Virus - Loss of Administrative Control



#1 svenzeswede

Posted 11 December 2009 - 10:35 PM

Hi,

Clearly, I am new here. I would first like to say thank you to the many contributors to this forum as they have been full of useful advice and help in the past. I find myself at a crossroads with my laptop. I was infected with a variety of adware, spyware, trojan, and rootkit problems about two months ago. I used Spyware Doctor initially to rid myself of Security Tool. While that was effective, I've been infected with something new and more insidious. Some symptoms of the problem include but are not limited to: I can't change the background from that annoying blue color, I don't have administrative control over many areas of my computer, everything runs extremely slow.
I considered wiping the system but I can't transfer my documents, music, and movies because I am told that I don't have proper permissions and to contact my service administrator. I used superantispyware briefly and it seemed to be extremely effective but it requires a restart to eliminate threats and every time I restart and try to open it again I get the following message: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." I've tried renaming it multiple times but still seem to be sunk.
I've heard much of different utilities like Hijackthis which I presume are used for diagnostics. If I need to use this please let me know.

As I am extremely novice, I appreciate any help and any patience with me.


ADDITION: Tried to run Hijackthis and after beginning to work it shut down with no warning or explanation. When I tried to open it again I once again received the message "cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

ADDITION #2: Alright, so I apparently wasn't yet prepared to post. I downloaded and ran dds by subs. The log file is below.

One other piece of information, I can't keep the date and time correct. It gets frozen and then won't update itself when I connect to the internet. I'm not sure how big of a problem this is but thought it suspicious. Cheers.
Thanks.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 2:25:51.65 on Fri 12/11/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.406 [GMT -6:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ASTSRV.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\FlashGet Network\FlashGet 3\Flashget3.exe
C:\Documents and Settings\Owner\Desktop\internet explorer.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.opera.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.sony.com/vaiopeople
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: H - No File
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: FlashGetBHO: {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} - c:\documents and settings\owner\application data\flashgetbho\FlashGetBHO3.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [SonyPowerCfg] c:\program files\sony\vaio power management\SPMgr.exe
mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Switcher.exe] c:\program files\sony\wireless switch setting utility\Switcher.exe
mRun: [VAIOCameraUtility] "c:\program files\sony\vaio camera utility\VCUServe.exe"
mRun: [PartSeal] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [galeriyog] Rundll32.exe "c:\windows\system32\hisakite.dll",a
mRun: [Vcuritigok] rundll32.exe "c:\windows\iyabuteb.dll",Startup
mRun: [combofix] "c:\combo\cf22994.cfxxe" /c "c:\combo\C.bat"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\scandisk.lnk - c:\windows\system32\rundll32.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: EnableProfileQuota = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Download All By FlashGet3 - c:\documents and settings\owner\application data\flashgetbho\GetAllUrl.htm
IE: Download By FlashGet3 - c:\documents and settings\owner\application data\flashgetbho\GetUrl.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1260223534593
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Notify: !SASWinLogon - c:\program files\jimmyjohn\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: VESWinlogon - VESWinlogon.dll
AppInit_DLLs: cru629.dat acaptuser32.dll dodohovo.dll c:\windows\system32\hisakite.dll
SSODL: gezekiyay - {da2e38a8-0d91-4594-b0a3-bf159ab53bcf} - c:\windows\system32\hisakite.dll
STS: mujuzedij: {da2e38a8-0d91-4594-b0a3-bf159ab53bcf} - c:\windows\system32\hisakite.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\jimmyjohn\SASSEH.DLL
LSA: Notification Packages = scecli swphcon.dll beperuka.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-10-11 207792]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-12-7 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-12-7 59664]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-10-11 233136]
R1 SASDIFSV;SASDIFSV;c:\program files\jimmyjohn\sasdifsv.sys [2009-11-23 9968]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2009-12-7 112592]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-10-11 359624]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-10-11 1141712]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-9-1 24652]
R3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2009-10-11 70408]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-12-7 33552]
R3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-3-15 226304]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S3 SASENUM;SASENUM;c:\program files\jimmyjohn\SASENUM.SYS [2009-11-23 7408]
S3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [2006-3-15 29184]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]

=============== Created Last 30 ================

2009-12-09 08:36:43 25 ----a-w- c:\windows\libem.INI
2009-12-09 08:36:13 0 d-----w- c:\docume~1\owner\applic~1\BITS
2009-12-09 08:36:02 0 d-----w- c:\docume~1\owner\applic~1\FlashGetBHO
2009-12-09 08:36:00 0 d-----w- c:\program files\FlashGet Network
2009-12-09 08:28:57 305 ----a-w- c:\windows\system32\secushr.dat
2009-12-09 08:28:34 26624 ----a-w- c:\windows\system32\tdlcmd.dll
2009-12-09 08:17:21 0 d-----w- c:\program files\JAckkkkkkkk
2009-12-09 07:57:30 248 ----a-w- c:\windows\system32\secustat.dat
2009-12-07 22:37:48 883 ----a-w- c:\windows\RegSDImport.xml
2009-12-07 22:37:48 767952 ----a-w- c:\windows\BDTSupport.dll
2009-12-07 22:37:47 880 ----a-w- c:\windows\RegISSImport.xml
2009-12-07 22:37:47 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-12-07 22:37:47 1640400 ----a-w- c:\windows\PCTBDCore.dll
2009-12-07 22:37:47 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-12-07 22:37:47 131 ----a-w- c:\windows\IDB.zip
2009-12-07 22:37:47 1152444 ----a-w- c:\windows\UDB.zip
2009-12-07 22:29:26 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-12-07 22:29:22 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-12-07 22:29:15 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-12-07 22:20:43 59664 --s---w- c:\windows\system32\drivers\TfSysMon.sys
2009-12-07 22:20:43 51984 --s---w- c:\windows\system32\drivers\TfFsMon.sys
2009-12-07 22:20:43 33552 --s---w- c:\windows\system32\drivers\TfNetMon.sys
2009-12-03 22:04:48 0 d-----w- c:\program files\jimmyjohn
2009-12-03 22:04:16 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-12-03 22:01:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 22:01:30 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-03 22:01:29 0 d-----w- c:\program files\jackjack
2009-12-02 22:04:42 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-02 22:04:30 0 d-----w- c:\program files\SUPERAntiSpyware
2009-12-02 22:04:30 0 d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2009-12-02 21:41:39 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2009-12-02 21:36:17 0 d--h--w- c:\windows\PIF
2009-11-18 07:09:06 0 d-----w- C:\f28dc80a5bb20e85696145
2009-11-18 06:49:45 467 ----a-w- c:\windows\osadoxiyetuk.dll

==================== Find3M ====================

2009-11-09 17:20:12 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-10-30 17:11:00 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-09-18 05:47:49 16265 ----a-w- c:\windows\system32\ekaho.dll
2009-09-18 05:47:49 15693 ----a-w- c:\windows\gaxisa.vbs
2009-09-18 05:47:49 15672 ----a-w- c:\docume~1\alluse~1\applic~1\qobipoduzo.com
2009-09-18 05:47:49 12692 ----a-w- c:\windows\unequweto.scr
2009-09-18 05:47:49 12441 ----a-w- c:\windows\system32\pyvyhatev.dll
2009-09-18 05:47:48 15945 ----a-w- c:\docume~1\alluse~1\applic~1\ysawuhem.dll
2009-09-18 05:47:48 15599 ----a-w- c:\windows\system32\lihox.dat
2009-09-18 05:47:48 14269 ----a-w- c:\docume~1\owner\applic~1\ekyqe.reg
2009-09-18 05:47:48 13945 ----a-w- c:\docume~1\owner\applic~1\vemof.dll
2009-09-18 05:47:48 11002 ----a-w- c:\program files\common files\idyfunu.com
2005-01-08 00:37:29 19749 ----a-w- c:\program files\common files\momibuvy._dl
2009-07-19 19:44:54 1011464 --sha-w- c:\windows\system32\yevazani.exe
2009-07-18 19:45:45 1011464 --sha-w- c:\windows\system32\zupejaku.exe

============= FINISH: 2:32:30.51 ===============

Edited by svenzeswede, 11 December 2009 - 11:34 PM.
Moving from XP to AII. ~ OB

