Security Tool won't leave! .exe's not downloading, malwarebytes will install but not run- errors.


This topic is locked
12 replies to this topic

#1 effingpcs
Posted 18 October 2009 - 12:02 AM

I cannot see my desktop items. I can only see the taskbar. At one point I had Windows Police Pro and it wouldn't let me run Task Manager. I fixed that through this site, but now cannot run Malwarebytes. I constantly get warnings from the toolbar saying my computer is infected, and Security Tool and Anti Virus 2010 are still installed on here. Here is the DDS log.



DDS (Ver_09-10-13.01) - NTFSx86
Run by Brad Hanson at 22:45:48.62 on Sat 10/17/2009
Internet Explorer: 8.0.6001.18372
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.413 [GMT -5:00]

AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ATK0100\Hcontrol.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\Brad Hanson\Application Data\svcst.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\sony\usbsircs\usbsircs.exe
C:\Program Files\Sony\SonicStage Mastering Studio\Audio Filter\SSMSFilter.exe
C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
svchost.exe
C:\Documents and Settings\Brad Hanson\Application Data\seres.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Sony\Giga Pocket\shwserv.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Sony\Giga Pocket\gps.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\Program Files\Sony\Giga Pocket\RM_SV.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Brad Hanson\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uWindow Title = Microsoft Internet Explorer provided by Insight Broadband
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Browser Helper Object: {afd4ad01-58c1-47db-a404-fbe00a6c5486} - c:\program files\shared\_lib.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Sonic RecordNow!]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [mserv] c:\documents and settings\brad hanson\application data\svcst.exe
uRun: [svchost] c:\documents and settings\brad hanson\application data\svcst.exe
uRun: [calc] rundll32.exe c:\docume~1\bradha~1\ntuser.dll,_IWMPEvents@0
mRun: [Hcontrol] c:\windows\atk0100\Hcontrol.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [CreateCD_Reminder] c:\windows\sonysys\vaio recovery\reminder.exe
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [SonyPowerCfg] c:\program files\sony\vaio power management\SPMgr.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [HKSERV.EXE] c:\program files\sony\hotkey utility\HKserv.exe
mRun: [Switcher.exe] c:\program files\sony\wireless switch setting utility\Switcher.exe
mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
mRun: [VAIOSurvey] c:\program files\sony\vaio survey\surveysa.exe
mRun: [VMConsole.exe] c:\program files\sony\vaio media integrated server\platform\VMConsole.exe /windowmin
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Antivirus Pro 2010] "c:\program files\antiviruspro_2010\AntivirusPro_2010.exe" /hide
mRun: [calc] rundll32.exe c:\windows\system32\calc.dll,_IWMPEvents@0
mRun: [42196426] c:\documents and settings\all users\application data\42196426\42196426.exe
mRun: [98889345] c:\docume~1\alluse~1\applic~1\98889345\98889345.exe
mRun: [63067022] c:\docume~1\alluse~1\applic~1\63067022\63067022.exe
mRun: [jahameduz] Rundll32.exe "c:\windows\system32\vayihufi.dll",a
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\documents and settings\brad hanson\start menu\programs\startup\scandisk.dll
StartupFolder: c:\docume~1\bradha~1\startm~1\programs\startup\scandisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audiof~1.lnk - c:\program files\sony\sonicstage mastering studio\audio filter\SSMSFilter.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~3.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\remoco~1.lnk - c:\program files\sony\usbsircs\usbsircs.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\timerr~1.lnk - c:\program files\sony\giga pocket\ReserveModule.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-5/myWebFaceInitialSetup1.0.1.3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103583281069
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8F24DE00-0D66-4F93-9405-3F21E97AEE99} - hxxp://esb.alcena.com/ESBAdultInstaller.ocx
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Filter: text/html - {31f5896d-7be2-42ff-884d-52a3d4c14d9e} - c:\windows\mark_32.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: cru629.dat fasihebu.dll c:\windows\system32\vayihufi.dll
SSODL: flammei - {9d635a36-6b3c-4146-8625-f3aaf507bbf8} - c:\windows\system32\vcehaeb.dll
SSODL: momulayum - {c2ede09f-5eef-4cb0-8638-c953272643e3} - c:\windows\system32\vayihufi.dll
STS: flammei: {9d635a36-6b3c-4146-8625-f3aaf507bbf8} - c:\windows\system32\vcehaeb.dll
STS: jugezatag: {c2ede09f-5eef-4cb0-8638-c953272643e3} - c:\windows\system32\vayihufi.dll
LSA: Notification Packages = scecli lonafaze.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1000000.07d\SymEFA.sys [2008-10-21 309296]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1000000.07d\BHDrvx86.sys [2008-10-21 254512]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1000000.07d\ccHPx86.sys [2008-10-21 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20081031.001\IDSxpx86.sys [2008-10-31 274808]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\engine\16.0.0.125\ccSvcHst.exe [2008-10-21 115560]
R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\common files\sony shared\vaio entertainment\vzcdb\VzFw.exe [2004-8-16 118877]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2004-8-13 71961]
S2 gupdate1c9ddab1317fa50;Google Update Service (gupdate1c9ddab1317fa50);c:\program files\google\update\GoogleUpdate.exe [2009-5-25 133104]
S3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [2004-8-14 17251]
S3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\PELUSBlf.SYS [2004-8-14 7520]
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\common files\sony shared\vaio entertainment\vcsw\vcsw.exe -runbyscm --> c:\program files\common files\sony shared\vaio entertainment\vcsw\VCSW.exe -RunBySCM [?]

=============== Created Last 30 ================

2009-10-17 22:38 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-17 22:38 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-17 22:38 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-17 18:34 4,045,544 ac------ C:\mbam-setup.exe
2009-10-17 18:08 3,550,592 ac------ C:\explorer.exe
2009-10-16 18:21 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\63067022
2009-10-13 23:11 <DIR> --d----- c:\windows\system32\schtml
2009-10-13 23:09 4 a------- c:\windows\system32\bincd32.dat
2009-10-13 23:08 434,688 a------- c:\windows\svchast.exe
2009-10-13 23:08 58 a------- c:\windows\wf4.dat
2009-10-13 23:08 1 a------- c:\windows\wf3.dat
2009-10-13 23:08 553,472 a------- c:\windows\system32\pump.exe
2009-10-13 23:08 94 a------- c:\windows\system32\wwp.htm
2009-10-13 23:06 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\98889345
2009-10-13 23:06 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\42196426
2009-10-13 23:05 <DIR> --d----- c:\program files\Windows Police Pro
2009-10-13 23:05 17,108 ac------ c:\docume~1\alluse~1\applic~1\ofoq.reg
2009-10-13 23:05 15,653 ac------ c:\docume~1\alluse~1\applic~1\pijo.sys
2009-10-13 23:05 13,926 ac------ c:\docume~1\alluse~1\applic~1\axuxab.reg
2009-10-13 23:05 19,513 a------- c:\docume~1\bradha~1\applic~1\pipez.scr
2009-10-13 23:05 19,196 a------- c:\windows\system32\ajabi.bin
2009-10-13 23:05 18,586 a------- c:\docume~1\bradha~1\applic~1\ziqimyvu.bin
2009-10-13 23:05 17,297 a------- c:\windows\system32\lydijyc.sys
2009-10-13 23:05 16,979 a------- c:\docume~1\bradha~1\applic~1\laqewecyb.vbs
2009-10-13 23:05 16,707 a------- c:\docume~1\bradha~1\applic~1\qywuzogul.sys
2009-10-13 23:05 13,552 a------- c:\docume~1\bradha~1\applic~1\awijicyji.com
2009-10-13 23:05 13,503 a------- c:\windows\ykixujyxuf.reg
2009-10-13 23:05 12,204 a------- c:\windows\odasoh.scr
2009-10-13 23:05 11,716 a------- c:\windows\efofyqym.lib
2009-10-13 23:05 11,705 a------- c:\windows\nuxyhy.dll
2009-10-13 23:05 10,299 a------- c:\windows\enotusimeg.db
2009-10-13 23:04 169,984 a------- c:\windows\system32\_scui.cpl
2009-10-13 23:04 <DIR> --d----- c:\program files\AntivirusPro_2010
2009-10-13 23:04 232,560 a------- c:\docume~1\bradha~1\applic~1\lizkavd.exe
2009-10-13 23:00 46 ac------ C:\p2hhr.bat
2009-10-13 23:00 79,360 ac------ C:\jboy.exe
2009-10-13 23:00 25,088 a--sh--- c:\windows\system32\calc.dll
2009-10-13 23:00 25,088 a--sh--- c:\documents and settings\brad hanson\ntuser.dll
2009-10-13 23:00 9,216 ac------ C:\svhkapw.exe
2009-10-13 23:00 15,000 a------- c:\windows\system32\sbmunda0.dll
2009-10-13 23:00 100,352 ac------ C:\lyqr.exe
2009-10-13 23:00 24,064 ac------ C:\nmihj.exe
2009-10-13 23:00 19,456 ac------ C:\cwxa.exe
2009-10-13 23:00 53,248 ac------ C:\riyxlqe.exe
2009-10-13 23:00 31,232 ac------ C:\iytcqy.exe
2009-10-13 23:00 273,920 a------- c:\docume~1\bradha~1\applic~1\svcst.exe
2009-10-13 23:00 273,920 a------- c:\docume~1\bradha~1\applic~1\seres.exe
2009-10-13 23:00 316,416 a------- c:\windows\system32\~.exe

==================== Find3M ====================

2009-10-13 23:05 11,414 a------- c:\program files\common files\emotira.ban
2009-09-10 15:05 18,249 ac------ c:\docume~1\alluse~1\applic~1\ahahuvitir.sys
2009-09-10 15:05 14,606 a------- c:\windows\ezehire.reg
2009-09-10 15:05 12,488 a------- c:\program files\common files\tiqiny.lib
2009-09-10 15:05 16,467 ac------ c:\docume~1\alluse~1\applic~1\fexarokapy.scr
2009-09-10 15:05 16,034 ac------ c:\docume~1\alluse~1\applic~1\sizusa.reg
2009-09-10 15:05 19,913 a------- c:\windows\wedipycozo.bat
2009-09-10 15:05 18,475 a------- c:\docume~1\bradha~1\applic~1\raro.bat
2009-09-10 15:05 16,805 a------- c:\windows\wulicyqe.dll
2009-09-10 15:05 11,004 a------- c:\program files\common files\paten._dl
2009-08-24 21:01 19,439 a------- c:\windows\julycij.dll
2009-08-24 21:01 18,739 a------- c:\program files\common files\afutivaj.dat
2009-08-24 21:01 17,171 a------- c:\windows\nahuduqon.pif
2009-08-24 21:01 13,496 a------- c:\program files\common files\ebivagyb._sy
2009-08-24 21:01 11,852 a------- c:\program files\common files\bezuhewigo.pif
2009-08-24 21:01 11,464 a------- c:\windows\ywarizoci.scr
2009-08-24 21:01 11,109 a------- c:\docume~1\bradha~1\applic~1\ipokovyjop.dat
2009-08-24 21:01 10,414 a------- c:\windows\yxisufytob.bin
2009-08-24 21:01 10,386 a------- c:\windows\tijoququhe.com
2009-08-05 04:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2006-10-30 21:31 774,144 ac------ c:\program files\RngInterstitial.dll
2009-07-14 19:14 39,424 a--sh--- c:\windows\system32\bebuviza.dll
2009-07-17 17:40 1,089,058 a--sh--- c:\windows\system32\bupuyafo.exe
2009-07-17 17:40 39,424 a--sh--- c:\windows\system32\dukotova.dll
2009-07-14 19:14 54,272 a--sh--- c:\windows\system32\fasihebu.dll
2009-07-14 19:14 25,600 a--sh--- c:\windows\system32\filokinu.exe
2009-07-15 08:52 39,424 a--sh--- c:\windows\system32\gajukilu.dll
2009-07-15 22:17 39,424 a--sh--- c:\windows\system32\gezokije.dll
2009-07-13 23:05 1,050,659 a--sh--- c:\windows\system32\gitalobo.exe
2009-07-14 19:14 54,272 a--sh--- c:\windows\system32\govegomu.dll
2009-07-13 23:05 90,624 a--sh--- c:\windows\system32\jumayiya.dll
2009-07-14 19:14 54,272 a--sh--- c:\windows\system32\lonafaze.dll
2009-07-15 08:52 1,117,124 a--sh--- c:\windows\system32\lorizuzu.exe
2009-07-14 19:14 54,272 a--sh--- c:\windows\system32\ripeyoji.dll
2009-07-16 18:21 90,624 a--sh--- c:\windows\system32\tahisepi.dll
2009-07-16 18:21 39,424 a--sh--- c:\windows\system32\tuwihavo.dll
2009-07-17 17:40 90,624 a--sh--- c:\windows\system32\vayihufi.dll
2009-07-16 18:21 1,111,915 a--sh--- c:\windows\system32\wawavara.exe
2009-07-13 23:05 39,424 a--sh--- c:\windows\system32\yizuwedu.dll
2009-07-13 23:05 1,011,605 a--sh--- c:\windows\system32\yizuwedu.exe
2009-07-15 22:17 1,114,048 a--sh--- c:\windows\system32\yufobata.exe

============= FINISH: 22:47:52.43 ===============


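As an added example, not part of this thread or of the DDS tool, here is a heuristic triage pass over the "Pseudo HJT Report" lines of a DDS log like the one above. The sample lines are a constructed excerpt of that report, and every rule (profile-directory autoruns, numeric-only value names, random-looking DLL names, non-empty AppInit_DLLs, any SSODL/STS hook, LSA packages beyond scecli) and the Finding type are my assumptions, not DDS logic.

```python
"""Heuristic triage of the 'Pseudo HJT Report' section of a DDS log.

Every rule here is an assumption made for this example, not a DDS rule.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Windows XP profile roots (long and 8.3 forms) plus the Vista+ AppData path.
PROFILE_DIR = re.compile(r"documents and settings|docume~1|users\\[^\\]+\\appdata", re.I)
RUN_LINE = re.compile(r"^[um]Run(?:Once)?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
KIND_LINE = re.compile(r"^(?P<kind>[A-Za-z_]+): (?P<rest>.*)$")
# rundll32 target: optional quotes, a path ending in a known extension, then ",export".
RUNDLL = re.compile(
    r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?\.(?:dll|cpl|ocx|exe))(?=["\s,]|$)', re.I)
# Six to ten lowercase letters and nothing else: the naming style of the
# vayihufi.dll / lonafaze.dll family in the log. Low confidence on its own.
RANDOM_NAME = re.compile(r"^[a-z]{6,10}\.(?:dll|exe|dat)$")


@dataclass
class Finding:
    line_no: int
    line: str
    reasons: list[str] = field(default_factory=list)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def check_run(name: str, cmd: str) -> list[str]:
    """Reasons to look closer at one uRun/mRun/mRunOnce entry (empty = nothing)."""
    reasons = []
    if name.isdigit():
        reasons.append("numeric-only value name")
    if PROFILE_DIR.search(cmd):
        reasons.append("launches from a user profile directory")
    m = RUNDLL.match(cmd.strip())
    if m:
        dll = m.group("dll")
        if PROFILE_DIR.search(dll):
            reasons.append("rundll32 loads a DLL from a user profile directory")
        if RANDOM_NAME.match(_basename(dll)):
            reasons.append("rundll32 loads a DLL with a random-looking name (low confidence)")
    return reasons


def check_hook(kind: str, rest: str) -> list[str]:
    """Reasons for the non-Run line types DDS reports; unknown kinds get none."""
    if kind == "AppInit_DLLs":
        return ["AppInit_DLLs is non-empty; every user32-linked process loads these"] if rest.strip() else []
    if kind in ("SSODL", "STS"):
        return [f"shell hook ({kind}) loads {_basename(rest.split(' - ')[-1])}"]
    if kind == "LSA":
        extra = [p for p in rest.split("=", 1)[-1].split() if p.lower() != "scecli"]
        return [f"extra LSA notification package(s): {' '.join(extra)}"] if extra else []
    if kind == "Notify" and RANDOM_NAME.match(_basename(rest.split(" - ")[-1])):
        return ["winlogon notify DLL has a random-looking name (low confidence)"]
    return []


def triage(report: str) -> list[Finding]:
    """One Finding per suspicious line, numbered from 1 within the given text."""
    findings = []
    for line_no, raw in enumerate(report.splitlines(), 1):
        line = raw.strip()
        run = RUN_LINE.match(line)
        if run:
            reasons = check_run(run.group("name"), run.group("cmd"))
        else:
            other = KIND_LINE.match(line)
            reasons = check_hook(other.group("kind"), other.group("rest")) if other else []
        if reasons:
            findings.append(Finding(line_no, line, reasons))
    return findings


# Constructed excerpt of the DDS report posted above (paths copied, list shortened).
SAMPLE_LOG = r"""
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [mserv] c:\documents and settings\brad hanson\application data\svcst.exe
uRun: [calc] rundll32.exe c:\docume~1\bradha~1\ntuser.dll,_IWMPEvents@0
mRun: [Hcontrol] c:\windows\atk0100\Hcontrol.exe
mRun: [calc] rundll32.exe c:\windows\system32\calc.dll,_IWMPEvents@0
mRun: [42196426] c:\documents and settings\all users\application data\42196426\42196426.exe
mRun: [jahameduz] Rundll32.exe "c:\windows\system32\vayihufi.dll",a
AppInit_DLLs: cru629.dat fasihebu.dll c:\windows\system32\vayihufi.dll
SSODL: flammei - {9d635a36-6b3c-4146-8625-f3aaf507bbf8} - c:\windows\system32\vcehaeb.dll
LSA: Notification Packages = scecli lonafaze.dll
Notify: AtiExtEvent - Ati2evxx.dll
""".strip()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

The mRun [calc] entry that loads c:\windows\system32\calc.dll passes every rule here; it is only caught by cross-checking the file against the a--sh (hidden, system) entries under "Created Last 30", which is the kind of correlation the helpers do by hand.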

#2 Raktor
Posted 18 October 2009 - 05:58 AM


Hi, welcome to the BC Forums. My username is Raktor, and I would be glad to take a look at your log.
Please be advised, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice.
This may cause a delay, but I will do my best to keep it as short as possible.

I will be back to you shortly with instructions. :(
Graduate from the WTT Malware Classroom
If you feel I have helped you, please consider a donation.
Topics will be closed after three days if there is no response.
Please do not PM me for malware removal assistance.

#3 Raktor
Posted 18 October 2009 - 09:04 PM

Hi, welcome to the BC Forums. My username is Raktor, and I would be glad to help you with your malware issues. I'd be grateful if you would note the following:
  • Absence of symptoms does not always mean the computer is clean
  • Please do not run any scans or fixes without my direction.
  • Finally, stay with this topic until I give you the final 'All clear' post.
1) exeHelper
Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

2) Combofix
Download Combofix from any of the links below but rename it to paperclip.exe before saving it to your desktop.

Link 1
Link 2


==================================

Double click on the renamed ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.
3) What You Will Need To Post:
  • exeHelper log
  • Combofix log


#4 effingpcs
Posted 19 October 2009 - 05:05 PM

Thank you for helping me.

exehelperlog:

exeHelper by Raktor
Build 20091018
Run at 16:25:32 on 10/19/09
Now searching...
Checking for numerical processes...
Deleting file C:\Documents and Settings\All Users\Application Data\42196426\42196426.exe
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\42196426
Deleting file C:\Documents and Settings\All Users\Application Data\63067022\63067022.exe
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\63067022
Checking for bad processes...
Checking for bad files...
Deleting file C:\WINDOWS\svchast.exe
Deleting file C:\WINDOWS\system32\~.exe
Deleting file C:\WINDOWS\system32\bincd32.dat
Deleting file C:\WINDOWS\system32\pump.exe
Deleting file C:\WINDOWS\system32\calc.dll
Error deleting C:\WINDOWS\system32\calc.dll
Deleting file C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe
Deleting file C:\Documents and Settings\Brad Hanson\ntuser.dll
Checking for bad registry entries...
Removing HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc
Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antivirus Pro 2010
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--



combofix log:

ComboFix 09-10-19.01 - Brad Hanson 10/19/2009 16:44.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.680 [GMT -5:00]
Running from: c:\documents and settings\Brad Hanson\Desktop\paperclip.exe
AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
.
The following files were disabled during the run:
c:\windows\system32\SSMSFltr.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\98889345
c:\documents and settings\All Users\Application Data\98889345\98889345.exe
c:\documents and settings\All Users\Application Data\axuxab.reg
c:\documents and settings\All Users\Application Data\ofoq.reg
c:\documents and settings\All Users\Application Data\pijo.sys
c:\documents and settings\All Users\Application Data\sizusa.reg
c:\documents and settings\All Users\Documents\uhon.vbs
c:\documents and settings\All Users\Documents\uqipu._dl
c:\documents and settings\All Users\Documents\zugemeheh._sy
c:\documents and settings\Brad Hanson\Application Data\awijicyji.com
c:\documents and settings\Brad Hanson\Application Data\iniasd.txt
c:\documents and settings\Brad Hanson\Application Data\laqewecyb.vbs
c:\documents and settings\Brad Hanson\Application Data\lizkavd.exe
c:\documents and settings\Brad Hanson\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\Brad Hanson\Application Data\pipez.scr
c:\documents and settings\Brad Hanson\Application Data\qywuzogul.sys
c:\documents and settings\Brad Hanson\Application Data\raro.bat
c:\documents and settings\Brad Hanson\Application Data\seres.exe
c:\documents and settings\Brad Hanson\Application Data\svcst.exe
c:\documents and settings\Brad Hanson\Application Data\ziqimyvu.bin
c:\documents and settings\Brad Hanson\Cookies\anava.reg
c:\documents and settings\Brad Hanson\Cookies\esigatabib.dl
c:\documents and settings\Brad Hanson\Cookies\kymi.reg
c:\documents and settings\Brad Hanson\Cookies\univygupyd.scr
c:\documents and settings\Brad Hanson\Cookies\xuka.dll
c:\documents and settings\Brad Hanson\Desktop\Security Tool.lnk
c:\documents and settings\Brad Hanson\Local Settings\Application Data\obafoxaju.dll
c:\documents and settings\Brad Hanson\Local Settings\Application Data\rakyw.com
c:\documents and settings\Brad Hanson\Local Settings\Application Data\ufogozesy.inf
c:\documents and settings\Brad Hanson\Local Settings\Application Data\ytuham.exe
c:\documents and settings\Brad Hanson\Local Settings\Temporary Internet Files\fikokexez.inf
c:\documents and settings\Brad Hanson\Local Settings\Temporary Internet Files\fuwudyni.lib
c:\documents and settings\Brad Hanson\Local Settings\Temporary Internet Files\gobo.scr
c:\documents and settings\Brad Hanson\Local Settings\Temporary Internet Files\ofycedy._sy
c:\documents and settings\Brad Hanson\Local Settings\Temporary Internet Files\pivoqyw.exe
c:\documents and settings\Brad Hanson\Local Settings\Temporary Internet Files\wuzuloxezu.dat
c:\documents and settings\Brad Hanson\Local Settings\Temporary Internet Files\yhusazuh.reg
c:\documents and settings\Brad Hanson\Local Settings\Temporary Internet Files\ykex.com
c:\documents and settings\Brad Hanson\Local Settings\Temporary Internet Files\yqyzivopa.dat
c:\documents and settings\Brad Hanson\ntuser.dll
c:\documents and settings\Brad Hanson\Start Menu\Programs\Security Tool.lnk
c:\documents and settings\Brad Hanson\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\Brad Hanson\Start Menu\Programs\Startup\scandisk.lnk
C:\explorer.exe
C:\p2hhr.bat
c:\program files\AntivirusPro_2010
c:\program files\AntivirusPro_2010\AntivirusPro_2010.cfg
c:\program files\Common Files\emotira.ban
c:\program files\Shared\_lib.dll
c:\program files\Shared\_lib.sig
c:\program files\Shared\lib.dll
c:\program files\Shared\lib.sig
c:\program files\Windows Police Pro
c:\program files\Windows Police Pro\msvcm80.dll
c:\program files\Windows Police Pro\msvcp80.dll
c:\program files\Windows Police Pro\msvcr80.dll
c:\recycler\S-1-5-21-2000478354-688789844-854245398-1003
c:\recycler\S-1-5-21-2199401957-2809494133-1451187707-1003
c:\recycler\S-1-5-21-2439543660-19050927-583048807-1003
c:\recycler\S-1-5-21-2463139515-1481026718-850394113-1003
c:\recycler\S-1-5-21-3444987919-1690889650-2838118241-1003
c:\recycler\S-1-5-21-3462227264-1673199333-3525804930-1003
c:\recycler\S-1-5-21-3840681353-2081936450-3881595301-1003
c:\recycler\S-1-5-21-4036666833-22613628-509585709-1003
c:\recycler\S-1-5-21-4085103501-2265890105-2952476623-1003
c:\recycler\S-1-5-21-565055364-3504331643-3563165500-1003
c:\recycler\S-1-5-21-782344975-1939048165-345496721-1003
c:\windows\DRIVERS\beep.sys
c:\windows\ezehire.reg
c:\windows\jestertb.dll
c:\windows\julycij.dll
c:\windows\mark_32.dll
c:\windows\nuxyhy.dll
c:\windows\odasoh.scr
c:\windows\ojis.inf
c:\windows\oqiqokurom.inf
c:\windows\setup.exe
c:\windows\system32\_scui.cpl
c:\windows\system32\ajabi.bin
c:\windows\system32\bebuviza.dll
c:\windows\system32\bimefili.dll
c:\windows\system32\calc.dll
c:\windows\system32\dce4c5c1-af59-5459-b62c-51a1a6f376fa.exe
c:\windows\system32\drivers\gasfkyvmlhmlrs.sys
c:\windows\system32\dukotova.dll
c:\windows\system32\fasihebu.dll
c:\windows\system32\gajukilu.dll
c:\windows\system32\gasfkyakvviqje.dat
c:\windows\system32\gasfkygmobwwhi.dll
c:\windows\system32\gasfkyurthltpq.dat
c:\windows\system32\gasfkywyvppwnb.dll
c:\windows\system32\gasfkyxtnpmofu.dll
c:\windows\system32\gezokije.dll
c:\windows\system32\gitalobo.exe
c:\windows\system32\govegomu.dll
c:\windows\system32\hodajupi.exe
c:\windows\system32\jipolone.dll.tmp
c:\windows\system32\jumayiya.dll
c:\windows\system32\lonafaze.dll
c:\windows\system32\lydijyc.sys
c:\windows\system32\ripeyoji.dll
c:\windows\system32\sbmunda0.dll
c:\windows\system32\schtml
c:\windows\system32\schtml\dbsinit.exe
c:\windows\system32\schtml\images\i1.gif
c:\windows\system32\schtml\images\i2.gif
c:\windows\system32\schtml\images\i3.gif
c:\windows\system32\schtml\images\j1.gif
c:\windows\system32\schtml\images\j2.gif
c:\windows\system32\schtml\images\j3.gif
c:\windows\system32\schtml\images\jj1.gif
c:\windows\system32\schtml\images\jj2.gif
c:\windows\system32\schtml\images\jj3.gif
c:\windows\system32\schtml\images\l1.gif
c:\windows\system32\schtml\images\l2.gif
c:\windows\system32\schtml\images\l3.gif
c:\windows\system32\schtml\images\pix.gif
c:\windows\system32\schtml\images\t1.gif
c:\windows\system32\schtml\images\t2.gif
c:\windows\system32\schtml\images\up1.gif
c:\windows\system32\schtml\images\up2.gif
c:\windows\system32\schtml\images\w1.gif
c:\windows\system32\schtml\images\w11.gif
c:\windows\system32\schtml\images\w2.gif
c:\windows\system32\schtml\images\w3.gif
c:\windows\system32\schtml\images\w3.jpg
c:\windows\system32\schtml\images\wt1.gif
c:\windows\system32\schtml\images\wt2.gif
c:\windows\system32\schtml\images\wt3.gif
c:\windows\system32\schtml\wispex.html
c:\windows\system32\tahisepi.dll
c:\windows\system32\tuwihavo.dll
c:\windows\system32\vayihufi.dll
c:\windows\system32\vebesade.dll.tmp
c:\windows\system32\wawavara.exe
c:\windows\system32\yizuwedu.dll
c:\windows\system32\yizuwedu.exe
c:\windows\system32\zugikuhi.dll.tmp
c:\windows\wedipycozo.bat
c:\windows\wf3.dat
c:\windows\wf4.dat
c:\windows\wulicyqe.dll
c:\windows\ykixujyxuf.reg
c:\windows\ywarizoci.scr

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gasfkyodoymyhx
-------\Legacy_gasfkyodoymyhx
-------\Legacy_ANTIPOL


((((((((((((((((((((((((( Files Created from 2009-09-19 to 2009-10-19 )))))))))))))))))))))))))))))))
.

2009-10-18 03:38 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-18 03:38 . 2009-10-18 03:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-18 03:38 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-17 23:34 . 2009-10-17 23:34 4045544 -c--a-w- C:\mbam-setup.exe
2009-10-16 23:21 . 2009-10-19 21:25 -------- dc----w- c:\documents and settings\All Users\Application Data\63067022
2009-10-14 04:06 . 2009-10-19 21:25 -------- dc----w- c:\documents and settings\All Users\Application Data\42196426
2009-10-14 04:00 . 2009-10-14 04:00 79360 -c--a-w- C:\jboy.exe
2009-10-14 04:00 . 2009-10-14 04:00 9216 -c--a-w- C:\svhkapw.exe
2009-10-14 04:00 . 2009-10-14 04:00 100352 -c--a-w- C:\lyqr.exe
2009-10-14 04:00 . 2009-10-14 04:00 24064 -c--a-w- C:\nmihj.exe
2009-10-14 04:00 . 2009-10-14 04:00 19456 -c--a-w- C:\cwxa.exe
2009-10-14 04:00 . 2009-10-14 04:00 53248 -c--a-w- C:\riyxlqe.exe
2009-10-14 04:00 . 2009-10-14 04:00 31232 -c--a-w- C:\iytcqy.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-19 21:50 . 2009-08-15 19:22 -------- d-----w- c:\program files\Shared
2009-09-10 20:05 . 2009-09-10 20:05 18249 -c--a-w- c:\documents and settings\All Users\Application Data\ahahuvitir.sys
2009-09-10 20:05 . 2009-09-10 20:05 16312 ----a-w- c:\documents and settings\Brad Hanson\Local Settings\Application Data\omoletow.com
2009-09-10 20:05 . 2009-09-10 20:05 12488 ----a-w- c:\program files\Common Files\tiqiny.lib
2009-09-10 20:05 . 2009-09-10 20:05 16467 -c--a-w- c:\documents and settings\All Users\Application Data\fexarokapy.scr
2009-09-10 20:05 . 2009-09-10 20:05 11004 ----a-w- c:\program files\Common Files\paten._dl
2009-08-25 02:45 . 2009-08-25 02:45 -------- d-----w- c:\documents and settings\Brad Hanson\Application Data\Malwarebytes
2009-08-25 02:44 . 2009-08-25 02:44 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-25 02:01 . 2009-08-25 02:01 18739 ----a-w- c:\program files\Common Files\afutivaj.dat
2009-08-25 02:01 . 2009-08-25 02:01 17699 ----a-w- c:\documents and settings\Brad Hanson\Local Settings\Application Data\aziramux.dll
2009-08-25 02:01 . 2009-08-25 02:01 17171 ----a-w- c:\windows\nahuduqon.pif
2009-08-25 02:01 . 2009-08-25 02:01 13496 ----a-w- c:\program files\Common Files\ebivagyb._sy
2009-08-25 02:01 . 2009-08-25 02:01 11852 ----a-w- c:\program files\Common Files\bezuhewigo.pif
2009-08-25 02:01 . 2009-08-25 02:01 11109 ----a-w- c:\documents and settings\Brad Hanson\Application Data\ipokovyjop.dat
2009-08-25 02:01 . 2009-08-25 02:01 10414 ----a-w- c:\windows\yxisufytob.bin
2009-08-25 02:01 . 2009-08-25 02:01 10386 ----a-w- c:\windows\tijoququhe.com
2009-08-05 09:11 . 2004-08-14 02:37 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2006-10-31 02:31 . 2006-10-31 02:32 774144 -c--a-w- c:\program files\RngInterstitial.dll
2009-07-17 22:40 . 2009-07-17 22:40 1089058 --sha-w- c:\windows\system32\bupuyafo.exe
2009-07-19 21:22 . 2009-07-19 21:22 27648 --sha-w- c:\windows\system32\doneluvo.exe
2009-07-15 00:14 . 2009-07-15 00:14 25600 --sha-w- c:\windows\system32\filokinu.exe
2009-07-19 21:22 . 2009-07-19 21:22 3 --sha-w- c:\windows\system32\giyesewu.dll
2009-07-15 13:52 . 2009-07-15 13:52 1117124 --sha-w- c:\windows\system32\lorizuzu.exe
2009-07-19 21:22 . 2009-07-19 21:22 193544 --sha-w- c:\windows\system32\wegahuwe.exe
2009-07-16 03:17 . 2009-07-16 03:17 1114048 --sha-w- c:\windows\system32\yufobata.exe
2009-07-19 21:22 . 2009-07-19 21:22 1051682 --sha-w- c:\windows\system32\zizakohe.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-26 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hcontrol"="c:\windows\ATK0100\Hcontrol.exe" [2003-09-20 61440]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-08 114688]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-11 339968]
"CreateCD_Reminder"="c:\windows\Sonysys\VAIO Recovery\reminder.exe" [2004-07-16 53248]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2004-06-30 180224]
"HKSERV.EXE"="c:\program files\Sony\HotKey Utility\HKserv.exe" [2004-06-29 122880]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2004-08-03 294912]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2004-01-17 135168]
"VAIOSurvey"="c:\program files\sony\vaio survey\surveysa.exe" [2004-07-30 331776]
"VMConsole.exe"="c:\program files\Sony\VAIO Media Integrated Server\Platform\VMConsole.exe" [2004-06-24 557056]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-10-31 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"Mouse Suite 98 Daemon"="ICO.EXE" - c:\windows\system32\ico.exe [2002-03-14 45056]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Audio Filter.lnk - c:\program files\Sony\SonicStage Mastering Studio\Audio Filter\SSMSFilter.exe [2004-12-16 2707456]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-7-11 111376]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-7-11 51984]
Remocon Driver.lnk - c:\program files\sony\usbsircs\usbsircs.exe [2004-8-18 229376]
Timer Recording Manager.lnk - c:\program files\Sony\Giga Pocket\ReserveModule.exe [2004-8-18 262144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave1"=SSMSFltr.dll
"mixer1"=SSMSFltr.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\2.0\\Apps\\PhotoshopAlbum.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3791:UDP"= 3791:UDP:Windows Media Format SDK (iexplore.exe)
"3790:UDP"= 3790:UDP:Windows Media Format SDK (iexplore.exe)

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1000000.07D\SymEFA.sys [10/21/2008 1:03 PM 309296]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1000000.07D\BHDrvx86.sys [10/21/2008 1:03 PM 254512]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1000000.07D\ccHPx86.sys [10/21/2008 1:03 PM 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20081031.001\IDSxpx86.sys [10/31/2008 12:43 PM 274808]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe [10/21/2008 1:03 PM 115560]
R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe [8/16/2004 10:41 PM 118877]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [8/13/2004 9:38 PM 71961]
S2 gupdate1c9ddab1317fa50;Google Update Service (gupdate1c9ddab1317fa50);c:\program files\Google\Update\GoogleUpdate.exe [5/25/2009 9:38 PM 133104]
S3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [8/14/2004 11:35 AM 17251]
S3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\PELUSBlf.SYS [8/14/2004 11:35 AM 7520]
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM --> c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM [?]
.
Contents of the 'Scheduled Tasks' folder

2009-10-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-10-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-26 02:36]

2009-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-26 02:38]

2009-10-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-26 02:38]

2009-10-18 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-08-14 23:26]

2009-10-19 c:\windows\Tasks\User_Feed_Synchronization-{B5D52FBE-8FF2-4F0B-BE11-78DB0A963225}.job
- c:\windows\system32\msfeedssync.exe [2009-01-15 08:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

BHO-{544bfe5c-2396-48c3-8059-ab6ceaf61211} - ripeyoji.dll
HKCU-Run-Sonic RecordNow! - (no file)
HKLM-Run-98889345 - c:\docume~1\ALLUSE~1\APPLIC~1\98889345\98889345.exe
HKLM-Run-jahameduz - c:\windows\system32\bimefili.dll
HKLM-Run-napubefavi - lonafaze.dll
SharedTaskScheduler-{4173061a-73c0-4597-980d-97397a43c522} - c:\windows\system32\bimefili.dll
SSODL-sutajilad-{4173061a-73c0-4597-980d-97397a43c522} - c:\windows\system32\bimefili.dll
AddRemove-dce4c5c1-af59-5459-b62c-51a1a6f376fa - c:\windows\system32\dce4c5c1-af59-5459-b62c-51a1a6f376fa.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-19 16:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1020)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3812)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\paperclip\CF28329.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Sony\Giga Pocket\shwserv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Sony\VAIO Media Integrated Server\VMISrv.exe
c:\windows\ATK0100\ATKOSD.exe
c:\windows\system32\rundll32.exe
c:\program files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Sony\HotKey Utility\HKWnd.exe
c:\program files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
c:\program files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
c:\program files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
c:\program files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
c:\program files\Microsoft Office\Office\1033\MSOFFICE.EXE
c:\program files\Sony\Giga Pocket\gps.exe
c:\program files\Sony\Giga Pocket\RM_SV.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Java\jre6\bin\jucheck.exe
c:\windows\SoftwareDistribution\Download\Install\NDP1.1sp1-KB953297-X86.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\msiexec.exe
c:\program files\Norton AntiVirus\Engine\16.0.0.125\CLTLMH.EXE
.
**************************************************************************
.
Completion time: 2009-10-19 17:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-19 21:59

Pre-Run: 35,720,056,832 bytes free
Post-Run: 36,101,103,616 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 9FA1B6E48789B0F1F2A1E2CC9312CC41

#5 Raktor

Raktor

  • Members
  • 68 posts
  • OFFLINE
  • Local time:03:04 PM

Posted 20 October 2009 - 07:42 PM

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

http://www.bleepingcomputer.com/forums/ind...howtopic=265168

Collect::
C:\jboy.exe
C:\svhkapw.exe
C:\lyqr.exe
C:\nmihj.exe
C:\cwxa.exe
C:\riyxlqe.exe
C:\iytcqy.exe
c:\documents and settings\All Users\Application Data\ahahuvitir.sys
c:\documents and settings\Brad Hanson\Local Settings\Application Data\omoletow.com
c:\program files\Common Files\tiqiny.lib
c:\documents and settings\All Users\Application Data\fexarokapy.scr
c:\program files\Common Files\paten._dl
c:\program files\Common Files\afutivaj.dat
c:\documents and settings\Brad Hanson\Local Settings\Application Data\aziramux.dll
c:\windows\nahuduqon.pif
c:\program files\Common Files\ebivagyb._sy
c:\program files\Common Files\bezuhewigo.pif
c:\documents and settings\Brad Hanson\Application Data\ipokovyjop.dat
c:\windows\yxisufytob.bin
c:\windows\tijoququhe.com
c:\windows\system32\bupuyafo.exe
c:\windows\system32\doneluvo.exe
c:\windows\system32\filokinu.exe
c:\windows\system32\giyesewu.dll
c:\windows\system32\lorizuzu.exe
c:\windows\system32\wegahuwe.exe
c:\windows\system32\yufobata.exe
c:\windows\system32\zizakohe.exe

Folder::
c:\documents and settings\All Users\Application Data\63067022
c:\documents and settings\All Users\Application Data\42196426

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 1


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Graduate from the WTT Malware Classroom
If you feel I have helped you, please consider a donation.
Topics will be closed after three days if there is no response.
Please do not PM me for malware removal assistance.
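A log-triage helper, added here as an illustration and not part of this thread, of ComboFix or of Raktor's procedure: it parses the file-entry lines ComboFix printed above, applies the same kind of judgement calls behind the script (hidden+system binaries in system32, executables dropped in the drive root, all-digit folders under Application Data, loose .pif/.com/.lib files in data directories), checks the EnableFirewall value, and renders Collect:: and Folder:: sections in the CFScript layout shown above. The sample lines are copied from the log in this thread; the heuristics, function names and the topic-URL placeholder are my own assumptions, and the result is a list for a human to review before anything is removed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample: file-listing lines copied from the ComboFix log above,
# plus the firewall-policy lines from its "Reg Loading Points" section.
SAMPLE_LOG = r"""
2009-10-16 23:21 . 2009-10-19 21:25 -------- dc----w- c:\documents and settings\All Users\Application Data\63067022
2009-10-14 04:00 . 2009-10-14 04:00 79360 -c--a-w- C:\jboy.exe
2009-09-10 20:05 . 2009-09-10 20:05 12488 ----a-w- c:\program files\Common Files\tiqiny.lib
2009-09-10 20:05 . 2009-09-10 20:05 16312 ----a-w- c:\documents and settings\Brad Hanson\Local Settings\Application Data\omoletow.com
2009-08-25 02:01 . 2009-08-25 02:01 17171 ----a-w- c:\windows\nahuduqon.pif
2009-08-05 09:11 . 2004-08-14 02:37 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2006-10-31 02:31 . 2006-10-31 02:32 774144 -c--a-w- c:\program files\RngInterstitial.dll
2009-07-17 22:40 . 2009-07-17 22:40 1089058 --sha-w- c:\windows\system32\bupuyafo.exe
2009-07-19 21:22 . 2009-07-19 21:22 3 --sha-w- c:\windows\system32\giyesewu.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# A file entry is "created . modified size attrs path"; size is "--------" for
# directories and attrs is an 8-letter mask (d=directory, c=compressed,
# s=system, h=hidden, a=archive, w=writable are the letters relied on here).
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b', re.M)

# Extensions with no business sitting loose in data directories; the rogue in
# this thread used several of them to disguise its droppings (assumed heuristic).
ODD_EXT = (".com", ".pif", ".scr", ".bat", ".bin", ".dat", ".lib", "._dl", "._sy")
EXEC_EXT = (".exe", ".dll", ".sys") + ODD_EXT

@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]
    attrs: Set[str]
    path: str

def parse_entries(text: str) -> List[Entry]:
    """Keep the lines that are file entries; banners and registry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            size = None if m["size"].startswith("-") else int(m["size"])
            entries.append(Entry(m["created"], m["modified"], size,
                                 set(m["attrs"]) - {"-"}, m["path"]))
    return entries

def judge(e: Entry) -> Optional[str]:
    """Reason string if the entry matches a rogue-AV dropping pattern, else None."""
    parent, _, name = e.path.lower().rpartition("\\")
    if "d" in e.attrs:
        # The rogue's per-install folders are all digits, e.g. 63067022.
        if name.isdigit() and parent.endswith("application data"):
            return "all-digit folder under Application Data"
        return None
    ext = next((x for x in EXEC_EXT if name.endswith(x)), None)
    if ext is None:
        return None
    if {"s", "h"} <= e.attrs and parent.endswith("\\system32"):
        return "hidden+system executable in system32"
    if parent == "c:":
        return "executable dropped in drive root"
    if parent == "c:\\windows" and ext in ODD_EXT:
        return f"{ext} file directly under c:\\windows"
    if parent.endswith(("application data", "common files")):
        return f"loose {ext} file under {parent}"
    return None

def triage(text: str) -> Tuple[List[Tuple[Entry, str]], bool]:
    """Flag suspicious entries and report whether the XP firewall is disabled."""
    findings = [(e, r) for e in parse_entries(text) if (r := judge(e))]
    return findings, FIREWALL_OFF_RE.search(text) is not None

def build_cfscript(findings: List[Tuple[Entry, str]], topic_url: str) -> str:
    """Render Collect:: and Folder:: sections in the CFScript layout used above."""
    files = [e.path for e, _ in findings if "d" not in e.attrs]
    folders = [e.path for e, _ in findings if "d" in e.attrs]
    lines = [topic_url, ""]
    if files:
        lines += ["Collect::", *files, ""]
    if folders:
        lines += ["Folder::", *folders, ""]
    return "\n".join(lines)

if __name__ == "__main__":
    found, fw_off = triage(SAMPLE_LOG)
    for entry, reason in found:  # a triage list for a human to review, not an auto-delete list
        print(f"{reason:44} {entry.path}")
    print("EnableFirewall is 0: firewall off" if fw_off else "firewall on")
    print(build_cfscript(found, "<topic URL placeholder>"))
```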

#6 effingpcs

effingpcs
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:04 PM

Posted 21 October 2009 - 02:59 PM

I did all that. Do I post the log? Or did it upload automatically?

#7 Raktor

Raktor

  • Members
  • 68 posts
  • OFFLINE
  • Local time:03:04 PM

Posted 21 October 2009 - 04:41 PM

Please post the new log. :(

#8 effingpcs

effingpcs
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:04 PM

Posted 21 October 2009 - 07:32 PM

ComboFix 09-10-19.01 - Brad Hanson 10/21/2009 14:46.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.645 [GMT -5:00]
Running from: c:\documents and settings\Brad Hanson\Desktop\paperclip.exe
Command switches used :: c:\documents and settings\Brad Hanson\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}

file zipped: C:\cwxa.exe
file zipped: c:\documents and settings\All Users\Application Data\ahahuvitir.sys
file zipped: c:\documents and settings\All Users\Application Data\fexarokapy.scr
file zipped: c:\documents and settings\Brad Hanson\Application Data\ipokovyjop.dat
file zipped: c:\documents and settings\Brad Hanson\Local Settings\Application Data\aziramux.dll
file zipped: c:\documents and settings\Brad Hanson\Local Settings\Application Data\omoletow.com
file zipped: C:\iytcqy.exe
file zipped: C:\jboy.exe
file zipped: C:\lyqr.exe
file zipped: C:\nmihj.exe
file zipped: c:\program files\Common Files\afutivaj.dat
file zipped: c:\program files\Common Files\bezuhewigo.pif
file zipped: c:\program files\Common Files\ebivagyb._sy
file zipped: c:\program files\Common Files\paten._dl
file zipped: c:\program files\Common Files\tiqiny.lib
file zipped: C:\riyxlqe.exe
file zipped: C:\svhkapw.exe
file zipped: c:\windows\nahuduqon.pif
file zipped: c:\windows\system32\bupuyafo.exe
file zipped: c:\windows\system32\doneluvo.exe
file zipped: c:\windows\system32\filokinu.exe
file zipped: c:\windows\system32\giyesewu.dll
file zipped: c:\windows\system32\lorizuzu.exe
file zipped: c:\windows\system32\wegahuwe.exe
file zipped: c:\windows\system32\yufobata.exe
file zipped: c:\windows\system32\zizakohe.exe
file zipped: c:\windows\tijoququhe.com
file zipped: c:\windows\yxisufytob.bin
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\cwxa.exe
c:\documents and settings\All Users\Application Data\42196426
c:\documents and settings\All Users\Application Data\42196426\42196426.bat
c:\documents and settings\All Users\Application Data\63067022
c:\documents and settings\All Users\Application Data\ahahuvitir.sys
c:\documents and settings\All Users\Application Data\fexarokapy.scr
c:\documents and settings\Brad Hanson\Application Data\ipokovyjop.dat
c:\documents and settings\Brad Hanson\Local Settings\Application Data\aziramux.dll
c:\documents and settings\Brad Hanson\Local Settings\Application Data\omoletow.com
C:\iytcqy.exe
C:\jboy.exe
C:\lyqr.exe
C:\nmihj.exe
c:\program files\Common Files\afutivaj.dat
c:\program files\Common Files\bezuhewigo.pif
c:\program files\Common Files\ebivagyb._sy
c:\program files\Common Files\paten._dl
c:\program files\Common Files\tiqiny.lib
c:\program files\Shared
C:\riyxlqe.exe
C:\svhkapw.exe
c:\windows\nahuduqon.pif
c:\windows\system32\bupuyafo.exe
c:\windows\system32\doneluvo.exe
c:\windows\system32\filokinu.exe
c:\windows\system32\giyesewu.dll
c:\windows\system32\lorizuzu.exe
c:\windows\system32\wegahuwe.exe
c:\windows\system32\yufobata.exe
c:\windows\system32\zizakohe.exe
c:\windows\tijoququhe.com
c:\windows\yxisufytob.bin

.
((((((((((((((((((((((((( Files Created from 2009-09-21 to 2009-10-21 )))))))))))))))))))))))))))))))
.

2009-10-20 00:28 . 2009-10-20 00:28 -------- d-----w- c:\documents and settings\Brad Hanson\Local Settings\Application Data\PCHealth
2009-10-18 03:38 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-18 03:38 . 2009-10-18 03:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-18 03:38 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-17 23:34 . 2009-10-17 23:34 4045544 -c--a-w- C:\mbam-setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-11 14:33 . 2004-08-14 02:37 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45 . 2004-08-14 02:37 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:16 . 2004-08-14 02:37 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 02:45 . 2009-08-25 02:45 -------- d-----w- c:\documents and settings\Brad Hanson\Application Data\Malwarebytes
2009-08-25 02:44 . 2009-08-25 02:44 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-05 09:11 . 2004-08-14 02:37 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 14:00 . 2004-08-14 02:37 2180352 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 13:13 . 2004-08-03 22:59 2057728 ------w- c:\windows\system32\ntkrnlpa.exe
2006-10-31 02:31 . 2006-10-31 02:32 774144 -c--a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-10-19_21.53.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-21 19:33 . 2009-10-21 19:33 16384 c:\windows\Temp\Perflib_Perfdata_278.dat
+ 2004-12-16 23:10 . 2004-07-27 02:20 81920 c:\windows\system32\SSMSFltr.dll
+ 2009-09-04 20:45 . 2009-09-04 20:45 58880 c:\windows\system32\dllcache\msasn1.dll
+ 2009-08-07 00:24 . 2009-08-07 00:24 44768 c:\windows\SoftwareDistribution\SelfUpdate\Default\wups2.dll
+ 2009-08-07 00:24 . 2009-08-07 00:24 35552 c:\windows\SoftwareDistribution\SelfUpdate\Default\wups.dll
+ 2009-08-07 00:24 . 2009-08-07 00:24 53472 c:\windows\SoftwareDistribution\SelfUpdate\Default\wuauclt.exe
+ 2009-08-07 00:24 . 2009-08-07 00:24 96480 c:\windows\SoftwareDistribution\SelfUpdate\Default\cdm.dll
+ 2009-06-25 00:56 . 2009-06-25 00:56 73728 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe
+ 2008-05-28 05:49 . 2008-05-28 05:49 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2007-04-14 01:58 . 2007-04-14 01:58 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2007-04-14 01:57 . 2007-04-14 01:57 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2008-05-28 05:49 . 2008-05-28 05:49 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2008-05-28 05:49 . 2008-05-28 05:49 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2007-04-14 01:57 . 2007-04-14 01:57 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
+ 2008-05-28 06:30 . 2008-05-28 06:30 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
- 2007-04-14 02:30 . 2007-04-14 02:30 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2009-10-20 00:24 . 2009-10-20 00:24 90112 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_f824791f\System.Drawing.Design.dll
+ 2009-10-20 00:24 . 2009-10-20 00:24 61440 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_bb412ab6\CustomMarshalers.dll
+ 2004-08-14 02:37 . 2009-04-10 06:01 530280 c:\windows\system32\wmspdmod.dll
+ 2004-08-14 02:37 . 2009-04-10 06:01 530280 c:\windows\system32\dllcache\wmspdmod.dll
+ 2004-08-14 02:37 . 2009-08-26 08:16 247326 c:\windows\system32\dllcache\strmdll.dll
- 2004-08-14 02:37 . 2008-10-03 10:15 247326 c:\windows\system32\dllcache\strmdll.dll
- 2009-06-25 08:44 . 2009-06-25 08:44 133632 c:\windows\system32\dllcache\msv1_0.dll
+ 2009-06-25 08:44 . 2009-09-11 14:33 133632 c:\windows\system32\dllcache\msv1_0.dll
+ 2009-08-07 00:24 . 2009-08-07 00:24 209632 c:\windows\SoftwareDistribution\SelfUpdate\Default\wuweb.dll
+ 2009-08-07 00:24 . 2009-08-07 00:24 327896 c:\windows\SoftwareDistribution\SelfUpdate\Default\wucltui.dll
+ 2009-08-07 00:23 . 2009-08-07 00:23 575704 c:\windows\SoftwareDistribution\SelfUpdate\Default\wuapi.dll
+ 2008-05-28 05:49 . 2008-05-28 05:49 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2007-04-14 01:58 . 2007-04-14 01:58 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2007-04-14 01:56 . 2007-04-14 01:56 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2008-05-28 05:48 . 2008-05-28 05:48 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2008-05-28 06:30 . 2008-05-28 06:30 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
- 2007-04-14 02:30 . 2007-04-14 02:30 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2009-10-20 00:25 . 2009-10-20 00:25 835584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_cf287bee\System.Drawing.dll
+ 2009-10-20 00:25 . 2009-10-20 00:25 192512 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_c0972d31\System.Drawing.Design.dll
+ 2009-10-20 00:25 . 2009-10-20 00:25 118784 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_175d872c\CustomMarshalers.dll
+ 2009-10-14 03:54 . 2009-08-13 13:55 1748992 c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\GdiPlus.dll
+ 2004-08-14 02:37 . 2009-07-17 16:27 1435648 c:\windows\system32\query.dll
- 2004-08-14 02:37 . 2006-06-22 05:06 1435648 c:\windows\system32\query.dll
+ 2004-08-14 02:37 . 2009-07-17 16:27 1435648 c:\windows\system32\dllcache\query.dll
- 2004-08-14 02:37 . 2006-06-22 05:06 1435648 c:\windows\system32\dllcache\query.dll
+ 2007-02-28 09:10 . 2009-08-04 14:00 2180352 c:\windows\system32\dllcache\ntoskrnl.exe
+ 2007-02-28 08:38 . 2009-08-04 13:13 2015744 c:\windows\system32\dllcache\ntkrpamp.exe
- 2007-02-28 08:38 . 2009-02-06 16:49 2015744 c:\windows\system32\dllcache\ntkrpamp.exe
- 2007-02-28 08:38 . 2009-02-06 16:49 2057728 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2007-02-28 08:38 . 2009-08-04 13:13 2057728 c:\windows\system32\dllcache\ntkrnlpa.exe
- 2007-02-28 09:08 . 2009-02-06 17:22 2136064 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2007-02-28 09:08 . 2009-08-04 13:58 2136064 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2009-08-07 00:23 . 2009-08-07 00:23 1929952 c:\windows\SoftwareDistribution\SelfUpdate\Default\wuaueng.dll
+ 2008-05-28 06:35 . 2008-05-28 06:35 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
- 2007-04-14 02:35 . 2007-04-14 02:35 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
- 2007-04-14 02:35 . 2007-04-14 02:35 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
+ 2008-05-28 06:35 . 2008-05-28 06:35 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
+ 2008-05-28 05:48 . 2008-05-28 05:48 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
- 2007-04-14 01:57 . 2007-04-14 01:57 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
- 2007-04-14 01:57 . 2007-04-14 01:57 2523136 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
+ 2008-05-28 05:48 . 2008-05-28 05:48 2523136 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
+ 2008-05-28 05:43 . 2008-05-28 05:43 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
- 2007-04-14 01:50 . 2007-04-14 01:50 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2005-03-02 00:59 . 2009-08-04 14:00 2180352 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2005-03-02 00:34 . 2009-08-04 13:13 2015744 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2005-03-02 00:34 . 2009-02-06 16:49 2015744 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2005-03-02 00:34 . 2009-02-06 16:49 2057728 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2005-03-02 00:34 . 2009-08-04 13:13 2057728 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2005-03-02 00:57 . 2009-02-06 17:22 2136064 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2005-03-02 00:57 . 2009-08-04 13:58 2136064 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2009-10-20 00:25 . 2009-10-20 00:25 4792320 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_c418dcf1\System.dll
+ 2009-10-20 00:24 . 2009-10-20 00:24 1966080 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_b1c170a1\System.dll
+ 2009-10-20 00:25 . 2009-10-20 00:25 2088960 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_a5dc81f1\System.Xml.dll
+ 2009-10-20 00:25 . 2009-10-20 00:25 5513216 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_856d0251\System.Xml.dll
+ 2009-10-20 00:25 . 2009-10-20 00:25 7884800 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_8ffb3977\System.Windows.Forms.dll
+ 2009-10-20 00:25 . 2009-10-20 00:25 3018752 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_3f8fd354\System.Windows.Forms.dll
+ 2009-10-20 00:25 . 2009-10-20 00:25 2244608 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_73331b1f\System.Drawing.dll
+ 2009-10-20 00:25 . 2009-10-20 00:25 1470464 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_fcbd7c43\System.Design.dll
+ 2009-10-20 00:25 . 2009-10-20 00:25 3395584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_d20f5ea3\System.Design.dll
+ 2009-10-20 00:25 . 2009-10-20 00:25 3391488 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_ff09b702\mscorlib.dll
+ 2009-10-20 00:25 . 2009-10-20 00:25 8908800 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_f0119afc\mscorlib.dll
+ 2009-10-19 22:00 . 2009-10-19 22:00 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
- 2008-10-21 18:28 . 2008-10-21 18:28 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
- 2008-10-21 18:28 . 2008-10-21 18:28 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2009-10-19 22:00 . 2009-10-19 22:00 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2009-10-19 22:13 . 2009-10-02 16:01 25198016 c:\windows\system32\MRT.exe
+ 2009-08-11 02:08 . 2009-08-11 02:08 11315712 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp
+ 2009-08-10 19:09 . 2009-08-10 19:09 17254912 c:\windows\Installer\69565.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-26 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hcontrol"="c:\windows\ATK0100\Hcontrol.exe" [2003-09-20 61440]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-08 114688]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-11 339968]
"CreateCD_Reminder"="c:\windows\Sonysys\VAIO Recovery\reminder.exe" [2004-07-16 53248]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2004-06-30 180224]
"HKSERV.EXE"="c:\program files\Sony\HotKey Utility\HKserv.exe" [2004-06-29 122880]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2004-08-03 294912]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2004-01-17 135168]
"VAIOSurvey"="c:\program files\sony\vaio survey\surveysa.exe" [2004-07-30 331776]
"VMConsole.exe"="c:\program files\Sony\VAIO Media Integrated Server\Platform\VMConsole.exe" [2004-06-24 557056]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-10-31 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"Mouse Suite 98 Daemon"="ICO.EXE" - c:\windows\system32\ico.exe [2002-03-14 45056]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-04 110592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Audio Filter.lnk - c:\program files\Sony\SonicStage Mastering Studio\Audio Filter\SSMSFilter.exe [2004-12-16 2707456]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-7-11 111376]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-7-11 51984]
Remocon Driver.lnk - c:\program files\sony\usbsircs\usbsircs.exe [2004-8-18 229376]
Timer Recording Manager.lnk - c:\program files\Sony\Giga Pocket\ReserveModule.exe [2004-8-18 262144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave1"=SSMSFltr.dll
"mixer1"=SSMSFltr.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\2.0\\Apps\\PhotoshopAlbum.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3791:UDP"= 3791:UDP:Windows Media Format SDK (iexplore.exe)
"3790:UDP"= 3790:UDP:Windows Media Format SDK (iexplore.exe)

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1000000.07D\SymEFA.sys [10/21/2008 1:03 PM 309296]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1000000.07D\BHDrvx86.sys [10/21/2008 1:03 PM 254512]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1000000.07D\ccHPx86.sys [10/21/2008 1:03 PM 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20081031.001\IDSxpx86.sys [10/31/2008 12:43 PM 274808]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe [10/21/2008 1:03 PM 115560]
R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe [8/16/2004 10:41 PM 118877]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [8/13/2004 9:38 PM 71961]
S2 gupdate1c9ddab1317fa50;Google Update Service (gupdate1c9ddab1317fa50);c:\program files\Google\Update\GoogleUpdate.exe [5/25/2009 9:38 PM 133104]
S3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [8/14/2004 11:35 AM 17251]
S3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\PELUSBlf.SYS [8/14/2004 11:35 AM 7520]
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM --> c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM [?]
.
Contents of the 'Scheduled Tasks' folder

2009-10-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-10-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-26 02:36]

2009-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-26 02:38]

2009-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-26 02:38]

2009-10-21 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-08-14 23:26]

2009-10-21 c:\windows\Tasks\User_Feed_Synchronization-{B5D52FBE-8FF2-4F0B-BE11-78DB0A963225}.job
- c:\windows\system32\msfeedssync.exe [2009-01-15 08:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-21 14:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1020)
c:\windows\system32\SSMSFltr.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1076)
c:\windows\system32\SSMSFltr.dll
.
Completion time: 2009-10-21 14:54
ComboFix-quarantined-files.txt 2009-10-21 19:54
ComboFix2.txt 2009-10-19 22:00

Pre-Run: 36,035,502,080 bytes free
Post-Run: 36,006,326,272 bytes free

- - End Of File - - F2AB464F319FA3B43A8BB9009D55B68F
Upload was successful

#9 Raktor

Raktor

  • Members
  • 68 posts

Posted 22 October 2009 - 06:00 PM

1) P2P Warning
P2P - I see you have P2P software (FrostWire) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It likely contributed to your current situation. This page will give you further information.
Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
Please see this topic for more information:
Perils of P2P File Sharing.
I would strongly recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs.

2) Update Java
Your version of Java is outdated.

Please download JavaRa to your desktop and unzip it to its own folder

Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
Accept any prompts.
Open JavaRa.exe again and select Search For Updates.
Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

3) Update Adobe
Your current version of Adobe Reader is out of date, and may contain security issues. Please uninstall the version you have now from Add/Remove programs, and then download and install the latest Adobe Reader.

4) Enable Windows Firewall
Please go to Start, Control Panel, Windows Firewall - and ensure that this is turned on.

5) MBAM
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
6) ESET
You can use either Internet Explorer or Mozilla Firefox for this scan.
  • Please go here then click on: [image]

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.

  • Select the option YES, I accept the Terms of Use then click on: [image]
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [image]
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: [image]
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
7) What You Will Need To Post:
  • MBAM log
  • ESET log
  • Status of your antivirus product - it states the definitions are outdated; do you have a current subscription?

Graduate from the WTT Malware Classroom
If you feel I have helped you, please consider a donation.
Topics will be closed after three days if there is no response.
Please do not PM me for malware removal assistance.
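An added triage helper, written for this thread and not part of the log tools or of Raktor's instructions: it parses the firewall-policy section quoted from the ComboFix log above and reports the two things the P2P warning and point 4 rest on, namely EnableFirewall = 0 on the standard profile and FrostWire sitting on the authorized-applications list. The sample text is copied from the log; the P2P watch-list and the function names are assumptions.

```python
import re
# Constructed sample: the firewall-policy registry dump as it appears in the log above.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3791:UDP"= 3791:UDP:Windows Media Format SDK (iexplore.exe)
"""
# Assumed watch-list of P2P client executables (FrostWire is the one named in the thread).
P2P_EXES = {"frostwire.exe", "limewire.exe", "utorrent.exe"}
SECTION_RE = re.compile(r"^\[(?P<path>.+)\]$")
ENTRY_RE = re.compile(r'^"(?P<key>[^"]+)"=\s*(?P<value>.*)$')


def triage_firewall(log_text):
    """Walk the firewallpolicy sections and pull out the settings a reviewer checks."""
    result = {"firewall_enabled": None, "authorized_apps": [], "p2p_apps": [], "open_ports": []}
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("path").lower()  # registry path of the block we are in
            continue
        m = ENTRY_RE.match(line)
        if not m or "firewallpolicy" not in section:
            continue
        key, value = m.group("key"), m.group("value").strip()
        if section.endswith("standardprofile") and key.lower() == "enablefirewall":
            result["firewall_enabled"] = not value.startswith("0")
        elif section.endswith("authorizedapplications\\list"):
            # the log doubles backslashes in paths; undo that and keep only the executable name
            exe = key.replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()
            result["authorized_apps"].append(exe)
            if exe in P2P_EXES:
                result["p2p_apps"].append(exe)
        elif section.endswith("globallyopenports\\list"):
            result["open_ports"].append(key)
    return result


def findings(log_text):
    r = triage_firewall(log_text)
    out = ["Windows Firewall is disabled on the standard profile"] if r["firewall_enabled"] is False else []
    out += [f"P2P client {exe} is whitelisted through the firewall" for exe in r["p2p_apps"]]
    out += [f"port {port} is globally open" for port in r["open_ports"]]
    return out
```

Running `findings(SAMPLE_LOG)` on the quoted lines yields the disabled-firewall, FrostWire and open-port points; the same function applied to a dump with `"EnableFirewall"= 1 (0x1)` and no authorized P2P client returns nothing.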

#10 effingpcs

effingpcs
  • Topic Starter

  • Members
  • 6 posts

Posted 23 October 2009 - 07:43 PM

Hello- thank you for all of your help. I know that your policy is that if no reply is given within 3 days the thread will be dropped. I just wanted you to know that I have been called out of town so I will be away from this computer until Monday 10/26. I have already done some of the steps but I won't have them all completed until Monday. Please don't delete this thread. You guys have been a huge help to me and I will post the requested logs as soon as I get back. I really appreciate all that you have done!!!

#11 Raktor

Raktor

  • Members
  • 68 posts

Posted 23 October 2009 - 08:27 PM

That's fine, thanks for letting us know. :(

#12 Raktor

Raktor

  • Members
  • 68 posts

Posted 28 October 2009 - 05:28 PM

Just checking how you're going with this... are you still with us?

#13 Carolyn

Carolyn

    Bleepin' kitten


  • Members
  • 2,131 posts

Posted 05 November 2009 - 01:01 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Member of ASAP (Alliance of Security Analysis Professionals)