AntivirusPro_2010


This topic is locked.

#1 dougie77

  • Members
  • 4 posts

Posted 08 September 2009 - 09:02 PM

I've had this on my computer for a few days. I've tried removing it with the updated Malwarebytes Anti-Malware program, but it will not remove all of the programs and the virus reappears upon a restart. Any ideas what the next steps are? I appreciate any help anyone can provide.

Thank you,
Doug

Log files below:


DDS (Ver_09-07-30.01) - NTFSx86
Run by Doug at 21:31:05.57 on Tue 09/08/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1009 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system\wcdvtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\sys32_nov.exe
C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Everyday Auto Backup\AutoBackup.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Documents and Settings\Doug\sys32_nov.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\Program Files\iPod\bin\iPodService.exe
svchost
C:\WINDOWS\Temp\wpv871252409370.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\9129837.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Last.fm\LastFM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Doug\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [Aim6]
uRun: [Everyday Auto Backup] c:\program files\everyday auto backup\AutoBackup.exe /1
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [sys32_nov] c:\windows\temp\wpv871252409370.exe
uRun: [ttool] c:\windows\9129837.exe
uRun: [braviax]
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [OWCWebCamDV] c:\windows\system\wcdvtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Regedit32] c:\windows\system32\regedit.exe
mRun: [sys32_nov] c:\windows\system32\sys32_nov.exe
mRun: [Antivirus Pro 2010] "c:\program files\antiviruspro_2010\AntivirusPro_2010.exe" /hide
mRun: [braviax]
dRun: [brastk] c:\windows\system32\brastk.exe
StartupFolder: c:\documents and settings\doug\start menu\programs\startup\ikowin32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\everyd~1.lnk - c:\program files\everyday auto backup\AutoBackup.exe
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: Transfer by Image Converter 2 - c:\program files\sony\image converter 2\menu.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: cru629.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli avd12E.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\doug\applic~1\mozilla\firefox\profiles\ppnxso1v.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XUL Cache: {D488A00A-B74B-4E84-B3E5-450ADC7C1851} - c:\documents and settings\doug\local settings\application data\{D488A00A-B74B-4E84-B3E5-450ADC7C1851}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-29 24652]
R2 WebCamDV;WebCamDV DV to Webcam Converter;c:\windows\system32\drivers\WebCamDV.sys [2004-9-17 212608]
R3 WCDV_Aud;WevCamDV WDM Virtual Audio Device;c:\windows\system32\drivers\wcdvaud.sys [2004-9-17 12672]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-11-27 33752]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]

=============== Created Last 30 ================

2009-09-08 20:30 29,184 ac------ c:\windows\system32\dllcache\beep.sys
2009-09-08 20:30 29,184 a------- c:\windows\system32\drivers\beep.sys
2009-09-08 20:30 11,264 a------- c:\windows\system32\braviax.exe
2009-09-08 20:30 29,184 ac------ c:\windows\system32\dllcache\figaro.sys
2009-09-08 20:30 65,536 a------- c:\windows\9129837.exe
2009-09-08 20:30 16,851 a------- c:\windows\tuvacovu.sys
2009-09-08 20:30 13,643 a------- c:\docume~1\alluse~1\applic~1\ojuxul.vbs
2009-09-08 20:30 12,868 a------- c:\docume~1\doug\applic~1\dywato.vbs
2009-09-08 20:30 11,739 a------- c:\program files\common files\yqaquwatix.reg
2009-09-08 20:30 19,294 a------- c:\windows\system32\ytutosym.com
2009-09-08 20:30 19,013 a------- c:\program files\common files\osigoh.vbs
2009-09-08 20:30 18,976 a------- c:\windows\nefymoqo.sys
2009-09-08 20:30 18,167 a------- c:\windows\ymulefi.com
2009-09-08 20:30 12,168 a------- c:\windows\guxym._sy
2009-09-08 20:30 11,680 a------- c:\windows\ziqoj.pif
2009-09-08 19:38 13,650 a------- c:\docume~1\doug\applic~1\cijyr.reg
2009-09-08 19:38 13,444 a------- c:\windows\nabanu.exe
2009-09-08 19:38 11,438 a------- c:\windows\system32\kesonygeno._dl
2009-09-08 19:38 11,410 a------- c:\program files\common files\biveriku.vbs
2009-09-08 19:38 11,340 a------- c:\windows\katonogyq.dat
2009-09-08 19:38 10,976 a------- c:\docume~1\alluse~1\applic~1\digukuse.bin
2009-09-08 19:38 10,851 a------- c:\windows\system32\losasuxi.inf
2009-09-08 19:38 18,938 a------- c:\program files\common files\zoxi.scr
2009-09-08 19:38 17,047 a------- c:\windows\negy.bin
2009-09-08 19:38 15,402 a------- c:\windows\system32\nesejo.exe
2009-09-08 19:38 15,010 a------- c:\program files\common files\xuzyxebiwi.dat
2009-09-08 19:38 14,362 a------- c:\docume~1\alluse~1\applic~1\konazec.bin
2009-09-08 19:38 <DIR> --d----- c:\program files\AntivirusPro_2010
2009-09-08 19:32 29,216 a------- c:\windows\system32\sys32_nov.exe
2009-09-04 07:26 11,151 a------- c:\windows\foce.inf
2009-09-03 22:35 120 a------- c:\windows\Cleya.dat
2009-09-03 22:12 19,981 a------- c:\windows\umyqehudi.inf
2009-09-03 22:12 19,416 a------- c:\docume~1\alluse~1\applic~1\ykyruxu.scr
2009-09-03 22:12 18,919 a------- c:\windows\vygyguqawy.exe
2009-09-03 22:12 18,326 a------- c:\docume~1\doug\applic~1\namywaqaf.pif
2009-09-03 22:12 16,512 a------- c:\program files\common files\tucu.bin
2009-09-03 22:12 16,374 a------- c:\windows\exynyzis.sys
2009-09-03 22:12 15,802 a------- c:\windows\pesy.scr
2009-09-03 22:12 13,963 a------- c:\windows\sypiqeryp.bin
2009-09-03 22:12 13,894 a------- c:\windows\hukekifo.dl
2009-09-03 22:12 12,299 a------- c:\windows\myqok.lib
2009-09-03 22:12 11,950 a------- c:\docume~1\doug\applic~1\isafopo.bin
2009-09-03 22:12 11,690 a------- c:\docume~1\doug\applic~1\orewil.scr
2009-09-03 22:06 94,272 ac------ c:\windows\system32\dllcache\agp440.sys
2009-09-03 22:05 29,216 a------- c:\documents and settings\doug\sys32_nov.exe
2009-08-15 12:00 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-08-15 03:04 <DIR> --d----- c:\windows\SxsCaPendDel
2009-08-12 08:29 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 08:29 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll

==================== Find3M ====================

2009-09-08 20:30 94,272 a------- c:\windows\system32\drivers\agp440.sys
2009-09-08 20:30 14,178 a------- c:\program files\common files\itewed.inf
2009-09-08 19:38 13,665 a------- c:\program files\common files\ubakuk._sy
2009-09-08 19:38 13,075 a------- c:\program files\common files\gihomuham._dl
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-06-26 12:50 666,624 a------- c:\windows\system32\wininet.dll
2009-06-26 12:50 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 08:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2008-11-08 18:05 19,108 a------- c:\program files\common files\etycu.bat
2008-11-08 18:05 18,408 a------- c:\docume~1\doug\applic~1\uxahutazuq.bin
2008-11-08 18:05 16,250 a------- c:\program files\common files\coro.vbs
2008-11-08 18:05 12,393 a------- c:\program files\common files\habydibu.dl
2008-11-08 18:05 11,197 a------- c:\docume~1\alluse~1\applic~1\yderybumyj.exe
2008-11-07 19:33 19,277 a------- c:\docume~1\doug\applic~1\owaxukekej.dat
2008-11-07 19:33 14,890 a------- c:\docume~1\doug\applic~1\opilaleg.sys
2008-11-07 19:33 14,737 a------- c:\program files\common files\ojajajul.pif
2008-11-07 19:33 12,853 a------- c:\program files\common files\yqaxuxutu.reg
2008-11-07 19:33 15,472 a------- c:\docume~1\alluse~1\applic~1\nalubity.dat
2008-11-07 19:33 15,340 a------- c:\docume~1\alluse~1\applic~1\wapi.dll
2008-11-07 09:43 17,958 a------- c:\docume~1\doug\applic~1\jexisik.com
2008-11-07 09:43 16,254 a------- c:\docume~1\doug\applic~1\odyciny.vbs
2008-11-07 09:43 13,092 a------- c:\docume~1\alluse~1\applic~1\arene.com
2008-11-07 09:43 12,944 a------- c:\program files\common files\rizu.bat
2008-11-07 09:43 12,435 a------- c:\program files\common files\obixa.vbs
2008-11-03 07:50 14,483 a------- c:\program files\common files\tusyhow.db
2008-11-03 07:50 19,361 a------- c:\program files\common files\ciji.scr
2008-11-03 07:50 18,954 a------- c:\program files\common files\zymyvig.ban
2008-11-03 07:50 16,310 a------- c:\docume~1\alluse~1\applic~1\izigasof.com
2008-11-03 07:50 11,555 a------- c:\docume~1\doug\applic~1\jyfu.pif
2008-11-03 07:50 11,227 a------- c:\program files\common files\qokyvuxim.scr
2008-11-03 07:50 18,322 a------- c:\program files\common files\nujyq.ban
2008-11-03 07:50 14,554 a------- c:\program files\common files\epamo._dl
2007-10-31 15:09 1,105,920 a------- c:\documents and settings\doug\iTunesMobileDevice.dll
2007-03-25 19:46 56,912 a------- c:\documents and settings\doug\g2mdlhlpx.exe

============= FINISH: 21:31:57.21 ===============
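To show how a helper reads a log like the one above, here is an added triage script; it is not part of this thread and is not DDS or BleepingComputer code. It parses the autorun entries and the "Created Last 30" section of a DDS log and flags the entries a helper would look at first; the rule set, the rogue-name list and the sample lines (copied from the log above) are this example's own assumptions.

```python
"""Added triage helper for a DDS log. Not part of this thread, of DDS or of
BleepingComputer: the parsing rules, KNOWN_ROGUE and the sample below are this
example's own assumptions (sample lines copied from the log above)."""
import re
from typing import Dict, List

# Constructed sample: a handful of entries copied from the DDS log above.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [sys32_nov] c:\windows\temp\wpv871252409370.exe
uRun: [ttool] c:\windows\9129837.exe
uRun: [braviax]
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Regedit32] c:\windows\system32\regedit.exe
mRun: [Antivirus Pro 2010] "c:\program files\antiviruspro_2010\AntivirusPro_2010.exe" /hide
AppInit_DLLs: cru629.dat
LSA: Notification Packages = scecli avd12E.dll

=============== Created Last 30 ================

2009-09-08 20:30 11,264 a------- c:\windows\system32\braviax.exe
2009-09-08 20:30 65,536 a------- c:\windows\9129837.exe
2009-09-08 20:30 13,643 a------- c:\docume~1\alluse~1\applic~1\ojuxul.vbs
2009-09-08 20:30 29,184 a------- c:\windows\system32\drivers\beep.sys
2009-08-15 12:00 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# uRun/mRun/dRun: [entry name] optional command line
RUN_RE = re.compile(r"^[umd]Run: \[([^\]]*)\](?:\s+(.*))?$")
# date time size attributes path
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} ([\d,]+|<DIR>) \S+ (.+)$")
# Directories where a freshly created executable deserves a look (assumption).
WATCH_DIR_RE = re.compile(
    r"^c:\\(windows|windows\\system32|windows\\system32\\drivers"
    r"|program files\\common files|docume~1\\[^\\]+\\applic~1)$")
EXEC_EXT = {".exe", ".sys", ".dll", ".com", ".pif", ".scr", ".bat", ".vbs", ".reg", ".inf", ".dl"}
# Rogue security product named in this thread (assumed list of lowercase file stems).
KNOWN_ROGUE = {"antiviruspro_2010"}


def _exe_path(command: str) -> str:
    """Lowercase executable path from a Run value, without quotes or arguments."""
    m = re.match(r'"([^"]+)"|(\S+)', command)
    return (m.group(1) or m.group(2)).lower()


def check_run(command: str) -> List[str]:
    """Heuristics for one autorun entry; returns the reasons it is worth a look."""
    if not command:
        return ["autorun entry with no visible command (value hidden, empty or already removed)"]
    reasons = []
    parent, _, base = _exe_path(command).rpartition("\\")
    if parent in (r"c:\windows", r"c:\windows\temp"):
        reasons.append("launches from the Windows root or Temp folder")
    if sum(ch.isdigit() for ch in base) >= 6:
        reasons.append("mostly numeric file name")
    if base.rsplit(".", 1)[0] in KNOWN_ROGUE:
        reasons.append("rogue security product named in this thread")
    return reasons


def check_created(path: str) -> List[str]:
    """Flag a newly created executable, script or driver in a watched directory."""
    parent, _, base = path.lower().rpartition("\\")
    ext = "." + base.rsplit(".", 1)[1] if "." in base else ""
    if (ext in EXEC_EXT or ext.startswith("._")) and WATCH_DIR_RE.match(parent):
        return ["new executable, script or driver dropped directly into " + parent]
    return []


def triage(log_text: str) -> List[Dict]:
    """Walk the log and return the entries a helper would examine first."""
    findings, section = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        reasons: List[str] = []
        m = RUN_RE.match(line)
        if m:
            reasons = check_run(m.group(2) or "")
        elif line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            reasons = ["AppInit_DLLs set: the DLL is loaded into every process that loads user32.dll"]
        elif line.startswith("LSA: Notification Packages"):
            extra = [p for p in line.split("=", 1)[1].split() if p.lower() != "scecli"]
            if extra:
                reasons = ["non-default LSA notification package: " + ", ".join(extra)]
        elif section in ("Created Last 30", "Find3M"):
            m = CREATED_RE.match(line)
            if m and m.group(1) != "<DIR>":
                reasons = check_created(m.group(2))
        if reasons:
            findings.append({"section": section, "line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['line']}\n    -> " + "; ".join(f["reasons"]))
```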


#2 Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 09 September 2009 - 11:53 AM

Hi Doug,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Download RootRepeal.exe from one of these download locations and save it to your desktop:
http://download.bleepingcomputer.com/rootr.../RootRepeal.exe
http://ad13.geekstogo.com/RootRepeal.exe
http://rootrepeal.psikotick.com/RootRepeal.exe
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Click Ok.
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


#3 dougie77
  • Topic Starter

  • Members
  • 4 posts

Posted 09 September 2009 - 05:36 PM

The file is attached. Thanks so much for your help. Doug

Attached Files

  • Attached file: ark.txt (3.71KB)


#4 Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 10 September 2009 - 12:27 AM

Please copy and paste the logs.

This time we want to run ComboFix. This is a major step. Please be precise: make sure you rename it and save it on your desktop, and let it download and install the Recovery Console.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


#5 dougie77
  • Topic Starter

  • Members
  • 4 posts

Posted 10 September 2009 - 03:20 AM

Thank you so much for your reply. I tried running combo-fix and it prompted me to disable AVG Anti-virus free. I do not have this running on my system, so I am not sure why it is detecting this. I proceeded anyway and the log file is below. Please let me know what the next steps are. Thank you.

ComboFix 09-09-09.04 - Doug 09/10/2009 3:52.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.983 [GMT -4:00]
Running from: c:\documents and settings\Doug\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\bold.log
c:\documents and settings\All Users\Application Data\16925314
c:\documents and settings\All Users\Application Data\16925314\16925314
c:\documents and settings\All Users\Application Data\16925314\16925314.exe
c:\documents and settings\All Users\Application Data\16925314\pc16925314ins
c:\documents and settings\All Users\Application Data\digukuse.bin
c:\documents and settings\All Users\Application Data\hatu.inf
c:\documents and settings\All Users\Application Data\ipefydog.dl
c:\documents and settings\All Users\Application Data\konazec.bin
c:\documents and settings\All Users\Application Data\ojuxul.vbs
c:\documents and settings\All Users\Application Data\xugyfanec.bin
c:\documents and settings\All Users\Application Data\ykyruxu.scr
c:\documents and settings\All Users\Application Data\yniko._dl
c:\documents and settings\All Users\Documents\abokylifo.pif
c:\documents and settings\All Users\Documents\dapuv.bat
c:\documents and settings\All Users\Documents\erepebo.vbs
c:\documents and settings\All Users\Documents\igedigaq.dl
c:\documents and settings\All Users\Documents\kanal.dl
c:\documents and settings\All Users\Documents\lusyba.reg
c:\documents and settings\All Users\Documents\ninyso.reg
c:\documents and settings\All Users\Documents\orypit.dl
c:\documents and settings\All Users\Documents\otafozuj.reg
c:\documents and settings\All Users\Documents\qopi.inf
c:\documents and settings\All Users\Documents\qyzobyxuw.sys
c:\documents and settings\All Users\Documents\uzevu.bat
c:\documents and settings\All Users\Documents\yjaqasyqo.bin
c:\documents and settings\Doug\Application Data\cijyr.reg
c:\documents and settings\Doug\Application Data\cipyt.dl
c:\documents and settings\Doug\Application Data\dezyxeba.inf
c:\documents and settings\Doug\Application Data\dywato.vbs
c:\documents and settings\Doug\Application Data\isafopo.bin
c:\documents and settings\Doug\Application Data\kimejug.lib
c:\documents and settings\Doug\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\Doug\Application Data\namywaqaf.pif
c:\documents and settings\Doug\Application Data\odyciny.vbs
c:\documents and settings\Doug\Application Data\orewil.scr
c:\documents and settings\Doug\Application Data\wiaserva.log
c:\documents and settings\Doug\Desktop\Total Security 2009.lnk
c:\documents and settings\Doug\Local Settings\Application Data\axygevu.inf
c:\documents and settings\Doug\Local Settings\Application Data\eceduqyke.sys
c:\documents and settings\Doug\Local Settings\Application Data\suvi.bat
c:\documents and settings\Doug\Local Settings\Application Data\uqitepyno.exe
c:\documents and settings\Doug\Local Settings\Temporary Internet Files\doqusu.reg
c:\documents and settings\Doug\Local Settings\Temporary Internet Files\esivufo._dl
c:\documents and settings\Doug\Local Settings\Temporary Internet Files\evafuh.lib
c:\documents and settings\Doug\Local Settings\Temporary Internet Files\gyjezemexu._dl
c:\documents and settings\Doug\Local Settings\Temporary Internet Files\gyvyc._sy
c:\documents and settings\Doug\Local Settings\Temporary Internet Files\ipuqi.dll
c:\documents and settings\Doug\Local Settings\Temporary Internet Files\ixezimu.exe
c:\documents and settings\Doug\Local Settings\Temporary Internet Files\kumun.inf
c:\documents and settings\Doug\Local Settings\Temporary Internet Files\melexyjanu.dll
c:\documents and settings\Doug\Local Settings\Temporary Internet Files\noteqat._sy
c:\documents and settings\Doug\Local Settings\Temporary Internet Files\oxegyfyf.db
c:\documents and settings\Doug\Local Settings\Temporary Internet Files\pereb.scr
c:\documents and settings\Doug\Local Settings\Temporary Internet Files\pyvymyme.pif
c:\documents and settings\Doug\Local Settings\Temporary Internet Files\qatumuva.db
c:\documents and settings\Doug\Local Settings\Temporary Internet Files\qute.pif
c:\documents and settings\Doug\Local Settings\Temporary Internet Files\tefebe.scr
c:\documents and settings\Doug\Local Settings\Temporary Internet Files\utoto.com
c:\documents and settings\Doug\Local Settings\Temporary Internet Files\zaky.scr
c:\documents and settings\Doug\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\Doug\Start Menu\Programs\Startup\ikowin32.exe
c:\documents and settings\Doug\Start Menu\Programs\Total Security
c:\documents and settings\Doug\Start Menu\Programs\Total Security\Total Security 2009.lnk
c:\documents and settings\Doug\sys32_nov.exe
c:\program files\Common Files\biveriku.vbs
c:\program files\Common Files\coro.vbs
c:\program files\Common Files\etycu.bat
c:\program files\Common Files\gihomuham._dl
c:\program files\Common Files\itewed.inf
c:\program files\Common Files\obixa.vbs
c:\program files\Common Files\osigoh.vbs
c:\program files\Common Files\rizu.bat
c:\program files\Common Files\tucu.bin
c:\program files\Common Files\yqaquwatix.reg
c:\program files\Common Files\yqaxuxutu.reg
c:\program files\Common Files\zoxi.scr
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\recycler\S-1-5-21-117609710-1220945662-839522115-500
c:\recycler\S-1-5-21-197805175-239609729-1266631038-500
c:\recycler\S-1-5-21-2488279539-746389406-1546587689-500
c:\recycler\S-1-5-21-2539670841-3883834433-131152451-500
c:\recycler\S-1-5-21-3299103543-4284784342-3097835553-500
c:\recycler\S-1-5-21-3404511659-53796304-3560236098-500
c:\recycler\S-1-5-21-3732106624-3914212864-508585468-500
c:\recycler\S-1-5-21-3942435850-190315908-655303503-500
c:\recycler\S-1-5-21-4060633691-3468760093-925958171-500
c:\windows\9129837.exe
c:\windows\alytyxijot.reg
c:\windows\braviax.exe
c:\windows\cru629.dat
c:\windows\DRIVERS\beep.sys
c:\windows\ebihytyse.exe
c:\windows\exynyzis.sys
c:\windows\foce.inf
c:\windows\hukekifo.dl
c:\windows\kb913800.exe
c:\windows\nabanu.exe
c:\windows\nefymoqo.sys
c:\windows\negy.bin
c:\windows\ojomekir.reg
c:\windows\pesy.scr
c:\windows\setup.exe
c:\windows\sypiqeryp.bin
c:\windows\system32\_scui.cpl
c:\windows\system32\404Fix.exe
c:\windows\system32\braviax.exe
c:\windows\system32\cru629.dat
c:\windows\system32\debik.vbs
c:\windows\system32\dllcache\beep.sys
c:\windows\system32\dllcache\figaro.sys
c:\windows\system32\drivers\npf.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\kesonygeno._dl
c:\windows\system32\losasuxi.inf
c:\windows\system32\nesejo.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Packet.dll
c:\windows\system32\Process.exe
c:\windows\system32\pthreadVC.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\sys32_nov.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WanPacket.dll
c:\windows\system32\wisdstr.exe
c:\windows\system32\wpcap.dll
c:\windows\system32\WS2Fix.exe
c:\windows\tuvacovu.sys
c:\windows\umyqehudi.inf
c:\windows\uzosyti.scr
c:\windows\vygyguqawy.exe
c:\windows\ziqoj.pif

Infected copy of c:\windows\system32\drivers\beep.sys was found and disinfected
Restored copy from - c:\system volume information\_restore{F6751740-EB65-4F51-9F4B-AC268B6E20CE}\RP1205\A0243114.sys

Infected copy of c:\windows\system32\drivers\AGP440.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\agp440.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_npf


((((((((((((((((((((((((( Files Created from 2009-08-10 to 2009-09-10 )))))))))))))))))))))))))))))))
.

2009-09-10 08:07 . 2009-09-10 08:07 17637 ----a-w- c:\documents and settings\Doug\Local Settings\Application Data\xoku.sys
2009-09-10 08:07 . 2009-09-10 08:07 13776 ----a-w- c:\documents and settings\Doug\Local Settings\Application Data\gidilifyna.pif
2009-09-10 08:07 . 2009-09-10 08:07 12952 ----a-w- c:\program files\Common Files\poxecihufe.exe
2009-09-10 08:07 . 2009-09-10 08:07 11638 ----a-w- c:\windows\ejajykisiv.reg
2009-09-10 08:07 . 2009-09-10 08:07 10269 ----a-w- c:\documents and settings\Doug\Local Settings\Application Data\muvyjolasu.bat
2009-09-09 22:20 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-09 00:30 . 2004-08-10 12:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-09-09 00:30 . 2009-09-09 00:30 19294 ----a-w- c:\windows\system32\ytutosym.com
2009-09-09 00:30 . 2009-09-09 00:30 18167 ----a-w- c:\windows\ymulefi.com
2009-09-08 23:38 . 2009-09-08 23:38 11340 ----a-w- c:\windows\katonogyq.dat
2009-09-08 23:38 . 2009-09-08 23:38 15010 ----a-w- c:\program files\Common Files\xuzyxebiwi.dat
2009-09-08 23:38 . 2009-09-10 07:39 -------- d-----w- c:\program files\AntivirusPro_2010
2009-09-04 02:35 . 2009-09-04 11:33 120 ----a-w- c:\windows\Cleya.dat
2009-09-04 02:09 . 2009-09-04 02:09 -------- d-----w- c:\documents and settings\Doug\Local Settings\Application Data\{D488A00A-B74B-4E84-B3E5-450ADC7C1851}
2009-08-15 07:04 . 2009-08-15 15:20 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-12 12:29 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-10 08:07 . 2009-09-10 08:07 13905 ----a-w- c:\documents and settings\All Users\Application Data\ulazapava.com
2009-09-10 08:07 . 2009-09-10 08:07 10241 ----a-w- c:\windows\vono.bin
2009-09-10 08:07 . 2009-09-10 08:07 10214 ----a-w- c:\program files\Common Files\hyrix.vbs
2009-09-10 08:07 . 2009-09-10 08:07 10079 ----a-w- c:\documents and settings\Doug\Local Settings\Application Data\ijusy.dat
2009-09-08 23:38 . 2009-09-08 23:38 13665 ----a-w- c:\program files\Common Files\ubakuk._sy
2009-09-08 22:49 . 2008-11-04 03:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-21 21:39 . 2007-03-01 03:14 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-15 15:27 . 2005-02-23 22:19 30128 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 23:20 . 2009-08-06 23:18 -------- d-----w- c:\documents and settings\Doug\Application Data\iConcertCal
2009-08-05 09:01 . 2005-02-23 18:57 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 01:09 . 2008-08-13 20:32 1316 ----a-w- c:\windows\system32\d3d8caps.dat
2009-08-03 17:36 . 2008-11-04 03:39 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2008-11-04 03:39 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-17 19:01 . 2005-02-23 18:56 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-15 22:13 . 2007-06-02 17:19 -------- d-----w- c:\program files\iTunes
2009-07-15 22:13 . 2009-07-15 22:13 -------- d-----w- c:\program files\iPod
2009-07-15 22:13 . 2007-08-24 12:23 -------- d-----w- c:\program files\Common Files\Apple
2009-07-14 03:43 . 2005-02-23 18:57 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-13 23:37 . 2006-04-11 02:50 -------- d-----w- c:\documents and settings\Doug\Application Data\.BitTornado
2009-06-26 16:50 . 2005-02-23 18:57 666624 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2005-02-23 18:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 08:25 . 2005-02-23 18:57 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2005-02-23 18:57 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2005-02-23 18:57 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2005-02-23 18:57 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2005-02-23 18:56 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2005-02-23 18:56 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2005-02-23 18:56 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2005-02-23 18:57 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-02-23 18:56 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2005-02-23 18:57 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2005-02-23 18:57 76288 ----a-w- c:\windows\system32\telnet.exe
2008-11-08 22:05 . 2008-11-08 22:05 12393 ----a-w- c:\program files\Common Files\habydibu.dl
2008-11-07 23:33 . 2008-11-07 23:33 14737 ----a-w- c:\program files\Common Files\ojajajul.pif
2008-11-03 11:50 . 2008-11-03 11:50 14483 ----a-w- c:\program files\Common Files\tusyhow.db
2008-11-03 11:50 . 2008-11-03 11:50 19361 ----a-w- c:\program files\Common Files\ciji.scr
2008-11-03 11:50 . 2008-11-03 11:50 18954 ----a-w- c:\program files\Common Files\zymyvig.ban
2008-11-03 11:50 . 2008-11-03 11:50 11227 ----a-w- c:\program files\Common Files\qokyvuxim.scr
2008-11-03 11:50 . 2008-11-03 11:50 18322 ----a-w- c:\program files\Common Files\nujyq.ban
2008-11-03 11:50 . 2008-11-03 11:50 14554 ----a-w- c:\program files\Common Files\epamo._dl
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-03 389120]
"Everyday Auto Backup"="c:\program files\Everyday Auto Backup\AutoBackup.exe" [2007-07-19 68096]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-08 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-08 126976]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-08-02 7110656]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-08-02 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"OWCWebCamDV"="c:\windows\system\wcdvtray.exe" [2004-05-20 1056768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"Antivirus Pro 2010"="c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe" [2009-09-10 587776]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" - c:\windows\system32\Hdaudpropshortcut.exe [2004-08-13 61952]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-11-02 77824]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2004-11-29 2748928]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-10-08 88363]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-08-02 1519616]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Everyday Auto Backup.lnk - c:\program files\Everyday Auto Backup\AutoBackup.exe [2007-10-16 68096]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\Sony\\Click to DVD 2\\CtoDvd.exe"=
"c:\\WINDOWS\\mlbamplayer.exe"=
"c:\\Program Files\\Last.fm\\LastFM.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/29/2008 3:03 PM 24652]
R2 WebCamDV;WebCamDV DV to Webcam Converter;c:\windows\system32\drivers\WebCamDV.sys [9/17/2004 10:38 AM 212608]
R3 WCDV_Aud;WevCamDV WDM Virtual Audio Device;c:\windows\system32\drivers\wcdvaud.sys [9/17/2004 10:38 AM 12672]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [11/27/2008 10:09 AM 33752]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
.
Contents of the 'Scheduled Tasks' folder

2009-08-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2005-10-24 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-02-23 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyOverride = *.local
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Transfer by Image Converter 2 - c:\program files\Sony\Image Converter 2\menu.htm
FF - ProfilePath - c:\documents and settings\Doug\Application Data\Mozilla\Firefox\Profiles\ppnxso1v.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XUL Cache: {D488A00A-B74B-4E84-B3E5-450ADC7C1851} - c:\documents and settings\Doug\Local Settings\Application Data\{D488A00A-B74B-4E84-B3E5-450ADC7C1851}
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run-16925314 - c:\documents and settings\All Users\Application Data\16925314\16925314.exe
HKU-Default-Run-brastk - c:\windows\system32\brastk.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-10 04:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\leze.lib 12508 bytes
c:\windows\system32\uqahi._dl 19865 bytes
c:\windows\system32\bakuw._sy 13541 bytes

scan completed successfully
hidden files: 3

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2712)
c:\windows\system32\nview.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
c:\program files\Sony\Sony TV Tuner Library\SMceMan.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\dllhost.exe
c:\program files\Sony\Sony TV Tuner Library\RM_SV.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-10 4:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-10 08:12

Pre-Run: 24,473,739,264 bytes free
Post-Run: 36,147,871,744 bytes free

364 --- E O F --- 2009-09-09 23:28

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:55 PM

Posted 10 September 2009 - 03:58 AM

Well done and thanks for the feedback. :(
  • Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    http://www.bleepingcomputer.com/forums/t/256267/antiviruspro-2010/
    Collect::
    c:\documents and settings\Doug\Local Settings\Application Data\xoku.sys
    c:\documents and settings\Doug\Local Settings\Application Data\gidilifyna.pif
    c:\program files\Common Files\poxecihufe.exe
    c:\documents and settings\Doug\Local Settings\Application Data\muvyjolasu.bat
    c:\windows\system32\ytutosym.com
    c:\windows\ymulefi.com
    c:\windows\katonogyq.dat
    c:\program files\Common Files\xuzyxebiwi.dat
    c:\documents and settings\All Users\Application Data\ulazapava.com
    c:\windows\vono.bin
    c:\program files\Common Files\hyrix.vbs
    c:\documents and settings\Doug\Local Settings\Application Data\ijusy.dat
    c:\program files\Common Files\ubakuk._sy
    c:\windows\Cleya.dat
    c:\program files\Common Files\habydibu.dl
    c:\program files\Common Files\ojajajul.pif
    c:\program files\Common Files\tusyhow.db
    c:\program files\Common Files\ciji.scr
    c:\program files\Common Files\zymyvig.ban
    c:\program files\Common Files\qokyvuxim.scr
    c:\program files\Common Files\nujyq.ban
    c:\program files\Common Files\epamo._dl
    c:\windows\leze
    c:\windows\system32\uqahi._dl
    c:\windows\system32\bakuw._sy
    Folder::
    c:\program files\AntivirusPro_2010
    c:\documents and settings\Doug\Local Settings\Application Data\{D488A00A-B74B-4E84-B3E5-450ADC7C1851}
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Antivirus Pro 2010"=-
    Firefox::
    FF - HiddenExtension: XUL Cache: {D488A00A-B74B-4E84-B3E5-450ADC7C1851} - c:\documents and settings\Doug\Local Settings\Application Data\{D488A00A-B74B-4E84-B3E5-450ADC7C1851}

    Save this as CFScript.txt


    Posted Image


    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    When finished, it shall produce a log for you. Post that log in your next reply.

    **Important Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.
  • Open your Malwarebytes' Anti-Malware.
    • First update it: to do that, under the Update tab press "Check for Updates".
    • Under the Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart (see Extra Note).
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


#7 dougie77

dougie77
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:08:55 AM

Posted 10 September 2009 - 06:50 AM

Thanks again for your help. Here is the updated ComboFix log:

ComboFix 09-09-09.04 - Doug 09/10/2009 7:32.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1000 [GMT -4:00]
Running from: c:\documents and settings\Doug\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Doug\Desktop\cfscript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: c:\documents and settings\All Users\Application Data\ulazapava.com
file zipped: c:\documents and settings\Doug\Local Settings\Application Data\gidilifyna.pif
file zipped: c:\documents and settings\Doug\Local Settings\Application Data\ijusy.dat
file zipped: c:\documents and settings\Doug\Local Settings\Application Data\muvyjolasu.bat
file zipped: c:\documents and settings\Doug\Local Settings\Application Data\xoku.sys
file zipped: c:\program files\Common Files\ciji.scr
file zipped: c:\program files\Common Files\epamo._dl
file zipped: c:\program files\Common Files\habydibu.dl
file zipped: c:\program files\Common Files\hyrix.vbs
file zipped: c:\program files\Common Files\nujyq.ban
file zipped: c:\program files\Common Files\ojajajul.pif
file zipped: c:\program files\Common Files\poxecihufe.exe
file zipped: c:\program files\Common Files\qokyvuxim.scr
file zipped: c:\program files\Common Files\tusyhow.db
file zipped: c:\program files\Common Files\ubakuk._sy
file zipped: c:\program files\Common Files\xuzyxebiwi.dat
file zipped: c:\program files\Common Files\zymyvig.ban
file zipped: c:\windows\Cleya.dat
file zipped: c:\windows\katonogyq.dat
file zipped: c:\windows\system32\bakuw._sy
file zipped: c:\windows\system32\uqahi._dl
file zipped: c:\windows\system32\ytutosym.com
file zipped: c:\windows\vono.bin
file zipped: c:\windows\ymulefi.com
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\icigycy.lib
c:\documents and settings\All Users\Application Data\ulazapava.com
c:\documents and settings\All Users\Documents\kobavanoj._dl
c:\documents and settings\All Users\Documents\tejocike.ban
c:\documents and settings\Doug\Cookies\axekeponej.dl
c:\documents and settings\Doug\Cookies\gedybi.reg
c:\documents and settings\Doug\Local Settings\Application Data\{D488A00A-B74B-4E84-B3E5-450ADC7C1851}
c:\documents and settings\Doug\Local Settings\Application Data\{D488A00A-B74B-4E84-B3E5-450ADC7C1851}\chrome.manifest
c:\documents and settings\Doug\Local Settings\Application Data\{D488A00A-B74B-4E84-B3E5-450ADC7C1851}\chrome\content\_cfg.js
c:\documents and settings\Doug\Local Settings\Application Data\{D488A00A-B74B-4E84-B3E5-450ADC7C1851}\chrome\content\overlay.xul
c:\documents and settings\Doug\Local Settings\Application Data\{D488A00A-B74B-4E84-B3E5-450ADC7C1851}\install.rdf
c:\documents and settings\Doug\Local Settings\Application Data\azapu._dl
c:\documents and settings\Doug\Local Settings\Application Data\gidilifyna.pif
c:\documents and settings\Doug\Local Settings\Application Data\ijusy.dat
c:\documents and settings\Doug\Local Settings\Application Data\muvyjolasu.bat
c:\documents and settings\Doug\Local Settings\Application Data\xoku.sys
c:\documents and settings\Doug\Local Settings\Temporary Internet Files\pojuhalif._dl
c:\program files\AntivirusPro_2010
c:\program files\AntivirusPro_2010\AntivirusPro_2010.cfg
c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe
c:\program files\AntivirusPro_2010\AVEngn.dll
c:\program files\AntivirusPro_2010\data\daily.cvd
c:\program files\AntivirusPro_2010\htmlayout.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll
c:\program files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll
c:\program files\AntivirusPro_2010\pthreadVC2.dll
c:\program files\AntivirusPro_2010\Uninstall.exe
c:\program files\AntivirusPro_2010\wscui.cpl
c:\program files\Common Files\ciji.scr
c:\program files\Common Files\epamo._dl
c:\program files\Common Files\habydibu.dl
c:\program files\Common Files\hyrix.vbs
c:\program files\Common Files\nujyq.ban
c:\program files\Common Files\ojajajul.pif
c:\program files\Common Files\poxecihufe.exe
c:\program files\Common Files\qokyvuxim.scr
c:\program files\Common Files\tusyhow.db
c:\program files\Common Files\ubakuk._sy
c:\program files\Common Files\xuzyxebiwi.dat
c:\program files\Common Files\zymyvig.ban
c:\windows\Cleya.dat
c:\windows\deke.dl
c:\windows\ejajykisiv.reg
c:\windows\katonogyq.dat
c:\windows\system32\bakuw._sy
c:\windows\system32\uqahi._dl
c:\windows\system32\ytutosym.com
c:\windows\tapoqa.dl
c:\windows\vono.bin
c:\windows\ydeje.dl
c:\windows\ymulefi.com

.
((((((((((((((((((((((((( Files Created from 2009-08-10 to 2009-09-10 )))))))))))))))))))))))))))))))
.

2009-09-09 22:20 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-09 00:30 . 2004-08-10 12:00 4224 ------w- c:\windows\system32\drivers\beep.sys
2009-08-15 07:04 . 2009-08-15 15:20 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-12 12:29 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-08 22:49 . 2008-11-04 03:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-21 21:39 . 2007-03-01 03:14 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-15 15:27 . 2005-02-23 22:19 30128 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 23:20 . 2009-08-06 23:18 -------- d-----w- c:\documents and settings\Doug\Application Data\iConcertCal
2009-08-05 09:01 . 2005-02-23 18:57 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 01:09 . 2008-08-13 20:32 1316 ----a-w- c:\windows\system32\d3d8caps.dat
2009-08-03 17:36 . 2008-11-04 03:39 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2008-11-04 03:39 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-17 19:01 . 2005-02-23 18:56 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-15 22:13 . 2007-06-02 17:19 -------- d-----w- c:\program files\iTunes
2009-07-15 22:13 . 2009-07-15 22:13 -------- d-----w- c:\program files\iPod
2009-07-15 22:13 . 2007-08-24 12:23 -------- d-----w- c:\program files\Common Files\Apple
2009-07-14 03:43 . 2005-02-23 18:57 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-13 23:37 . 2006-04-11 02:50 -------- d-----w- c:\documents and settings\Doug\Application Data\.BitTornado
2009-06-26 16:50 . 2005-02-23 18:57 666624 ------w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2005-02-23 18:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 08:25 . 2005-02-23 18:57 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2005-02-23 18:57 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2005-02-23 18:57 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2005-02-23 18:57 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2005-02-23 18:56 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2005-02-23 18:56 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2005-02-23 18:56 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2005-02-23 18:57 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-02-23 18:56 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2005-02-23 18:57 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2005-02-23 18:57 76288 ----a-w- c:\windows\system32\telnet.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-09-10_08.07.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-10 11:22 . 2009-09-10 11:22 16384 c:\windows\Temp\Perflib_Perfdata_70c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-03 389120]
"Everyday Auto Backup"="c:\program files\Everyday Auto Backup\AutoBackup.exe" [2007-07-19 68096]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-08 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-08 126976]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-08-02 7110656]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-08-02 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"OWCWebCamDV"="c:\windows\system\wcdvtray.exe" [2004-05-20 1056768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" - c:\windows\system32\Hdaudpropshortcut.exe [2004-08-13 61952]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-11-02 77824]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2004-11-29 2748928]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-10-08 88363]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-08-02 1519616]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Everyday Auto Backup.lnk - c:\program files\Everyday Auto Backup\AutoBackup.exe [2007-10-16 68096]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\Sony\\Click to DVD 2\\CtoDvd.exe"=
"c:\\WINDOWS\\mlbamplayer.exe"=
"c:\\Program Files\\Last.fm\\LastFM.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/29/2008 3:03 PM 24652]
R2 WebCamDV;WebCamDV DV to Webcam Converter;c:\windows\system32\drivers\WebCamDV.sys [9/17/2004 10:38 AM 212608]
R3 WCDV_Aud;WevCamDV WDM Virtual Audio Device;c:\windows\system32\drivers\wcdvaud.sys [9/17/2004 10:38 AM 12672]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [11/27/2008 10:09 AM 33752]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder

2009-08-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2005-10-24 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-02-23 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyOverride = *.local
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Transfer by Image Converter 2 - c:\program files\Sony\Image Converter 2\menu.htm
FF - ProfilePath - c:\documents and settings\Doug\Application Data\Mozilla\Firefox\Profiles\ppnxso1v.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-10 07:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-09-10 7:41
ComboFix-quarantined-files.txt 2009-09-10 11:40
ComboFix2.txt 2009-09-10 08:13

Pre-Run: 35,762,642,944 bytes free
Post-Run: 35,709,743,104 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

241 --- E O F --- 2009-09-09 23:28
Upload was successful

Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

9/10/2009 7:49:52 AM
mbam-log-2009-09-10 (07-49-52).txt

Scan type: Quick Scan
Objects scanned: 104878
Time elapsed: 4 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thanks again for your help.
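Added example (not part of this thread, and not ComboFix's or MBAM's own code): a small Python triage script for the ComboFix log format posted above. It flags the registry items these logs show switched off or altered ("EnableFirewall"= 0, "UpdatesDisableNotify"=dword:00000001, FirewallDisableNotify, and ForceClassicControlPanel, which MBAM reports as Hijack.ControlPanelStyle), Run entries launching from a user-writable profile path (a heuristic chosen for this example, modelled on the orphaned HKLM-Run-16925314 entry in the first log), and a non-zero catchme hidden-file count. The log excerpt it runs over is constructed in the same format; the "Updater" entry and its path are made up.

```python
"""ComboFix log triage (added example, not code from this thread or from ComboFix/MBAM).

Parses the 'Reg Loading Points' and catchme sections of a ComboFix log and
flags the kind of items this thread's logs show: protections switched off in
the registry, autostart entries launching from a user profile directory, and
hidden files reported by catchme.
"""
import re
from dataclasses import dataclass

# Registry values and the data that mean a protection is off or a setting was
# hijacked. Names and data are the ones visible in this thread's ComboFix/MBAM
# logs; the messages are this example's own wording.
WEAK_REG_VALUES = {
    "enablefirewall": (0, "Windows Firewall is disabled"),
    "updatesdisablenotify": (1, "Security Center update alerts are disabled"),
    "firewalldisablenotify": (1, "Security Center firewall alerts are disabled"),
    "forceclassiccontrolpanel": (1, "Control Panel forced to classic view (Hijack.ControlPanelStyle)"),
}

# Heuristic chosen for this example (not a ComboFix rule): a Run entry whose
# target sits under a user-writable profile directory deserves a closer look.
USER_WRITABLE = re.compile(r"\\(application data|local settings|temp)\\", re.I)

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# Matches  "EnableFirewall"= 0 (0x0)   and   "UpdatesDisableNotify"=dword:00000001
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*(?:dword:(?P<hex>[0-9a-f]{8})'
    r'|(?P<dec>\d+)(?:\s*\(0x[0-9a-f]+\))?)$',
    re.I,
)
# Matches  "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<path>[^"]+)"')
HIDDEN_RE = re.compile(r"^hidden files:\s*(?P<n>\d+)$", re.I)


@dataclass
class Finding:
    kind: str    # "registry", "autostart" or "hidden_files"
    detail: str
    where: str


def triage_combofix_log(text: str) -> list:
    """Return the findings in the order they appear in the log text."""
    findings = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")       # remember which hive/key we are in
            continue
        m = VALUE_RE.match(line)
        if m:
            data = int(m.group("hex"), 16) if m.group("hex") else int(m.group("dec"))
            expected, msg = WEAK_REG_VALUES.get(m.group("name").lower(), (None, ""))
            if data == expected:
                findings.append(Finding("registry", msg, current_key + "\\" + m.group("name")))
            continue
        m = RUN_RE.match(line)
        if m and current_key.lower().endswith("\\run") and USER_WRITABLE.search(m.group("path")):
            findings.append(Finding("autostart", "Run entry launches from a user-writable path",
                                    m.group("path")))
            continue
        m = HIDDEN_RE.match(line)
        if m and int(m.group("n")) > 0:
            findings.append(Finding("hidden_files",
                                    f"catchme reported {m.group('n')} hidden file(s)", "catchme"))
    return findings


# Constructed excerpt in ComboFix's log format (not taken from a real machine).
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"Updater"="c:\documents and settings\All Users\Application Data\12345678\12345678.exe" [2009-09-10 587776]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

scanning hidden files ...

scan completed successfully
hidden files: 3
"""

if __name__ == "__main__":
    for f in triage_combofix_log(SAMPLE_LOG):
        print(f"{f.kind:<12} {f.detail}  [{f.where}]")
```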

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:55 PM

Posted 10 September 2009 - 07:20 AM

Well done again. :(

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow users to share files between them, as the name suggests. In today's world cyber crime has grown to an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  • Empty all p2p active download folders. They might contain infected files. Please avoid using these p2p applications until the system is clean. Using these applications at this stage might lead to reinfection or infecting other users.

  • Please update MBAM; you forgot to update it first. After updating, check the version under the Update tab. It should read 2770 or above. Please run it with the same instructions again and post the log.

  • You are missing one important program on that computer: An antivirus.
    This is somewhat suicidal in today's digital world.
    You need to install an antivirus program as soon as you can. I recommend this good free antivirus:

    Avira
  • Download the installer from the softpedia.com link, as it has a secure download mirror. Install and update it.
  • In the left pane click Status. In the right pane click Scan system now.
  • After the scan has finished, let it remove what it finds and then click Report.
  • You can also get the last report by clicking on Reports in the left pane.
  • In the right window under Action double-click on the last Scan listed (you also see the corresponding Date/Time).
  • A window opens, click on Report file.
  • Copy and paste the content of the report to your reply.


#9 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:55 PM

Posted 13 September 2009 - 05:57 AM

Are you still there?

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:02:55 PM

Posted 17 September 2009 - 04:41 PM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.
