkey utility\HKserv.exe
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_03\bin\jusched.exe
mRun: [DataLayer] c:\program files\common files\pcsuite\datalayer\DataLayer.exe
mRun: [PCSuiteTrayApplication] c:\program files\nokia\nokia pc suite 6\LaunchApplication.exe -onlytray
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [{BE-E4-4D-DF-DW}] c:\windows\system32\jswnw64r.exe DWram
mRun: [runner1] c:\windows\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C88332017491394662E901F3D1DC7E4638E8323A15806F97BDE4417E6FD967002BA754E6C5813C477ACE
mRun: [ExploreUpdSched] c:\windows\system32\rcnttkdj.exe DWram
mRun: [98bbe470] rundll32.exe "c:\windows\system32\cxuktmfs.dll",b
mRun: [BM9b88d7ec] Rundll32.exe "c:\windows\system32\gngcumjr.dll",s
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\deewoo.lnk - c:\windows\system32\rcnttkdj.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\dw_start.lnk - c:\windows\system32\jswnw64r.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodaks~1.lnk - c:\program files\kodak\kodak software updater\7288971\program\Kodak Software Updater.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\powerp~1.lnk - c:\program files\powerpanel\program\PcfMgr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\MSMSGS.EXE
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: amaena.com
Trusted Zone: avsystemcare.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusschlacht.com
Trusted Zone: amaena.com
Trusted Zone: avsystemcare.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusschlacht.com
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: rqrspom - rqrspom.dll
SEH: {22342b44-5b98-4b30-9d53-c182ad8df217} - c:\windows\system32\rqrspom.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\awvwt.dll

============= SERVICES / DRIVERS ===============

R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2003-11-7 71961]
S3 fa410;NETGEAR FA410TX Fast Ethernet PC Card Driver;c:\windows\system32\drivers\fa410nd5.sys [2003-11-7 24618]

=============== Created Last 30 ================

2009-02-05 19:56 46,592 a------- c:\windows\system32\win32.exe
2009-02-05 19:48 <DIR> --d----- c:\program files\Trend Micro
2009-02-05 19:01 1,558,515 ---sh--- c:\windows\system32\sfmtkuxc.ini
2009-02-05 19:01 85,056 a------- c:\windows\system32\cxuktmfs.dll
2009-02-05 19:01 123,456 a------- c:\windows\system32\xlihjp.dll
2009-02-05 19:01 123,456 a------- c:\windows\system32\asbdpcvn.dll
2009-02-04 21:37 872 a------- c:\windows\system32\winpfz33.sys
2009-02-04 21:36 548,940 a------- c:\windows\system32\rcnttkdj.exe
2009-02-04 21:07 <DIR> --d----- C:\KPCMS
2009-02-04 21:07 <DIR> --d----- c:\program files\common files\Kodak
2009-02-04 19:31 <DIR> --d----- c:\program files\IObit
2009-02-04 19:26 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-04 19:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

==================== Find3M ====================

2009-02-05 20:28 446,916 a--sh--- c:\windows\system32\twvwa.ini2
2007-08-26 19:14 66,248 a------- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 20:30:05.07 ===============



[attachment=13398:Attach.txt]

Not sure if the attach.txt is actually attached, but I tried. I am really good at following directions! Anyone that can help will be my hero!

BC AdBot (Login to Remove)

 


#2 bomber1712

bomber1712
  • Topic Starter

  • Members
  • 464 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Wisconsin, USA
  • Local time:02:34 PM

Posted 07 February 2009 - 04:29 PM

FYI-I will re-post. I was able to update the computer to SP2, run AVG, ad-aware, and spybot. Found and fixed alot, I think. I still have some re-occuring issues, but will put a new post with a new DDS and HJT log.

#3 bomber1712

bomber1712
  • Topic Starter

  • Members
  • 464 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Wisconsin, USA
  • Local time:02:34 PM

Posted 07 February 2009 - 10:45 PM

Title was: Trojan Downloader generic (6 variations); wimad.f; lop.4.a, I think I fixed all, but not sure. Someone PLZ look over my HJT Log
~ OB


I have a Sony Vaio running Win XP SP3. Had massive problems a couple of days ago. Ran windows updates, AVG, Spybot, and ad aware. Found over 70 trojans and other problems. Used the programs to clean/quarantine/repair.

I didn't do anything special, but now I don't get any strange behavior from the computer. AVG shows clean; spybot shows clean; ad-aware shows clean.

I have no idea how to read the following log, but I am pretty sure someone out there can take a quick look and let me know if I still have any problems.

Thanks in advance for your time and assistance.

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:29:29 PM, on 2/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerPanel.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Program Files\Macrium\Reflect\ReflectService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

--
End of file - 10316 bytes


DDS Log:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 21:31:55.58 on Sat 02/07/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.113 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sony.com/vaiopeople
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common

files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program

files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [PcSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [HKSERV.EXE] c:\program files\sony\hotkey utility\HKserv.exe
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [DataLayer] c:\program files\common files\pcsuite\datalayer\DataLayer.exe
mRun: [PCSuiteTrayApplication] c:\program files\nokia\nokia pc suite 6\LaunchApplication.exe -onlytray
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_01\bin\jusched.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital

imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital

imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft

office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\powerp~1.lnk - c:\program files\powerpanel\program\PcfMgr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBC} - c:\program

files\java\j2re1.4.2_01\bin\npjpi142_01.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} -

c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: storageguardsoft.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: storageguardsoft.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_01-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_01-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-7 64160]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2008-5-20 15328]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-6 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-6 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-6 107272]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-6 298264]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 950096]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2008-8-6

216032]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2003-11-7 71961]
S3 fa410;NETGEAR FA410TX Fast Ethernet PC Card Driver;c:\windows\system32\drivers\fa410nd5.sys [2003-11-7 24618]

=============== Created Last 30 ================


==================== Find3M ====================

2009-02-07 16:22 83,031 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-11 04:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2007-08-26 19:14 66,248 a------- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 21:33:25.47 ===============

Edited by Orange Blossom, 07 February 2009 - 11:40 PM.
Merged topics. ~ OB


#4 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:12:34 PM

Posted 14 February 2009 - 06:01 PM

Hello, bomber1712
:thumbup2: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the Posted Image button in the lower left hand corner of your screen.
We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

If this tool helped you, please consider a donation to it's author: Posted Image

How to run ComboFix:
  • Please download ComboFix from one of the following mirrors, and save it to your desktop.
  • Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
  • Double click Posted Image on your desktop.
  • Read and accept (Press Yes) to the disclaimer.
  • For Windows XP Systems: Install the Recovery Console:
    • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
    • When prompted to accept the EULA, press OK.
    • Accept Microsoft's EULA (Press Yes).
    • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
  • ComboFix will run. Simply wait for it to finish.
  • When it finishes, ComboFix will produce a log. Please post that log in your next reply here :step4:
NOTE: If ComboFix will not run, please rename it to GlobRemover.exe and try again!

In your next reply, please include the following:
  • ComboFix.txt

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#5 bomber1712

bomber1712
  • Topic Starter

  • Members
  • 464 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Wisconsin, USA
  • Local time:02:34 PM

Posted 15 February 2009 - 07:32 PM

I can't post the log inside the message, so I attached it. I was unable to close avg, so I ran combofix anyway. I will be eagerly awaiting your reply.

#6 bomber1712

bomber1712
  • Topic Starter

  • Members
  • 464 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Wisconsin, USA
  • Local time:02:34 PM

Posted 15 February 2009 - 07:37 PM

Can't upload log because it's too big (700 KB). Can't include in post cause it's too big. I zipped it and included it as an attachment.

ComboFix 09-02-15.01 - Owner 2009-02-15 17:25:55.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.225 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-01-15 to 2009-02-15 )))))))))))))))))))))))))))))))
.

2009-02-10 21:03 . 2009-02-10 21:04 1,374 --a------ c:\windows\imsins.BAK
2009-02-07 16:18 . 2009-02-07 16:18 <DIR> d-------- c:\windows\system32\scripting
2009-02-07 16:18 . 2009-02-07 16:18 <DIR> d-------- c:\windows\system32\en
2009-02-07 16:18 . 2009-02-07 16:18 <DIR> d-------- c:\windows\l2schemas
2009-02-07 15:38 . 2009-02-07 15:38 <DIR> d-------- c:\program files\MSXML 4.0
2009-02-07 14:56 . 2008-04-13 18:12 712,704 --------- c:\windows\system32\windowscodecs.dll
2009-02-07 14:56 . 2008-04-13 18:12 346,112 --------- c:\windows\system32\windowscodecsext.dll
2009-02-07 14:56 . 2008-04-13 18:12 276,992 --------- c:\windows\system32\wmphoto.dll
2009-02-07 14:56 . 2008-04-13 18:12 69,120 --------- c:\windows\system32\wlanapi.dll
2009-02-07 14:54 . 2008-04-13 18:11 397,312 --------- c:\windows\system32\mmcex.dll
2009-02-07 14:53 . 2008-04-13 18:11 650,752 --------- c:\windows\system32\dot3ui.dll
2009-02-07 14:16 . 2008-06-13 05:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-02-07 14:14 . 2008-08-14 04:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-07 14:14 . 2008-08-14 04:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-07 14:14 . 2008-08-14 03:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-07 14:14 . 2008-09-15 06:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2009-02-07 14:13 . 2008-08-14 03:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-07 14:11 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-02-07 14:11 . 2008-12-11 04:57 333,952 -----c--- c:\windows\system32\dllcache\srv.sys
2009-02-07 14:11 . 2008-05-08 08:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2009-02-07 14:10 . 2008-04-11 13:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2009-02-07 14:10 . 2008-05-01 08:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2009-02-07 14:08 . 2008-10-03 04:02 247,326 -----c--- c:\windows\system32\dllcache\strmdll.dll
2009-02-07 14:07 . 2008-10-15 10:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-02-07 12:56 . 2009-02-07 11:42 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-02-07 11:42 . 2009-02-07 11:42 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-02-07 11:42 . 2009-02-07 11:42 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-07 11:40 . 2009-02-07 11:40 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-07 11:39 . 2009-02-07 11:39 <DIR> d-------- c:\program files\Lavasoft
2009-02-07 11:39 . 2009-02-07 11:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-06 23:57 . 2009-02-06 23:57 <DIR> d-------- c:\program files\Windows Media Connect 2
2009-02-06 23:55 . 2009-02-06 23:55 <DIR> d-------- c:\windows\system32\LogFiles
2009-02-06 23:55 . 2009-02-06 23:56 <DIR> d-------- c:\windows\system32\drivers\UMDF
2009-02-06 23:42 . 2009-02-07 17:26 <DIR> d-------- c:\documents and settings\Owner\Application Data\IObit
2009-02-06 23:26 . 2008-12-20 17:15 6,066,688 -----c--- c:\windows\system32\dllcache\ieframe.dll
2009-02-06 23:26 . 2007-04-17 03:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2009-02-06 23:26 . 2007-03-07 23:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2009-02-06 23:26 . 2008-12-20 17:15 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2009-02-06 23:26 . 2008-12-20 17:15 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2009-02-06 23:26 . 2008-12-20 17:15 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2009-02-06 23:26 . 2008-12-20 17:15 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2009-02-06 23:26 . 2008-12-20 17:15 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2009-02-06 23:26 . 2008-12-19 03:10 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2009-02-06 23:22 . 2007-08-13 18:54 33,792 --a--c--- c:\windows\system32\dllcache\custsat.dll
2009-02-06 19:44 . 2009-02-10 21:44 <DIR> d--h----- C:\$AVG8.VAULT$
2009-02-06 19:43 . 2009-02-06 19:43 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-02-06 19:43 . 2009-02-06 19:43 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-02-06 19:43 . 2009-02-06 19:43 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-02-06 19:42 . 2009-02-15 17:20 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-02-06 19:42 . 2009-02-06 19:42 <DIR> d-------- c:\program files\AVG
2009-02-06 19:42 . 2009-02-06 22:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-02-06 18:58 . 2009-02-06 18:58 <DIR> d-------- c:\windows\provisioning
2009-02-06 18:58 . 2009-02-07 16:18 <DIR> d-------- c:\windows\peernet
2009-02-06 18:56 . 2009-02-07 16:19 <DIR> d-------- c:\windows\ServicePackFiles
2009-02-06 18:51 . 2009-02-07 16:04 <DIR> d-------- c:\windows\EHome
2009-02-06 18:38 . 2009-02-06 18:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Macrium
2009-02-06 18:34 . 2009-02-06 18:34 <DIR> d-------- c:\program files\Macrium
2009-02-06 06:40 . 2009-02-06 06:40 275 --a------ c:\windows\wininit.ini
2009-02-05 19:48 . 2009-02-05 19:48 <DIR> d-------- c:\program files\Trend Micro
2009-02-05 19:22 . 2003-11-10 14:14 <DIR> d-------- c:\documents and settings\Administrator.VALUED-26C5C9DD\Application Data\Sony Corporation
2009-02-05 19:22 . 2009-02-06 19:43 <DIR> d-------- c:\documents and settings\Administrator.VALUED-26C5C9DD
2009-02-04 21:07 . 2009-02-04 21:07 <DIR> d-------- c:\program files\Apple Software Update
2009-02-04 21:07 . 2009-02-04 21:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-02-04 19:41 . 2003-11-10 14:14 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sony Corporation
2009-02-04 19:41 . 2009-02-04 21:07 <DIR> d---s---- c:\documents and settings\Administrator
2009-02-04 19:31 . 2009-02-07 17:25 <DIR> d-------- c:\program files\IObit
2009-02-04 19:26 . 2009-02-05 22:45 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-04 19:26 . 2009-02-06 06:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-07 17:20 --------- d-----w c:\program files\Kodak
2009-02-07 04:48 --------- d-----w c:\documents and settings\Owner\Application Data\Move Networks
2009-02-06 02:57 --------- d-----w c:\documents and settings\All Users\Application Data\CA
2009-02-06 01:40 --------- d-----w c:\documents and settings\All Users\Application Data\Kodak
2009-02-05 03:07 --------- d-----w c:\program files\Google
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2007-08-27 01:14 66,248 ----a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-02-06_23.17.35.14 )))))))))))))))))))))))))))))))))))))))))

REMOVED BY BILLY3

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-14 68856]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2005-06-24 860160]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-01-09 2262352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-09-19 114688]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-30 335872]
"HKSERV.EXE"="c:\program files\Sony\HotKey Utility\HKserv.exe" [2003-08-14 90112]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-19 28672]
"DataLayer"="c:\program files\Common Files\PCSuite\DataLayer\DataLayer.exe" [2005-06-07 819712]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2005-06-29 176128]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_01\bin\jusched.exe" [2003-08-19 32873]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-06 1601304]
"ezShieldProtector for Px"="c:\windows\system32\ezSP_Px.exe" [2002-08-20 40960]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-07 509784]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 c:\windows\system32\Ati2mdxx.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 28672]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
PowerPanel.lnk - c:\program files\PowerPanel\Program\PcfMgr.exe [2003-11-10 872448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-06 19:43 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= c:\progra~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-07 64160]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2008-05-20 15328]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-06 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-02-06 107272]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-06 298264]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [2008-08-06 216032]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2003-11-07 71961]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
S3 fa410;NETGEAR FA410TX Fast Ethernet PC Card Driver;c:\windows\system32\drivers\fa410nd5.sys [2003-11-07 24618]
.
Contents of the 'Scheduled Tasks' folder

2009-02-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-07 11:41]

2007-06-10 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1167091653.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-05 23:52]

2006-06-10 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2008-04-13 18:12]

2006-06-10 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2008-04-13 18:12]

2006-06-10 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2008-04-13 18:12]

2009-02-07 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-01-14 13:15]

2009-02-07 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\ [2009-02-07 17:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sony.com/vaiopeople
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: storageguardsoft.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: storageguardsoft.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-15 17:28:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence"="REMOVED"
"Licence0"="04F0D21-79D8-7A25-D702-433F"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-15 17:29:57
ComboFix-quarantined-files.txt 2009-02-15 23:29:54
ComboFix2.txt 2009-02-07 05:19:14

Pre-Run: 37,068,165,120 bytes free
Post-Run: 37,064,548,352 bytes free

8937 --- E O F --- 2009-02-11 03:11:36

Edited by Billy O'Neal, 16 February 2009 - 04:03 PM.


#7 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:12:34 PM

Posted 16 February 2009 - 04:24 PM

Hello, bomber1712
We need to re-run ComboFix with some additonal directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    http://www.bleepingcomputer.com/forums/t/200978/too-many-problems-to-list/
    suspect::[54]
    c:\windows\system32\drivers\SonyPI.sys
    DDS::
    Trusted Zone: gomyhit.com
    Trusted Zone: imageservr.com
    Trusted Zone: imagesrvr.com
    Trusted Zone: storageguardsoft.com
    Trusted Zone: gomyhit.com
    Trusted Zone: imageservr.com
    Trusted Zone: imagesrvr.com
    Trusted Zone: storageguardsoft.com
    RegNull::
    [HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Posted Image
    Refering to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box infront of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and chose "select all" (or use +A)
  • Right-click again and chose "Copy" (or +C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)

In your next reply, please include the following:
  • ComboFix.txt
  • ESET OnlineScan's Log

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#8 bomber1712

bomber1712
  • Topic Starter

  • Members
  • 464 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Wisconsin, USA
  • Local time:02:34 PM

Posted 16 February 2009 - 10:25 PM

First of all, Billy, THANKS!! I really appreciate your help in all of this! (should have said that in the last post, sorry!)

Now for the fireworks...ComboFix Log>>>>>>>>>>>>>>>>>>>>>>>

ComboFix 09-02-15.01 - Owner 2009-02-16 20:26:47.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.197 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2009-01-17 to 2009-02-17 )))))))))))))))))))))))))))))))
.

2009-02-16 08:05 . 2009-02-16 08:05 270 --ah----- C:\aaw7boot.cmd
2009-02-15 18:36 . 2009-02-15 18:36 87,705 --a------ C:\ComboFix.zip
2009-02-10 21:03 . 2009-02-10 21:04 1,374 --a------ c:\windows\imsins.BAK
2009-02-07 16:18 . 2009-02-07 16:18 <DIR> d-------- c:\windows\system32\scripting
2009-02-07 16:18 . 2009-02-07 16:18 <DIR> d-------- c:\windows\system32\en
2009-02-07 16:18 . 2009-02-07 16:18 <DIR> d-------- c:\windows\l2schemas
2009-02-07 15:38 . 2009-02-07 15:38 <DIR> d-------- c:\program files\MSXML 4.0
2009-02-07 14:56 . 2008-04-13 18:12 712,704 --------- c:\windows\system32\windowscodecs.dll
2009-02-07 14:56 . 2008-04-13 18:12 346,112 --------- c:\windows\system32\windowscodecsext.dll
2009-02-07 14:56 . 2008-04-13 18:12 276,992 --------- c:\windows\system32\wmphoto.dll
2009-02-07 14:56 . 2008-04-13 18:12 69,120 --------- c:\windows\system32\wlanapi.dll
2009-02-07 14:54 . 2008-04-13 18:11 397,312 --------- c:\windows\system32\mmcex.dll
2009-02-07 14:53 . 2008-04-13 18:11 650,752 --------- c:\windows\system32\dot3ui.dll
2009-02-07 14:16 . 2008-06-13 05:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-02-07 14:14 . 2008-08-14 04:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-07 14:14 . 2008-08-14 04:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-07 14:14 . 2008-08-14 03:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-07 14:14 . 2008-09-15 06:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2009-02-07 14:13 . 2008-08-14 03:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-07 14:11 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-02-07 14:11 . 2008-12-11 04:57 333,952 -----c--- c:\windows\system32\dllcache\srv.sys
2009-02-07 14:11 . 2008-05-08 08:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2009-02-07 14:10 . 2008-04-11 13:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2009-02-07 14:10 . 2008-05-01 08:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2009-02-07 14:08 . 2008-10-03 04:02 247,326 -----c--- c:\windows\system32\dllcache\strmdll.dll
2009-02-07 14:07 . 2008-10-15 10:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-02-07 12:56 . 2009-02-07 11:42 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-02-07 11:42 . 2009-02-07 11:42 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-02-07 11:42 . 2009-02-07 11:42 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-07 11:40 . 2009-02-07 11:40 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-07 11:39 . 2009-02-07 11:39 <DIR> d-------- c:\program files\Lavasoft
2009-02-07 11:39 . 2009-02-07 11:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-06 23:57 . 2009-02-06 23:57 <DIR> d-------- c:\program files\Windows Media Connect 2
2009-02-06 23:55 . 2009-02-06 23:55 <DIR> d-------- c:\windows\system32\LogFiles
2009-02-06 23:55 . 2009-02-06 23:56 <DIR> d-------- c:\windows\system32\drivers\UMDF
2009-02-06 23:42 . 2009-02-07 17:26 <DIR> d-------- c:\documents and settings\Owner\Application Data\IObit
2009-02-06 23:26 . 2008-12-20 17:15 6,066,688 -----c--- c:\windows\system32\dllcache\ieframe.dll
2009-02-06 23:26 . 2007-04-17 03:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2009-02-06 23:26 . 2007-03-07 23:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2009-02-06 23:26 . 2008-12-20 17:15 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2009-02-06 23:26 . 2008-12-20 17:15 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2009-02-06 23:26 . 2008-12-20 17:15 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2009-02-06 23:26 . 2008-12-20 17:15 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2009-02-06 23:26 . 2008-12-20 17:15 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2009-02-06 23:26 . 2008-12-19 03:10 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2009-02-06 23:22 . 2007-08-13 18:54 33,792 --a--c--- c:\windows\system32\dllcache\custsat.dll
2009-02-06 19:44 . 2009-02-10 21:44 <DIR> d--h----- C:\$AVG8.VAULT$
2009-02-06 19:43 . 2009-02-06 19:43 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-02-06 19:43 . 2009-02-06 19:43 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-02-06 19:43 . 2009-02-06 19:43 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-02-06 19:42 . 2009-02-16 17:58 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-02-06 19:42 . 2009-02-06 19:42 <DIR> d-------- c:\program files\AVG
2009-02-06 19:42 . 2009-02-06 22:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-02-06 18:58 . 2009-02-06 18:58 <DIR> d-------- c:\windows\provisioning
2009-02-06 18:58 . 2009-02-07 16:18 <DIR> d-------- c:\windows\peernet
2009-02-06 18:56 . 2009-02-07 16:19 <DIR> d-------- c:\windows\ServicePackFiles
2009-02-06 18:51 . 2009-02-07 16:04 <DIR> d-------- c:\windows\EHome
2009-02-06 18:38 . 2009-02-06 18:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Macrium
2009-02-06 18:34 . 2009-02-06 18:34 <DIR> d-------- c:\program files\Macrium
2009-02-06 06:40 . 2009-02-06 06:40 275 --a------ c:\windows\wininit.ini
2009-02-05 19:48 . 2009-02-05 19:48 <DIR> d-------- c:\program files\Trend Micro
2009-02-05 19:22 . 2003-11-10 14:14 <DIR> d-------- c:\documents and settings\Administrator.VALUED-26C5C9DD\Application Data\Sony Corporation
2009-02-05 19:22 . 2009-02-06 19:43 <DIR> d-------- c:\documents and settings\Administrator.VALUED-26C5C9DD
2009-02-04 21:07 . 2009-02-04 21:07 <DIR> d-------- c:\program files\Apple Software Update
2009-02-04 21:07 . 2009-02-04 21:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-02-04 19:41 . 2003-11-10 14:14 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sony Corporation
2009-02-04 19:41 . 2009-02-04 21:07 <DIR> d---s---- c:\documents and settings\Administrator
2009-02-04 19:31 . 2009-02-07 17:25 <DIR> d-------- c:\program files\IObit
2009-02-04 19:26 . 2009-02-05 22:45 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-04 19:26 . 2009-02-06 06:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-17 00:26 --------- d-----w c:\program files\Google
2009-02-07 17:20 --------- d-----w c:\program files\Kodak
2009-02-07 04:48 --------- d-----w c:\documents and settings\Owner\Application Data\Move Networks
2009-02-06 02:57 --------- d-----w c:\documents and settings\All Users\Application Data\CA
2009-02-06 01:40 --------- d-----w c:\documents and settings\All Users\Application Data\Kodak
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2007-08-27 01:14 66,248 ----a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( SnapShot_2009-02-15_17.28.42.76 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-11 03:10:44 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-16 03:09:20 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-11 03:10:44 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-16 03:09:20 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-11 03:10:44 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-16 03:09:20 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-14 68856]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2005-06-24 860160]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-01-09 2262352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-09-19 114688]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-30 335872]
"HKSERV.EXE"="c:\program files\Sony\HotKey Utility\HKserv.exe" [2003-08-14 90112]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-19 28672]
"DataLayer"="c:\program files\Common Files\PCSuite\DataLayer\DataLayer.exe" [2005-06-07 819712]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2005-06-29 176128]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_01\bin\jusched.exe" [2003-08-19 32873]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-06 1601304]
"ezShieldProtector for Px"="c:\windows\system32\ezSP_Px.exe" [2002-08-20 40960]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-07 509784]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 c:\windows\system32\Ati2mdxx.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 28672]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
PowerPanel.lnk - c:\program files\PowerPanel\Program\PcfMgr.exe [2003-11-10 872448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-06 19:43 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= c:\progra~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-07 64160]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2008-05-20 15328]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-06 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-02-06 107272]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-06 298264]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [2008-08-06 216032]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2003-11-07 71961]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
S3 fa410;NETGEAR FA410TX Fast Ethernet PC Card Driver;c:\windows\system32\drivers\fa410nd5.sys [2003-11-07 24618]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GUSVC
.
Contents of the 'Scheduled Tasks' folder

2009-02-16 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-07 11:41]

2007-06-10 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1167091653.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-05 23:52]

2006-06-10 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2008-04-13 18:12]

2006-06-10 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2008-04-13 18:12]

2006-06-10 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2008-04-13 18:12]

2009-02-07 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-01-14 13:15]

2009-02-07 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\ [2009-02-07 17:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sony.com/vaiopeople
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: storageguardsoft.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: storageguardsoft.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-16 20:28:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence"="REMOVED"
"Licence0"="04F0D21-79D8-7A25-D702-433F"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(856)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-16 20:30:25
ComboFix-quarantined-files.txt 2009-02-17 02:30:22
ComboFix2.txt 2009-02-15 23:29:59
ComboFix3.txt 2009-02-07 05:19:14

Pre-Run: 37,085,929,472 bytes free
Post-Run: 37,078,233,088 bytes free

209 --- E O F --- 2009-02-11 03:11:36



And the Eset log>>>>>>>>>>>>>

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3858 (20090216)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=0eaf2e1b3b77df449e88492fb32e0c66
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-02-17 03:18:52
# local_time=2009-02-16 09:18:52 (-0600, Central Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=343974
# found=3
# scan_time=2135
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl1.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000


I will be eagerly awaiting my next instructions!

#9 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:12:34 PM

Posted 17 February 2009 - 04:54 PM

Hello, bomber1712
Congratulations! You now appear clean! :thumbup2:

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware
We Need to Remove ComboFix
  • Please go to Start -> Run
  • Enter "ComboFix /u" (without quotes). Note the space betwen "ComboFix" and "/u", it needs to be there.
    Posted Image
  • Press OK (Or hit enter).
  • Allow ComboFix to remove itself.
We Need to Clean Up Our Mess
  • Please download OTCleanIt from one of the following mirrors and save it to your desktop:
  • Double click the Posted Image icon.
  • Push the large "Cleanup" button.
  • Allow your system to reboot.
Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automaticly if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    • Click the "Start Menu" (or Windows Orb)
    • Click "All Programs"
    • Click "Windows Update"
    • On the left, choose "Change Settings"
    • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    • Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    • Click "Check for Updates" in the upper left corner.
    • Follow the instructions to install the latest updates.
    • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :).
BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#10 bomber1712

bomber1712
  • Topic Starter

  • Members
  • 464 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Wisconsin, USA
  • Local time:02:34 PM

Posted 17 February 2009 - 11:33 PM

Billy,

Thank you so much! I am so grateful to you for helping me with this computer. Not sure what we did, but if you say it's fixed, I'll believe it!

Sincerely,

Bomber1712

#11 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:12:34 PM

Posted 17 February 2009 - 11:48 PM

Hello, bomber1712
Since this issue appears resolved, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users