Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google redirect malware issues


  • This topic is locked This topic is locked
32 replies to this topic

#1 alchemy10

alchemy10

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:08:18 PM

Posted 13 November 2009 - 09:46 PM

This seems to be a real nasty problem for a lot of people right now. I've pretty much tried everything that I can think of. I ran HijackThis.

When I do it says that "for some reason your system denied write access to the host file" and then it tells me that I need to edit the file myself using Run.

I really don't know how to do that, but it does seem to produce a log file - I wonder if anything got left out as a result of the problem? I wonder if the malware itself is causing this?

Just so that we are on the same page - this is the same virus that does redirects, and now its opening a million tabs in my firefox windows. Computer is slow, and sometimes my browser just "crashes".

Here's the log file. Thanks guys for any help.

********************************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:53 PM, on 11/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdoclc.dll/dnserror.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SonyPowerCfg] "C:\Program Files\Sony\VAIO Power Management\SPMgr.exe"
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [commentsniper] "C:\Program Files\Comment Sniper\CommentSniper.exe" startup
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [QuickPhrase] "C:\Program Files\TypingMaster\quickphrase\quickphrase.exe"
O4 - HKCU\..\Run: [IECheck] C:\WINDOWS\IECheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/rew/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 13291 bytes

BC AdBot (Login to Remove)

 


#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:18 PM

Posted 21 November 2009 - 08:26 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Also, please subscribe to this topic, so you are notified when someone replies. Please continue to check manually on occasion, as every now and then the email may be caught by your spam filter.
To enable topic notifications you should do the following:
  • Click on the My Controls link at the top of the page to enter your control panel.
  • Scroll down to the Options category in the left hand side menu bar and click on the Email Settings link.
  • Put a checkmark in the checkbox labeled Enable 'Email Notification' by default?.
  • Set the If ticked, choose default type: menu option to Immediate Email Notification to have an email sent immediately when someone replied.
Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#3 alchemy10

alchemy10
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:08:18 PM

Posted 25 November 2009 - 09:49 PM

Hi, I've downloaded everything, uninstalled, reinstalled, rebooted, researched and pulled my hair out. I really need help as its interfering with work now. Can anyone help?

Basic symptoms are redirects of searches, windows popping up, and now whenever I log into yahoo mail I get blasted like clockwork by b.s. yahoo surveys popping up that just want me to buy products after a few questions.

Any help would be great.

#4 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,112 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:07:18 PM

Posted 25 November 2009 - 10:42 PM

Hello alchemy10,

Now that I've verified that your two topics concern the same issue and computer, I have merged them to avoid confusion. Please post back with updated logs as requested in post 2 of this topic.

Because the e-mail notification system is unreliable, please be sure to check your topic at least once a day now that you've gotten a response. Also, please be sure to use the add-reply button to post your responses to this topic.

Orange Blossom :(
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.


animinionsmalltext.gif

#5 alchemy10

alchemy10
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:08:18 PM

Posted 25 November 2009 - 10:56 PM

Thanks so much - you guys rock!! I've done as instructed so here is the log that I was able to produce. I attached the "Attach.zip" file and hopefully I did it right so that you guys can use it. You should take donations for your hard work - do you? :(

Anyways - bless you all

LOG FILE BELOW
*********************************************************************************88


DDS (Ver_09-11-24.02) - NTFSx86
Run by rew at 22:42:35.93 on Wed 11/25/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.418 [GMT -5:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Sygate\SPF\smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Documents and Settings\rew\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = res://c:\windows\system32\shdoclc.dll/dnserror.htm
mDefault_Page_URL = hxxp://www.sony.com/vaiopeople
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: Yahoo! 工具列: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.0\NppBho.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_07\bin\ssv.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.0\UIBHO.dll
TB: Yahoo! 工具列: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
uRun: [QuickPhrase] "c:\program files\typingmaster\quickphrase\quickphrase.exe"
uRun: [IECheck] c:\windows\IECheck.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_07\bin\jusched.exe
mRun: [SonyPowerCfg] "c:\program files\sony\vaio power management\SPMgr.exe"
mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
mRun: [<NO NAME>]
mRun: [Switcher.exe] c:\program files\sony\wireless switch setting utility\Switcher.exe
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [commentsniper] "c:\program files\comment sniper\CommentSniper.exe" startup
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\rew\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: microsoft.com\www
Trusted Zone: mozilla.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: VESWinlogon - VESWinlogon.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
IFEO: image file execution options - svchost.exe
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rew\applic~1\mozilla\firefox\profiles\s4i8k1bz.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\rew\application data\mozilla\firefox\profiles\s4i8k1bz.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJPI150_07.dll
FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-11-4 207280]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2009-11-5 112592]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-1-20 109616]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-8-28 226304]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2007-1-21 17149]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-11-4 358600]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\wpn111.sys --> c:\windows\system32\drivers\WPN111.sys [?]

=============== Created Last 30 ================

2009-11-26 02:31:24 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-11-26 02:31:08 0 d-----w- c:\program files\SUPERAntiSpyware
2009-11-26 02:31:07 0 d-----w- c:\docume~1\rew\applic~1\SUPERAntiSpyware.com
2009-11-26 01:49:05 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-14 06:22:50 54156 ---ha-w- c:\windows\QTFont.qfn
2009-11-14 06:22:50 1409 ----a-w- c:\windows\QTFont.for
2009-11-13 20:56:17 0 d-sha-r- C:\autorun.inf
2009-11-13 03:23:27 0 d-s---w- C:\Combo-Fix
2009-11-13 03:21:03 0 d-----w- C:\32788R22FWJFW.0.tmp
2009-11-05 22:14:35 882 ----a-w- c:\windows\RegSDImport.xml
2009-11-05 22:14:35 880 ----a-w- c:\windows\RegISSImport.xml
2009-11-05 22:14:35 767952 ----a-w- c:\windows\BDTSupport.dll
2009-11-05 22:14:35 1636304 ----a-w- c:\windows\PCTBDCore.dll
2009-11-05 22:14:35 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-11-05 22:14:35 131 ----a-w- c:\windows\IDB.zip
2009-11-05 22:14:35 1152470 ----a-w- c:\windows\UDB.zip
2009-11-05 22:14:34 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-11-05 22:12:32 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-11-05 22:12:20 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-11-05 22:12:02 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-11-05 03:36:32 0 d-----w- C:\_OTM
2009-11-05 02:56:40 229304 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-05 02:56:29 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-05 02:56:29 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-11-05 02:56:29 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-05 02:56:21 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-05 02:56:21 0 d-----w- c:\program files\common files\PC Tools
2009-11-05 02:56:13 0 d-----w- c:\program files\Spyware Doctor
2009-11-05 02:56:13 0 d-----w- c:\docume~1\rew\applic~1\PC Tools
2009-11-05 02:56:13 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools

==================== Find3M ====================

2009-11-26 02:08:59 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-11-26 02:08:59 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-11-26 02:08:59 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-11-26 02:08:59 10635 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-10-08 23:57:49 70984 -c--a-w- c:\documents and settings\rew\g2mdlhlpx.exe

============= FINISH: 22:44:26.42 ===============

Attached Files



#6 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:08:18 PM

Posted 26 November 2009 - 08:54 AM

Hello alchemy10 and Welcome to BleepingComputer.

I'm DocSatan and I will be helping you with your "Malware" related computer problems. Please give me some time to research your Log and I will get back to you ASAP. :(

In the meantime:

1. Please TRACK this Topic

  • At the top-right of this thread, click on the Posted Image button.
  • In the list that drops down, click on Posted Image
  • Place a tick-mark next to Immediate E-Mail Notification
  • Then click on Posted Image
  • You will now receive an e-mail as soon as a Reply is made to this Topic. :(
2. Do Not Make Any Changes to the "Infected" Computer.
  • Once you have posted a NEW DDS Log, Do Not make any changes to the computer. I will be researching the DDS Log that you post and any changes made to the system might interfere with the FIX that I prepare for you. Examples of "Changes":
  • Deleting Files/Folders
  • Installing/Uninstalling Programs
  • Running Anti-Virus, Anti-Malware, Anti-Spyware, etc., Programs
3. Please do not seek Help with this issue at another Computer Help Forum
  • While we are working together I must insist that you do not seek help with this matter at any other Help Forum.
  • Having multiple (more than one) Forums provide help for the same computer issue will result in confusion with preparing a Fix.
  • It is also not fair to the Volunteer who is helping you, as her/his time will be wasted trying to fix a computer that someone else is also trying to fix.
  • So, if you have posted at another Computer Help Forum for this same issue I would ask that you choose which Forum that you wish to stay with and inform the other Forum(s) that you no longer require their assistance.
4. Throughout the course of us working together, I will be posting step-by-step procedures for you to follow on your computer.
  • If at any time you do not fully understand what I have said, or you are not exactly sure what you are supposed to do, then please stop there and Post back to this topic and ask your questions. That way I will be able to more clearly explain the step/procedure and we won't have to worry about any steps being done incorrectly. :)

Doc.

#7 alchemy10

alchemy10
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:08:18 PM

Posted 26 November 2009 - 11:44 AM

Sounds good - take your time and happy holidays to you!

Edited by Orange Blossom, 13 December 2009 - 07:09 PM.
Remove unnecessary quote. ~ OB


#8 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:08:18 PM

Posted 27 November 2009 - 01:39 PM

Hello alchemy10,

1. Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

2. Please Download ComboFix
Here is a Tutorial on using ComboFix: A guide and tutorial on using ComboFix
  • Save it to your Desktop
  • Do NOT run ComboFix yet
  • Here is an alternative link to download ComboFix, if the above one is not working for you:Link 1
3. Disable Your AntiVirus and AntiSpyware Programs
  • You should be able to Right-Click on the program's icon in the System Tray and get an option to shut-down/disable each program.
  • These programs may interfere with our fix. We will re-enable them when we are done.
4. Double click on ComboFix.exe that you just saved to your Desktop
  • Follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. The Recovery Console will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • It is strongly recommended to have the Recovery Console installed on your machine before doing any malware removal.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Posted Image

NOTE: If the Microsoft Windows Recovery Console is already installed, you will not receive a prompt from ComboFix regarding the Recovery Console.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
5. Re-enable Your AntiVirus and AntiSpyware Programs That You Disabled in Step 2.


6. what I need in your next Reply:
  • Combofix.txt
  • gmer.log
Doc.

#9 alchemy10

alchemy10
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:08:18 PM

Posted 28 November 2009 - 05:26 PM

I did all that and it took some time so I walked away for a bit. When I came back the computer had restarted, and now its frozen on the welcome screen. I can't get to the desktop - I've tried about 3 times now. - any ideas how to bypass the screen? I'm logging on from another computer - I hope I didn't screw up my computer. I disabled everything before running the scan. All firewalls, virus protection, and real time malware protection. Maybe something got through.

Edited by Orange Blossom, 13 December 2009 - 07:09 PM.
Remove unnecessary quote. ~ OB


#10 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:08:18 PM

Posted 29 November 2009 - 02:12 PM

Hi alchemy10,

Please do not use the Posted Image Button when replying to this topic. Instead, please use the Posted Image button. Thank You. :(

Let's try Restarting in to Safe Mode.
  • This can be done tapping the F8 key as soon as you start your computer
  • You will be brought to a menu where you can choose to boot into safe mode.
  • Make sure you choose the option without networking support.
  • Please see here for additional details.
If this works, then I need you to locate these logs and paste them in your next reply:
  • Combofix.txt
    • Please navigate to C:\ --> qoobox\
    • There should be a file in this folder named ComboFix.txt
    • Please Copy and Paste the contents of ComboFix.txt in your next Reply to this Topic.
  • gmer.Log
    • Please navigate to C:\ --> gmer\
    • There should be a file in this folder named gmer.log
    • Please Copy and Paste the contents of gmer.log in your next reply to this Topic.
If it doesn't work, please reply to this topic with the details.

Doc.

#11 alchemy10

alchemy10
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:08:18 PM

Posted 29 November 2009 - 03:29 PM

Ok I will try doing that, but can I do the combofix scan in safe mode? the problem is that every time I run ComboFix it doesn't create a log file, and instead tries to restart my computer, but it has a hard time doing that.

#12 alchemy10

alchemy10
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:08:18 PM

Posted 29 November 2009 - 03:49 PM

Ok, got it to work I think without safe mode. Here's what happened. I didn't find the ComboFix.txt in the Qooboox folder, but instead found it in the ComboFix folder. I don't think this is the right one because it just contains the serial numbers for my anti virus programs.

The gmer.log file is massive, and I'm not so sure if I should post it here and take up all this thread space, but its too big to attach - 1.6MB.
It almost looks like it repeated the same data - what should I do?

#13 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:08:18 PM

Posted 29 November 2009 - 07:13 PM

Hi alchemy10,

Before we continue I want to reemphasize a very Important Rule. Please do not Run any Programs that I have Not instructed you to run. If you are ever not sure if I have asked you to run a Program or not, please Stop and post a Reply to this topic asking for clarification.

OK, on to the Fix...

1. Run this Command from the Run Box
  • Click on Start, then Run.
  • Copy and Paste the bold text below in to the Run Box:
    • cmd /c dir /a /s C:\QooBox >log.txt&start log.txt
  • Then click on OK.
  • A Text File will open up, please Copy and Paste the contents in a Reply to this Topic.
2. Download RootRepeal.exe from one of these download locations and save it to your desktop:http://download.bleepingcomputer.com/rootr.../RootRepeal.exe
http://ad13.geekstogo.com/RootRepeal.exe
http://rootrepeal.psikotick.com/RootRepeal.exe
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Click Ok.
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Edited by DocSatan, 29 November 2009 - 08:33 PM.


#14 alchemy10

alchemy10
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:08:18 PM

Posted 29 November 2009 - 09:22 PM

I haven't ran any other programs, so don't worry.

I did as instructed and here are the two logs for ComboFix and RootRepeal.


COMBOFIX LOG
******************************************

Volume in drive C has no label.
Volume Serial Number is 880F-AA47

Directory of C:\QooBox

11/29/2009 02:59 PM <DIR> .
11/29/2009 02:59 PM <DIR> ..
11/28/2009 07:03 PM <DIR> BackEnv
11/29/2009 03:00 PM <DIR> LastRun
11/29/2009 02:59 PM 2,698 LogA
11/28/2009 07:06 PM <DIR> Quarantine
11/27/2009 02:24 PM 237,600 str.sys.vir
11/29/2009 02:49 PM <DIR> Test
11/12/2009 10:23 PM <DIR> TestC
2 File(s) 240,298 bytes

Directory of C:\QooBox\BackEnv

11/28/2009 07:03 PM <DIR> .
11/28/2009 07:03 PM <DIR> ..
11/28/2009 07:02 PM 286 appdata.folder.dat
11/28/2009 07:02 PM 404 cache.folder.dat
11/28/2009 07:02 PM 246 Cookies.folder.dat
11/28/2009 07:02 PM 139 desktop.folder.dat
11/28/2009 07:02 PM 145 favorites.folder.dat
11/28/2009 07:02 PM 290 localappdata.folder.dat
11/28/2009 07:02 PM 281 localsettings.folder.dat
11/28/2009 07:02 PM 187 mypictures.folder.dat
11/28/2009 07:02 PM 151 personal.folder.dat
11/28/2009 07:02 PM 304 Profiles.Folder.dat
11/28/2009 07:02 PM 468 Profiles.Folder.folder.dat
11/28/2009 07:02 PM 175 programs.folder.dat
11/28/2009 07:02 PM 5,860 SetPath.bat
11/28/2009 07:02 PM 148 startmenu.folder.dat
11/28/2009 07:02 PM 199 startup.folder.dat
11/28/2009 07:02 PM 2,359 SysPath.dat
11/28/2009 07:02 PM 145 templates.folder.dat
17 File(s) 11,787 bytes

Directory of C:\QooBox\LastRun

11/29/2009 03:00 PM <DIR> .
11/29/2009 03:00 PM <DIR> ..
11/29/2009 02:55 PM 0 CregC.old
11/29/2009 03:00 PM 39 drev_.dat
11/28/2009 07:44 PM 10 erunt.dat
11/29/2009 02:50 PM 0 RenVDel.dat
11/28/2009 07:47 PM 117 SvcTarget.dat
11/29/2009 02:55 PM 10,349 zhsvc.old
6 File(s) 10,515 bytes

Directory of C:\QooBox\Quarantine

11/28/2009 07:06 PM <DIR> .
11/28/2009 07:06 PM <DIR> ..
11/28/2009 07:58 PM <DIR> C
11/29/2009 02:54 PM 605 catchme.log
11/28/2009 07:55 PM <DIR> Registry_backups
1 File(s) 605 bytes

Directory of C:\QooBox\Quarantine\C

11/28/2009 07:58 PM <DIR> .
11/28/2009 07:58 PM <DIR> ..
05/17/2008 02:39 PM 5,432 log.txt.vir
11/28/2009 07:58 PM <DIR> WINDOWS
1 File(s) 5,432 bytes

Directory of C:\QooBox\Quarantine\C\WINDOWS

11/28/2009 07:58 PM <DIR> .
11/28/2009 07:58 PM <DIR> ..
01/19/2008 03:19 PM 4 a3kebook.ini.vir
01/19/2008 03:19 PM 20 akebook.ini.vir
03/07/2009 05:06 PM 415 ANS2000.INI.vir
10/28/2009 08:48 PM 10 run.log.vir
07/24/2003 02:51 PM 111,552 setup.exe.vir
11/28/2009 07:58 PM <DIR> system32
5 File(s) 112,001 bytes

Directory of C:\QooBox\Quarantine\C\WINDOWS\system32

11/28/2009 07:58 PM <DIR> .
11/28/2009 07:58 PM <DIR> ..
11/29/2009 02:59 PM <DIR> drivers
10/29/2003 09:43 AM 253,952 SkinBoxer43.dll.vir
1 File(s) 253,952 bytes

Directory of C:\QooBox\Quarantine\C\WINDOWS\system32\drivers

11/29/2009 02:59 PM <DIR> .
11/29/2009 02:59 PM <DIR> ..
04/13/2008 01:40 PM 96,512 atapi.sys.vir
11/29/2009 02:32 PM 0 str.sys.vir
11/29/2009 02:54 PM 237,333 _str_.sys.zip
3 File(s) 333,845 bytes

Directory of C:\QooBox\Quarantine\Registry_backups

11/28/2009 07:55 PM <DIR> .
11/28/2009 07:55 PM <DIR> ..
11/29/2009 02:50 PM 9,002 tcpip.reg
1 File(s) 9,002 bytes

Directory of C:\QooBox\Test

11/29/2009 02:49 PM <DIR> .
11/29/2009 02:49 PM <DIR> ..
0 File(s) 0 bytes

Directory of C:\QooBox\TestC

11/12/2009 10:23 PM <DIR> .
11/12/2009 10:23 PM <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
37 File(s) 977,437 bytes
32 Dir(s) 64,735,694,848 bytes free



*************************************************
ROOT REPEAL LOG
*************************************************

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/29 20:56
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 00000BF3
Image Path: 00000BF3
Address: 0xA9B9F000 Size: 71424 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA48B000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7AFC000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA8D89000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\drivers\auzpjb.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\all users\application data\spybot - search & destroy\proccache.sbc
Status: Size mismatch (API: 167266, Raw: 167232)

SSDT
-------------------
ServiceTable Hooked [0x85e92bd0]!

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xf77d0b30

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x867d9820

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\windrvNT.sys" at address 0xf789236a

#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xf73c2e22

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xf73a3cdc

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xf73a3ece

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xf77d06f0

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xf73c3610

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xf73c38c4

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xf77d0470

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\system32\windrvNT.sys" at address 0xf7892cd8

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xf73c1b14

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xf77d0c50

#: 145 Function Name: NtQueryDirectoryFile
Status: Hooked by "C:\WINDOWS\system32\windrvNT.sys" at address 0xf7892842

#: 154 Function Name: NtQueryInformationProcess
Status: Hooked by "C:\WINDOWS\system32\windrvNT.sys" at address 0xf788f1e0

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xf73c3d30

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\system32\windrvNT.sys" at address 0xf7893142

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xf73c30e2

#: 249 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xf77d0990

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xaa68d0b0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xf77d0d60

Hidden Services
-------------------
Service Name: gfvwsb
Image Path: C:\WINDOWS\system32\drivers\auzpjb.sys

==EOF==

#15 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:08:18 PM

Posted 30 November 2009 - 07:02 PM

Hello alchemy10,

Good Job getting those Logs. :(

Please follow the instructions below in the order that they are given:

1. Please Uninstall one of your 2 Firewalls
  • You should only have 1 Firewall installed on a computer.
  • I assume that you have Paid for the Norton Internet Security, so Sygate Personal Firewall should be the one to uninstall.
2. Perform a Scan with MalwareByte's AntiMalware (MBAM)
  • Double-Click on the MBAM Icon
  • Click on the tab Update
  • Then click on Check For Updates button
  • When MBAM has finished updating, click OK on the window that pops-up.
    • If MBAM has to close to complete the update, then allow it.
  • Now Click on the Scanner tab
  • Put a tick-mark next to Perform Quick Scan
  • Now click the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

3. Run this CFScirpt
Warning: This CFScript has been tailored to alchemy10 's particular system and should not be run on any other system.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    DDS::
    uStart Page = res://c:\windows\system32\shdoclc.dll/dnserror.htm
    BHO: {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - No File
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
    mRun: [<NO NAME>]
    Trusted Zone: microsoft.com\www
    Trusted Zone: mozilla.com
    Hosts: 127.0.0.1 www.spywareinfo.com

    Folder::
    C:\32788R22FWJFW.0.tmp

    File::
    C:\WINDOWS\system32\drivers\auzpjb.sys

    Driver::
    gfvwsb

  • Save this as CFScript.txt, in the same location as ComboFix.exe


    Posted Image
  • Refering to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
4. What I need in your next Reply:
  • ComboFix.txt
  • MBAM Results
  • Any problems?
Doc.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users