Cryptic.CM Trojan being reported by AVG, Browser re-directs & crashes


  • This topic is locked
30 replies to this topic

#1 OrFloB

  • Members
  • 20 posts

Posted 23 April 2010 - 06:35 PM

Hello there, over the last few days my system's antivirus software (AVG9) has been reporting countless cases of the Cryptic.CM Trojan. Those that could be healed have been, and some give the "file inaccessible" error when I attempt this.
Along with this I've also experienced countless browser re-directs to spam sites (mostly from Google searches, but it is not unknown to redirect me from other sites) as well as complete browser crashes (though this mostly occurs when using IE. So who knows!). I also get a strange JavaScript exception error when running Firefox (this seems to only occur the first time I run it). If required I could paste the error here, but for now this is not a big problem to me.

I've tried scans with Malwarebytes, Spybot S&D and AVG9 (all with latest updates) both in and out of safe mode, and healed everything that was found with each program. While this seemed to cut down the frequency of the re-directs, they are still occurring. System restore is not an option for me as it fails to complete on every restore point (10+) that I have tried.

So it is with all these problems that I turn to those wiser than me, in hope to remove the Malware present in my system.

Regards,
Ryan.

-------------------------------------------------------------------------------------------------------------------------------------------

DDS (Ver_10-03-17.01) - NTFSx86
Run by Kevin at 22:55:38.26 on 23/04/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.404 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
svchost.exe "C:\WINDOWS\system32\ahuit.exe"
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
C:\Program Files\Apoint\Apoint .exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Realtek\InstallShield\AzMixerSel .exe
C:\Program Files\Sony\VAIO Power Management\SPMgr .exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher .exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray .exe
C:\Program Files\Sony\ISB Utility\ISBMgr .exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Utimaco\SafeGuard PrivateDisk\pdservice .exe
C:\Program Files\Java\jre6\bin\jusched .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat .exe
C:\PROGRA~1\AVG\AVG9\avgtray .exe
C:\Program Files\Logitech\Video\LogiTray .exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kevin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
mRun: [Hcontrol] c:\windows\atk0100\Hcontrol.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [SonyPowerCfg] c:\program files\sony\vaio power management\SPMgr.exe
mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
mRun: [Switcher.exe] c:\program files\sony\wireless switch setting utility\Switcher.exe
mRun: [PDService.exe] c:\program files\utimaco\safeguard privatedisk\pdservice.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [wa6pcw] "c:\program files\common files\winantivirus pro 2006\wa6pcw.exe" -c
mRun: [SystemDoctor] c:\program files\systemdoctor\main.exe
mRun: [USS] "c:\program files\uss\USS.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [VAIO Update 4] "c:\program files\sony\vaio update 4\VAIOUpdt.exe" /Stationary
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: sony-europe.com
Trusted Zone: sonystyle-europe.com
Trusted Zone: vaio-link.com
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - c:\program files\common files\intuit\intu-res.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: VESWinlogon - VESWinlogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kevin\applic~1\mozilla\firefox\profiles\lb6l3dxa.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-23 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-4-23 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-23 242896]
R1 PrivateDisk;PrivateDisk;c:\windows\system32\drivers\privatediskm.sys [2004-7-6 45627]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-4-23 308064]
R2 k;k;c:\windows\system32\o.sys [2010-4-23 4736]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2005-8-4 71961]
S2 AppMgmtCryptSvc;Application Management AppMgmtCryptSvc;c:\windows\system32\ahuit.exe srv --> c:\windows\system32\ahuit.exe srv [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-1-10 13352]
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);c:\windows\system32\drivers\sea1bus.sys [2007-11-3 61536]
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;c:\windows\system32\drivers\sea1mdfl.sys [2007-11-3 9360]
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;c:\windows\system32\drivers\sea1mdm.sys [2007-11-3 97088]
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\sea1mgmt.sys [2007-11-3 88624]
S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);c:\windows\system32\drivers\sea1nd5.sys [2007-11-3 18704]
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;c:\windows\system32\drivers\sea1obex.sys [2007-11-3 86432]
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);c:\windows\system32\drivers\sea1unic.sys [2007-11-3 90800]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]

=============== Created Last 30 ================

2010-04-28 00:47:42 0 d-----w- c:\windows\system32\wbem\Repository
2010-04-28 00:39:13 0 d-----w- C:\spoolerlogs
2010-04-28 00:38:43 0 d-----w- c:\docume~1\kevin\applic~1\F12EEEBBF68C5FDE416B4F13BC1D93E6
2010-04-23 21:53:35 0 ----a-w- c:\documents and settings\kevin\defogger_reenable
2010-04-23 16:54:57 32 --s-a-w- c:\windows\system32\3480617806.dat
2010-04-23 09:29:28 112 ----a-w- c:\docume~1\alluse~1\applic~1\s3q8r1238.dat
2010-04-23 09:29:27 4736 ----a-w- c:\windows\system32\o.sys
2010-04-23 09:09:38 0 d-----w- c:\docume~1\kevin\applic~1\Malwarebytes
2010-04-23 09:09:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-23 09:09:27 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-23 09:09:27 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-23 09:09:27 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-23 09:02:29 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-23 09:02:26 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-23 09:02:20 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-23 09:02:05 0 d-----w- c:\windows\system32\drivers\Avg
2010-04-23 08:58:43 0 d-----w- c:\program files\AVG
2010-04-23 08:45:56 0 ----a-w- c:\windows\system32\commonpriv.log.lock
2010-04-23 01:31:31 0 d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-04-23 01:31:30 0 d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2010-04-23 01:31:29 0 d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2010-04-23 01:31:29 0 d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-04-23 01:28:55 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-23 01:01:23 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-16 23:55:14 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_xusb21_01001.Wdf
2010-04-16 22:47:19 0 d--h--w- C:\$AVG
2010-04-16 21:32:01 61984 ----a-w- c:\windows\system32\drivers\xusb21.sys
2010-04-16 21:32:01 1421216 ----a-w- c:\windows\system32\WdfCoInstaller01001.dll
2010-04-16 21:31:57 0 d-----w- c:\program files\Microsoft Xbox 360 Accessories
2010-04-16 21:31:50 68888 ----a-w- c:\windows\system32\xinput1_3.dll

==================== Find3M ====================

2010-04-23 10:02:38 42112 ----a-w- c:\windows\system32\drivers\imapi.sys
2010-04-23 09:28:58 34308 ----a-w- c:\windows\system32\ICO.EXE
2009-08-31 07:49:40 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009083120090901\index.dat

============= FINISH: 22:57:07.15 ===============
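
Reading the DDS log above the way a responder would, as an added example that is not part of the original post and not a feature of the DDS tool: the indicators worth pulling out are the "name .exe" paths in the process list (the genuine binary renamed with a space so an imposter can sit under its original name), a process that reports as svchost.exe but runs from ahuit.exe, Run keys that point at rogue "security" products (WinAntiVirus Pro 2006, SystemDoctor) or at bare filenames resolved through PATH, a one-letter service whose .sys lives in system32 instead of system32\drivers, and freshly created binaries dropped straight into system32. The Python below is my own triage of a constructed subset of those log lines; the section parser, every heuristic and the ROGUE_NAMES list are assumptions chosen to fit this log, not anything DDS ships.

```python
import re

# Constructed sample: a subset of lines copied from the DDS log in the post
# above, embedded so the checks run offline. Not the full log.
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe "C:\WINDOWS\system32\ahuit.exe"
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
C:\Program Files\Apoint\Apoint .exe
C:\Program Files\Java\jre6\bin\jqs.exe

============== Pseudo HJT Report ===============

mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [wa6pcw] "c:\program files\common files\winantivirus pro 2006\wa6pcw.exe" -c
mRun: [SystemDoctor] c:\program files\systemdoctor\main.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime

============= SERVICES / DRIVERS ===============

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-23 242896]
R2 k;k;c:\windows\system32\o.sys [2010-4-23 4736]
S2 AppMgmtCryptSvc;Application Management AppMgmtCryptSvc;c:\windows\system32\ahuit.exe srv --> c:\windows\system32\ahuit.exe srv [?]

=============== Created Last 30 ================

2010-04-23 16:54:57 32 --s-a-w- c:\windows\system32\3480617806.dat
2010-04-23 09:29:27 4736 ----a-w- c:\windows\system32\o.sys
2010-04-23 09:09:27 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")          # "=== Header ===" banners
COMPANION_RE = re.compile(r"\S \.(?:exe|com|dll|scr)\b", re.I)  # "atiptaxx .exe"
PROC_RE = re.compile(r'^(\S+)\s+"([^"]+)"$')           # name followed by quoted image
RUN_RE = re.compile(r"^[umd]Run:\s*\[([^\]]*)\]\s*(.*)$")
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
CREATED_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+(\S{8})\s+(.*)$")
# Assumption: the two rogue "security" products this log names in its Run keys.
ROGUE_NAMES = ("winantivirus", "systemdoctor")
# Assumption: a new .exe/.com/.sys/.dat sitting directly in one of these deserves a look.
LOOSE_DIRS = (r"c:\windows\system32", r"c:\windows\fonts", r"c:\docume~1\alluse~1\applic~1")


def split_sections(text):
    """Group non-empty log lines under the banner that precedes them (lower-cased key)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections


def companion_files(lines):
    """Paths of the form 'name .exe': the real binary displaced by a same-named imposter."""
    return [l for l in lines if COMPANION_RE.search(l)]


def mismatched_processes(lines):
    """Process lines whose shown name differs from the basename of the quoted image."""
    out = []
    for line in lines:
        m = PROC_RE.match(line)
        if m and m.group(1).lower() != m.group(2).rsplit("\\", 1)[-1].lower():
            out.append(line)
    return out


def suspicious_run_entries(lines):
    """(entry name, reason) for Run keys that look wrong; order of checks matters."""
    out = []
    for line in lines:
        m = RUN_RE.match(line)
        if not m:
            continue
        name, value = m.groups()
        if any(r in value.lower() for r in ROGUE_NAMES):
            out.append((name, "rogue security product"))
        elif value and "\\" not in value:
            out.append((name, "unqualified image, resolved via PATH"))
        elif COMPANION_RE.search(value):
            out.append((name, "companion-renamed image"))
    return out


def created_paths(lines):
    """Every non-directory path in 'Created Last 30', lower-cased."""
    return [m.group(2).lower() for m in map(CREATED_RE.match, lines)
            if m and not m.group(1).startswith("d")]


def loose_new_binaries(lines):
    """New executable-ish files dropped directly into a LOOSE_DIRS directory."""
    out = []
    for p in created_paths(lines):
        parent, _, fname = p.rpartition("\\")
        if parent in LOOSE_DIRS and fname.rsplit(".", 1)[-1] in ("exe", "com", "sys", "dat"):
            out.append(p)
    return out


def suspicious_services(lines, new_paths=()):
    """(service name, [reasons]) for services/drivers with throwaway names or odd images."""
    out = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        _state, name, desc, rest = m.groups()
        image = re.split(r"\s+-->\s+|\s+\[", rest)[0].strip().lower()
        reasons = []
        if len(name) <= 2 or desc.strip() == name:
            reasons.append("throwaway name")
        if re.search(r"\\system32\\[^\\]+\.sys$", image):
            reasons.append("driver outside system32\\drivers")
        if any(image.startswith(p) for p in new_paths):
            reasons.append("image created in the last 30 days")
        if reasons:
            out.append((name, reasons))
    return out


def triage(text):
    """Run every check over a DDS-style log and return the hits per category."""
    s = split_sections(text)
    procs, created = s.get("running processes", []), s.get("created last 30", [])
    return {
        "companion_processes": companion_files(procs),
        "mismatched_processes": mismatched_processes(procs),
        "run_entries": suspicious_run_entries(s.get("pseudo hjt report", [])),
        "services": suspicious_services(s.get("services / drivers", []), created_paths(created)),
        "loose_new_binaries": loose_new_binaries(created),
    }


if __name__ == "__main__":
    for key, hits in triage(SAMPLE_LOG).items():
        print(key, *hits, sep="\n    ")
```

A hit is a lead for the helper, not a verdict: the same "unqualified image" check that surfaces ICO.EXE also flags Alcmtr's bare ALCMTR.EXE, which is a stock Realtek audio entry. The service check is deliberately joined against the "Created Last 30" section, because a driver that is both one letter long and two days old is a much stronger signal than either fact alone; ahuit.exe escapes that join here (it is not in the sample's created list) and is caught instead by the svchost.exe name mismatch in the process list.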

#2 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 23 April 2010 - 07:47 PM

Hello OrFloB,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1.
We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press
  5. Click on
  6. Click on
  7. Uncheck this checkbox:
  8. Close/Exit Spybot Search and Destroy

2.
Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case uTorrent). These programmes allow users to share files between them, as the name suggests. In today's world cyber crime has reached an enormous dimension, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world, and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

3.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Things to include in your next reply:
Combofix.txt
How is your machine running now?


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-




#3 OrFloB

  • Topic Starter
  • Members
  • 20 posts

Posted 24 April 2010 - 08:33 AM

Hi fireman4it,

Thanks for the speedy reply. Really wasn't expecting it to be as fast as it was, so it's appreciated!

I've followed everything you suggested to a tee and I have to say things are running a lot less sluggishly. It may be too early to say yet but I think the re-directs have been sorted out as well (at least in the last hour of browsing I haven't had any; however, I haven't used Google search all too much).

As you requested, here is the Combofix log!

P.S. I've noticed that the AVG icon seems to be missing from the System Tray? It does however seem to be running (process list and Security Center state so). Is this intended, or an adverse effect of running ComboFix?

-

ComboFix 10-04-21.01 - Kevin 24/04/2010 13:20:28.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.560 [GMT 1:00]
Running from: c:\documents and settings\Kevin\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kevin\Application Data\F12EEEBBF68C5FDE416B4F13BC1D93E6
c:\documents and settings\Kevin\Application Data\F12EEEBBF68C5FDE416B4F13BC1D93E6\enemies-names.txt
c:\documents and settings\Kevin\Application Data\F12EEEBBF68C5FDE416B4F13BC1D93E6\lsrslt.ini
c:\documents and settings\Kevin\err.log
c:\documents and settings\Kevin\ResErrors.log
c:\program files\Common Files\companion wizard
c:\program files\Common Files\companion wizard\log.txt
c:\program files\USS
c:\program files\USS\{20CF7FD9-6C26-450b-BC5B-B4AD67438A26}\AppBase\pfilelst.xda
c:\program files\USS\{20CF7FD9-6C26-450b-BC5B-B4AD67438A26}\AppBase\wordslst.xda
c:\program files\USS\{20CF7FD9-6C26-450b-BC5B-B4AD67438A26}\bnlink.dat
c:\program files\USS\{20CF7FD9-6C26-450b-BC5B-B4AD67438A26}\DCPlugin.dll
c:\program files\USS\{20CF7FD9-6C26-450b-BC5B-B4AD67438A26}\DCPlugin.xml
c:\program files\USS\{20CF7FD9-6C26-450b-BC5B-B4AD67438A26}\ScanReport.dat
c:\program files\USS\{20CF7FD9-6C26-450b-BC5B-B4AD67438A26}\unins000.dat
c:\program files\USS\{20CF7FD9-6C26-450b-BC5B-B4AD67438A26}\unins000.exe
c:\program files\USS\Schedule.dat
c:\program files\USS\unins000.dat
c:\program files\USS\unins000.exe
c:\recycler\S-1-5-21-3035643098-62855431-714670690-1003
c:\recycler\S-1-5-21-343818398-2000478354-725345543-1003
C:\WA6P
c:\wa6p\Quar\Index.dat
c:\windows\system32\3480617806.dat
c:\windows\system32\ahuit.exe
c:\windows\system32\ICO .exe
c:\windows\system32\stera.log
c:\windows\system32\Temp
c:\windows\winhelp.ini

Infected copy of c:\windows\system32\drivers\imapi.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
original MBR restored successfully !
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_APPMGMTCRYPTSVC
-------\Legacy_FOPN
-------\Legacy_FWSVC
-------\Legacy_VSPF
-------\Legacy_VSPF_HK
-------\Service_AppMgmtCryptSvc


((((((((((((((((((((((((( Files Created from 2010-03-24 to 2010-04-24 )))))))))))))))))))))))))))))))
.

2010-04-28 00:47 . 2010-04-28 00:47 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-28 00:39 . 2010-04-28 00:39 -------- d-----w- C:\spoolerlogs
2010-04-24 00:46 . 2010-04-24 12:05 65546 ----a-w- c:\documents and settings\All Users\Application Data\jL08M5nO.exe
2010-04-23 09:29 . 2010-04-23 09:29 4736 ----a-w- c:\windows\system32\o.sys
2010-04-23 09:09 . 2010-04-23 09:09 -------- d-----w- c:\documents and settings\Kevin\Application Data\Malwarebytes
2010-04-23 09:09 . 2010-03-29 23:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-23 09:09 . 2010-04-23 16:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-23 09:09 . 2010-04-23 09:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-23 09:09 . 2010-03-29 23:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-23 09:02 . 2010-04-23 09:02 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-23 09:02 . 2010-04-23 09:02 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-23 09:02 . 2010-04-23 09:02 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-23 09:02 . 2010-04-23 09:02 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-23 09:02 . 2010-04-24 12:06 -------- d-----w- c:\windows\system32\drivers\Avg
2010-04-23 08:58 . 2010-04-23 08:58 -------- d-----w- c:\program files\AVG
2010-04-23 01:31 . 2010-04-23 01:31 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-04-23 01:31 . 2010-04-23 01:31 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2010-04-23 01:31 . 2010-04-23 01:31 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2010-04-23 01:31 . 2010-04-23 01:31 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-04-23 01:28 . 2010-04-23 01:28 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-23 01:01 . 2010-04-23 01:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-23 01:01 . 2010-04-23 01:01 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-16 23:58 . 2010-04-16 23:58 8854 ----a-r- c:\documents and settings\Kevin\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\Uninstall_Project64__9559F7CA5E344237A2D9D856464AD727.exe
2010-04-16 23:58 . 2010-04-16 23:58 40960 ----a-r- c:\documents and settings\Kevin\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2010-04-16 23:58 . 2010-04-16 23:58 40960 ----a-r- c:\documents and settings\Kevin\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2010-04-16 22:47 . 2010-04-16 22:47 -------- d-----w- C:\$AVG
2010-04-16 21:32 . 2007-02-26 17:15 61984 ----a-w- c:\windows\system32\drivers\xusb21.sys
2010-04-16 21:32 . 2007-02-26 17:15 1421216 ----a-w- c:\windows\system32\WdfCoInstaller01001.dll
2010-04-16 21:31 . 2010-04-23 09:28 -------- d-----w- c:\program files\Microsoft Xbox 360 Accessories
2010-04-16 21:31 . 2006-09-28 15:04 68888 ----a-w- c:\windows\system32\xinput1_3.dll
2010-04-16 21:28 . 2010-04-16 21:28 -------- d-----w- c:\program files\7-Zip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-24 12:34 . 2009-07-26 20:10 -------- d-----w- c:\program files\QuickTime
2010-04-24 12:34 . 2005-08-05 12:43 34316 ----a-w- c:\windows\system32\ICO.EXE
2010-04-24 12:05 . 2010-04-23 09:29 112 ----a-w- c:\documents and settings\All Users\Application Data\s3q8r1238.dat
2010-04-23 20:28 . 2009-12-22 00:58 -------- d-----w- c:\program files\SpeedFan
2010-04-23 17:39 . 2006-03-29 16:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-23 16:30 . 2006-03-29 16:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-23 10:02 . 2004-08-03 23:00 42112 ----a-w- c:\windows\system32\drivers\imapi.sys
2010-04-23 09:28 . 2009-07-26 20:12 -------- d-----w- c:\program files\iTunes
2010-04-23 09:28 . 2010-04-24 12:34 34308 ----a-w- c:\windows\Fonts\o2E6nV.com
2010-04-23 09:28 . 2005-08-05 12:43 34308 ----a-w- c:\windows\system32\ICO .exe
2010-04-23 09:28 . 2005-08-04 18:08 -------- d-----w- c:\program files\Apoint
2010-04-23 08:58 . 2009-11-15 03:30 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-23 01:05 . 2009-06-30 14:48 -------- d-----w- c:\documents and settings\Kevin\Application Data\uTorrent
2010-04-19 22:03 . 2006-04-19 14:53 -------- d-----w- c:\documents and settings\Kevin\Application Data\Skype
2010-04-19 21:59 . 2009-11-23 20:15 -------- d-----w- c:\documents and settings\Kevin\Application Data\skypePM
2010-04-16 23:55 . 2010-04-16 23:55 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_xusb21_01001.Wdf
2010-03-30 04:41 . 2005-08-05 09:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-29 00:16 . 2010-01-31 01:35 -------- d-----w- c:\documents and settings\Kevin\Application Data\DivX
2010-03-25 02:33 . 2009-11-29 01:29 -------- d-----w- c:\documents and settings\Kevin\Application Data\vlc
2010-03-14 17:51 . 2009-08-06 18:35 80184 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-08-16 16:42 . 2008-08-16 16:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 16:42 . 2008-08-16 16:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 16:42 . 2008-08-16 16:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 16:42 . 2008-08-16 16:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 16:43 . 2008-08-16 16:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 16:42 . 2008-08-16 16:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 16:42 . 2008-08-16 16:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 07:41 . 2008-05-21 07:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 07:41 . 2008-05-21 07:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 07:41 . 2008-05-21 07:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 12:58 . 2008-06-05 12:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 16:42 . 2008-08-16 16:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.
CODE
c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray .exe
c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe
c:\program files\Apoint\Apoint .exe
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Logitech\Video\ISStart .exe
c:\program files\Logitech\Video\LogiTray .exe
c:\program files\Logitech\Video\ManifestEngine .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\Microsoft Xbox 360 Accessories\XboxStat .exe
c:\program files\QuickTime\qttask         .exe
c:\program files\QuickTime\qttask        .exe
c:\program files\QuickTime\qttask      .exe
c:\program files\QuickTime\qttask     .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Realtek\InstallShield\AzMixerSel .exe
c:\program files\Sony\ISB Utility\ISBMgr .exe
c:\program files\Sony\VAIO Power Management\SPMgr .exe
c:\program files\Sony\VAIO Update 4\VAIOUpdt .exe
c:\program files\Sony\Wireless Switch Setting Utility\Switcher .exe
c:\program files\Utimaco\SafeGuard PrivateDisk\pdservice .exe
c:\windows\ATK0100\Hcontrol .exe
c:\windows\system32\ICO .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [N/A]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2010-04-23 34312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"Hcontrol"="c:\windows\ATK0100\Hcontrol.exe" [2010-04-23 34308]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2010-04-23 34308]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2010-04-23 34308]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2010-04-23 34308]
"Mouse Suite 98 Daemon"="ICO.EXE" [N/A]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2010-04-23 34308]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2010-04-23 34308]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2010-04-23 34308]
"PDService.exe"="c:\program files\Utimaco\SafeGuard PrivateDisk\pdservice.exe" [2010-04-23 34308]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2010-04-23 34308]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-04-23 34308]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-23 34308]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-04-23 34308]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-23 34308]
"VAIO Update 4"="c:\program files\Sony\VAIO Update 4\VAIOUpdt.exe" [N/A]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2010-04-23 34308]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2010-04-23 34308]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2010-04-23 34308]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
VAIO Launcher.lnk - c:\program files\Sony\VAIO Launcher\Launcher.exe [2005-12-5 778240]

c:\documents and settings\Guest\Start Menu\Programs\Startup\
VAIO Launcher.lnk - c:\program files\Sony\VAIO Launcher\Launcher.exe [2005-12-5 778240]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-23 09:02 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-20 16:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0stera

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"d:\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"6185:TCP"= 6185:TCP:Services
"6186:TCP"= 6186:TCP:Services

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [23/04/2010 10:02 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [23/04/2010 10:02 242896]
R1 PrivateDisk;PrivateDisk;c:\windows\system32\drivers\privatediskm.sys [06/07/2004 14:07 45627]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [04/10/2004 04:47 98304]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [23/04/2010 10:00 308064]
R2 k;k;c:\windows\system32\o.sys [23/04/2010 10:29 4736]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [04/10/2004 03:40 118784]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [04/08/2005 09:59 71961]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [10/01/2008 11:57 13352]
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);c:\windows\system32\drivers\sea1bus.sys [03/11/2007 09:13 61536]
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;c:\windows\system32\drivers\sea1mdfl.sys [03/11/2007 09:13 9360]
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;c:\windows\system32\drivers\sea1mdm.sys [03/11/2007 09:13 97088]
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\sea1mgmt.sys [03/11/2007 09:14 88624]
S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);c:\windows\system32\drivers\sea1nd5.sys [03/11/2007 09:14 18704]
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;c:\windows\system32\drivers\sea1obex.sys [03/11/2007 09:14 86432]
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);c:\windows\system32\drivers\sea1unic.sys [03/11/2007 09:14 90800]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
.
Contents of the 'Scheduled Tasks' folder

2010-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]

2010-04-23 c:\windows\Tasks\At1.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-23 c:\windows\Tasks\At10.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At100.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At101.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At102.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At103.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At104.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At105.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At106.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At107.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At108.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At109.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-23 c:\windows\Tasks\At11.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At110.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At111.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At112.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At113.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At114.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At115.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At116.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At117.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At118.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At119.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-23 c:\windows\Tasks\At12.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At120.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-23 c:\windows\Tasks\At13.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At14.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-23 c:\windows\Tasks\At15.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-23 c:\windows\Tasks\At16.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-23 c:\windows\Tasks\At17.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-23 c:\windows\Tasks\At18.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-23 c:\windows\Tasks\At19.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-23 c:\windows\Tasks\At2.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-23 c:\windows\Tasks\At20.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-23 c:\windows\Tasks\At21.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-23 c:\windows\Tasks\At22.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-23 c:\windows\Tasks\At23.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-23 c:\windows\Tasks\At24.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At25.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At26.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At27.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At28.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At29.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At3.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At30.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At31.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At32.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At33.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At34.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At35.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At36.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At37.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At38.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At39.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-23 c:\windows\Tasks\At4.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At40.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At41.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At42.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At43.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At44.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At45.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At46.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At47.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At48.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At49.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-23 c:\windows\Tasks\At5.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At50.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At51.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At52.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At53.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At54.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At55.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At56.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At57.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At58.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At59.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-23 c:\windows\Tasks\At6.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At60.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At61.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At62.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At63.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At64.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At65.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At66.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At67.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At68.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At69.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-23 c:\windows\Tasks\At7.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At70.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At71.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At72.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At73.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At74.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At75.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At76.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At77.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At78.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At79.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-23 c:\windows\Tasks\At8.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At80.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At81.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At82.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At83.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At84.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At85.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At86.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At87.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At88.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At89.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-23 c:\windows\Tasks\At9.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At90.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At91.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At92.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At93.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At94.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At95.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At96.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At97.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At98.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At99.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: sony-europe.com
Trusted Zone: sonystyle-europe.com
Trusted Zone: vaio-link.com
FF - ProfilePath - c:\documents and settings\Kevin\Application Data\Mozilla\Firefox\Profiles\lb6l3dxa.default\
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-CompanionWizard - c:\program files\Common Files\Companion Wizard\compwiz.exe
AddRemove-SDR_is1 - c:\program files\SystemDoctor\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-24 13:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\ICO .exe 34308 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'explorer.exe'(9872)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
c:\windows\system32\wscntfy.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
c:\program files\Apoint\Apoint .exe
c:\program files\Realtek\InstallShield\AzMixerSel .exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
c:\program files\Utimaco\SafeGuard PrivateDisk\pdservice .exe
c:\program files\Sony\ISB Utility\ISBMgr .exe
c:\program files\Microsoft Xbox 360 Accessories\XboxStat .exe
c:\program files\Sony\Wireless Switch Setting Utility\Switcher .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray .exe
c:\program files\Sony\VAIO Power Management\SPMgr .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Logitech\Video\LogiTray .exe
c:\program files\Apoint\Apntex.exe
c:\program files\Logitech\Video\FxSvr2.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-04-24 13:38:54 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-24 12:38

Pre-Run: 9,450,496,000 bytes free
Post-Run: 10,665,041,920 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 431EE6684130E1B09D6B06963F3EB26F


#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:12:41 AM

Posted 24 April 2010 - 11:22 AM

Hello,

We have got the main infection, but it has done some major damage. We will try and fix the damage it has done.

1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

CODE
Killall::

AtJob::

File::
c:\windows\system32\o.sys
c:\documents and settings\All Users\Application Data\jL08M5nO.exe
c:\windows\Fonts\o2E6nV.com

Domains::

RenV::
c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray .exe
c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe
c:\program files\Apoint\Apoint .exe
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Logitech\Video\ISStart .exe
c:\program files\Logitech\Video\LogiTray .exe
c:\program files\Logitech\Video\ManifestEngine .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\Microsoft Xbox 360 Accessories\XboxStat .exe
c:\program files\QuickTime\qttask         .exe
c:\program files\QuickTime\qttask        .exe
c:\program files\QuickTime\qttask      .exe
c:\program files\QuickTime\qttask     .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Realtek\InstallShield\AzMixerSel .exe
c:\program files\Sony\ISB Utility\ISBMgr .exe
c:\program files\Sony\VAIO Power Management\SPMgr .exe
c:\program files\Sony\VAIO Update 4\VAIOUpdt .exe
c:\program files\Sony\Wireless Switch Setting Utility\Switcher .exe
c:\program files\Utimaco\SafeGuard PrivateDisk\pdservice .exe
c:\windows\ATK0100\Hcontrol .exe
c:\windows\system32\ICO .exe

Driver::
k


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Things to include in your next reply:
Combofix.txt
How is your machine running now?

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!
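To show how a helper reads a log like the one above before writing a CFScript, here is an added example (not ComboFix's or the forum's own code) that parses a constructed excerpt in the same log format and flags the persistence patterns visible in this thread: executables renamed to "name .exe", Run entries replaced by same-sized clones, At*.job tasks fanning out to the dropped files, and a service with a one-character name. The function names, thresholds and the sample excerpt are my own assumptions.

```python
"""Triage of a ComboFix-style log for the persistence patterns in this thread.
Added example, not ComboFix's own code; SAMPLE_LOG is a constructed excerpt."""
import re
from collections import defaultdict

# Constructed excerpt in the log format seen in this thread (not a real capture).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"Hcontrol"="c:\windows\ATK0100\Hcontrol.exe" [2010-04-23 34308]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2010-04-23 34308]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2010-04-23 34308]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"Mouse Suite 98 Daemon"="ICO.EXE" [N/A]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [23/04/2010 10:00 308064]
R2 k;k;c:\windows\system32\o.sys [23/04/2010 10:29 4736]
Contents of the 'Scheduled Tasks' folder

2010-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]

2010-04-23 c:\windows\Tasks\At1.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-23 c:\windows\Tasks\At2.job
- c:\windows\Fonts\o2E6nV.com [2010-04-24 09:28]

2010-04-24 c:\windows\Tasks\At25.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]

2010-04-24 c:\windows\Tasks\At26.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 12:05]
"""

RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)" \[(?P<meta>[^\]]*)\]$')
SERVICE_ENTRY = re.compile(r'^[RS]\d (?P<svc>[^;]*);(?P<desc>[^;]*);(?P<path>.*?) \[[^\]]*\]$')
TASK_JOB = re.compile(r'^\d{4}-\d{2}-\d{2} (?P<job>.+\.job)$')
TASK_TARGET = re.compile(r'^- (?P<path>.+?) \[[^\]]*\]$')
# A drive-letter path whose file name carries a space right before .exe/.com.
SPACED_EXE = re.compile(r'(?P<path>[a-z]:\\[^"\[\]]*? +\.(?:exe|com))', re.IGNORECASE)


def find_renamed_executables(log_text):
    """Paths written as 'name .exe': the infection in this thread renames the real
    program that way and drops its own copy under the original file name."""
    found = []
    for line in log_text.splitlines():
        for m in SPACED_EXE.finditer(line):
            path = m.group('path').lower()
            if path not in found:
                found.append(path)
    return found


def find_cloned_autoruns(log_text, min_group=3):
    """Run-key entries whose binaries share one (date, size) stamp; many unrelated
    programs all reporting 34308 bytes from the same day is the clone pattern."""
    by_stamp = defaultdict(list)
    for m in map(RUN_ENTRY.match, log_text.splitlines()):
        parts = m.group('meta').split() if m else []  # '2010-04-23 34308', or 'X' / 'N/A'
        if len(parts) == 2 and parts[1].isdigit():
            by_stamp[(parts[0], int(parts[1]))].append(m.group('name'))
    return {stamp: names for stamp, names in by_stamp.items() if len(names) >= min_group}


def find_task_fanout(log_text, min_jobs=2):
    """Targets launched by several At<N>.job tasks (the at.exe naming scheme); the
    thread's log had 120 such jobs pointing at two dropped files."""
    targets = defaultdict(list)
    current_job = None
    for line in log_text.splitlines():
        mj = TASK_JOB.match(line)
        if mj:
            current_job = mj.group('job').rsplit('\\', 1)[-1]
            continue
        mt = TASK_TARGET.match(line)
        if mt and current_job:
            targets[mt.group('path').lower()].append(current_job)
            current_job = None
    return {t: jobs for t, jobs in targets.items()
            if sum(1 for j in jobs if re.fullmatch(r'At\d+\.job', j)) >= min_jobs}


def find_terse_services(log_text, max_len=1):
    """Services whose name and description are both a single character (the 'k'
    service loading o.sys here); real drivers carry a name and vendor description."""
    return [(m.group('svc'), m.group('path'))
            for m in map(SERVICE_ENTRY.match, log_text.splitlines())
            if m and len(m.group('svc')) <= max_len and len(m.group('desc')) <= max_len]


if __name__ == '__main__':
    for fn in (find_renamed_executables, find_cloned_autoruns, find_task_fanout, find_terse_services):
        print(fn.__name__, fn(SAMPLE_LOG))
```

Every hit the heuristics return on the sample maps onto a line of the CFScript above: the RenV:: entries, the File:: drops, the AtJob:: directive and the Driver:: k service.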


#5 OrFloB

OrFloB
  • Topic Starter

  • Members
  • 20 posts
  • Local time:06:41 AM

Posted 24 April 2010 - 06:31 PM

Perhaps too early to say how the system is performing. Only noticed little things like I mentioned, the AVG tray icon and such. Re-directs are nonexistent.

Anyway. Here is the log, as requested.

-

ComboFix 10-04-21.01 - Kevin 25/04/2010 0:12.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.498 [GMT 1:00]
Running from: c:\documents and settings\Kevin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kevin\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\documents and settings\All Users\Application Data\jL08M5nO.exe"
"c:\windows\Fonts\o2E6nV.com"
"c:\windows\system32\o.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\jL08M5nO.exe
c:\windows\Fonts\o2E6nV.com
c:\windows\system32\o.sys
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At100.job
c:\windows\Tasks\At101.job
c:\windows\Tasks\At102.job
c:\windows\Tasks\At103.job
c:\windows\Tasks\At104.job
c:\windows\Tasks\At105.job
c:\windows\Tasks\At106.job
c:\windows\Tasks\At107.job
c:\windows\Tasks\At108.job
c:\windows\Tasks\At109.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At110.job
c:\windows\Tasks\At111.job
c:\windows\Tasks\At112.job
c:\windows\Tasks\At113.job
c:\windows\Tasks\At114.job
c:\windows\Tasks\At115.job
c:\windows\Tasks\At116.job
c:\windows\Tasks\At117.job
c:\windows\Tasks\At118.job
c:\windows\Tasks\At119.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At120.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At49.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At50.job
c:\windows\Tasks\At51.job
c:\windows\Tasks\At52.job
c:\windows\Tasks\At53.job
c:\windows\Tasks\At54.job
c:\windows\Tasks\At55.job
c:\windows\Tasks\At56.job
c:\windows\Tasks\At57.job
c:\windows\Tasks\At58.job
c:\windows\Tasks\At59.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At60.job
c:\windows\Tasks\At61.job
c:\windows\Tasks\At62.job
c:\windows\Tasks\At63.job
c:\windows\Tasks\At64.job
c:\windows\Tasks\At65.job
c:\windows\Tasks\At66.job
c:\windows\Tasks\At67.job
c:\windows\Tasks\At68.job
c:\windows\Tasks\At69.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At70.job
c:\windows\Tasks\At71.job
c:\windows\Tasks\At72.job
c:\windows\Tasks\At73.job
c:\windows\Tasks\At74.job
c:\windows\Tasks\At75.job
c:\windows\Tasks\At76.job
c:\windows\Tasks\At77.job
c:\windows\Tasks\At78.job
c:\windows\Tasks\At79.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At80.job
c:\windows\Tasks\At81.job
c:\windows\Tasks\At82.job
c:\windows\Tasks\At83.job
c:\windows\Tasks\At84.job
c:\windows\Tasks\At85.job
c:\windows\Tasks\At86.job
c:\windows\Tasks\At87.job
c:\windows\Tasks\At88.job
c:\windows\Tasks\At89.job
c:\windows\Tasks\At9.job
c:\windows\Tasks\At90.job
c:\windows\Tasks\At91.job
c:\windows\Tasks\At92.job
c:\windows\Tasks\At93.job
c:\windows\Tasks\At94.job
c:\windows\Tasks\At95.job
c:\windows\Tasks\At96.job
c:\windows\Tasks\At97.job
c:\windows\Tasks\At98.job
c:\windows\Tasks\At99.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_K
-------\Service_k


((((((((((((((((((((((((( Files Created from 2010-03-24 to 2010-04-24 )))))))))))))))))))))))))))))))
.

2010-04-28 00:47 . 2010-04-28 00:47 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-28 00:39 . 2010-04-28 00:39 -------- d-----w- C:\spoolerlogs
2010-04-23 09:09 . 2010-04-23 09:09 -------- d-----w- c:\documents and settings\Kevin\Application Data\Malwarebytes
2010-04-23 09:09 . 2010-03-29 23:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-23 09:09 . 2010-04-24 23:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-23 09:09 . 2010-04-23 09:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-23 09:09 . 2010-03-29 23:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-23 09:02 . 2010-04-23 09:02 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-23 09:02 . 2010-04-23 09:02 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-23 09:02 . 2010-04-23 09:02 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-23 09:02 . 2010-04-23 09:02 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-23 09:02 . 2010-04-24 12:06 -------- d-----w- c:\windows\system32\drivers\Avg
2010-04-23 08:58 . 2010-04-23 08:58 -------- d-----w- c:\program files\AVG
2010-04-23 01:31 . 2010-04-23 01:31 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-04-23 01:31 . 2010-04-23 01:31 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2010-04-23 01:31 . 2010-04-23 01:31 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2010-04-23 01:31 . 2010-04-23 01:31 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-04-23 01:28 . 2010-04-23 01:28 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-23 01:01 . 2010-04-23 01:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-23 01:01 . 2010-04-23 01:01 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-16 23:58 . 2010-04-16 23:58 8854 ----a-r- c:\documents and settings\Kevin\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\Uninstall_Project64__9559F7CA5E344237A2D9D856464AD727.exe
2010-04-16 23:58 . 2010-04-16 23:58 40960 ----a-r- c:\documents and settings\Kevin\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe
2010-04-16 23:58 . 2010-04-16 23:58 40960 ----a-r- c:\documents and settings\Kevin\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe
2010-04-16 22:47 . 2010-04-16 22:47 -------- d-----w- C:\$AVG
2010-04-16 21:32 . 2007-02-26 17:15 61984 ----a-w- c:\windows\system32\drivers\xusb21.sys
2010-04-16 21:32 . 2007-02-26 17:15 1421216 ----a-w- c:\windows\system32\WdfCoInstaller01001.dll
2010-04-16 21:31 . 2010-04-24 23:12 -------- d-----w- c:\program files\Microsoft Xbox 360 Accessories
2010-04-16 21:31 . 2006-09-28 15:04 68888 ----a-w- c:\windows\system32\xinput1_3.dll
2010-04-16 21:28 . 2010-04-16 21:28 -------- d-----w- c:\program files\7-Zip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-24 23:25 . 2010-04-23 09:29 112 ----a-w- c:\documents and settings\All Users\Application Data\s3q8r1238.dat
2010-04-24 23:25 . 2010-04-24 23:25 65540 ----a-w- c:\documents and settings\All Users\Application Data\jL08M5nO.exe
2010-04-24 23:25 . 2010-04-24 23:25 65540 ----a-w- c:\documents and settings\All Users\Application Data\jL08M5nO.exe
2010-04-24 23:12 . 2009-07-26 20:10 -------- d-----w- c:\program files\QuickTime
2010-04-24 23:12 . 2009-07-26 20:12 -------- d-----w- c:\program files\iTunes
2010-04-24 23:12 . 2005-08-04 18:08 -------- d-----w- c:\program files\Apoint
2010-04-23 20:28 . 2009-12-22 00:58 -------- d-----w- c:\program files\SpeedFan
2010-04-23 17:39 . 2006-03-29 16:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-23 16:30 . 2006-03-29 16:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-23 10:02 . 2004-08-03 23:00 42112 ----a-w- c:\windows\system32\drivers\imapi.sys
2010-04-23 09:28 . 2005-08-05 12:43 34308 ----a-w- c:\windows\system32\ICO.exe
2010-04-23 08:58 . 2009-11-15 03:30 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-23 01:05 . 2009-06-30 14:48 -------- d-----w- c:\documents and settings\Kevin\Application Data\uTorrent
2010-04-19 22:03 . 2006-04-19 14:53 -------- d-----w- c:\documents and settings\Kevin\Application Data\Skype
2010-04-19 21:59 . 2009-11-23 20:15 -------- d-----w- c:\documents and settings\Kevin\Application Data\skypePM
2010-04-16 23:55 . 2010-04-16 23:55 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_xusb21_01001.Wdf
2010-03-30 04:41 . 2005-08-05 09:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-29 00:16 . 2010-01-31 01:35 -------- d-----w- c:\documents and settings\Kevin\Application Data\DivX
2010-03-25 02:33 . 2009-11-29 01:29 -------- d-----w- c:\documents and settings\Kevin\Application Data\vlc
2010-03-14 17:51 . 2009-08-06 18:35 80184 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-08-16 16:42 . 2008-08-16 16:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-08-16 16:42 . 2008-08-16 16:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-08-16 16:42 . 2008-08-16 16:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2008-08-16 16:42 . 2008-08-16 16:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-08-16 16:43 . 2008-08-16 16:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-08-16 16:42 . 2008-08-16 16:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2008-08-16 16:42 . 2008-08-16 16:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 07:41 . 2008-05-21 07:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 07:41 . 2008-05-21 07:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 07:41 . 2008-05-21 07:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-06-05 12:58 . 2008-06-05 12:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-08-16 16:42 . 2008-08-16 16:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"Hcontrol"="c:\windows\ATK0100\Hcontrol.exe" [2004-07-19 61440]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-07 114688]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-28 344064]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-02-14 53248]
"Mouse Suite 98 Daemon"="ICO.EXE" [2010-04-23 34308]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-05-15 184320]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2005-01-20 167936]
"PDService.exe"="c:\program files\Utimaco\SafeGuard PrivateDisk\pdservice.exe" [2004-07-06 40960]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2005-03-03 483328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-08 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"VAIO Update 4"="c:\program files\Sony\VAIO Update 4\VAIOUpdt.exe" [2008-08-24 870240]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 734264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
VAIO Launcher.lnk - c:\program files\Sony\VAIO Launcher\Launcher.exe [2005-12-5 778240]

c:\documents and settings\Guest\Start Menu\Programs\Startup\
VAIO Launcher.lnk - c:\program files\Sony\VAIO Launcher\Launcher.exe [2005-12-5 778240]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-23 09:02 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-20 16:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0stera

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"d:\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"6185:TCP"= 6185:TCP:Services
"6186:TCP"= 6186:TCP:Services

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [23/04/2010 10:02 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [23/04/2010 10:02 242896]
R1 PrivateDisk;PrivateDisk;c:\windows\system32\drivers\privatediskm.sys [06/07/2004 14:07 45627]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [04/10/2004 04:47 98304]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [23/04/2010 10:00 308064]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [04/10/2004 03:40 118784]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [04/08/2005 09:59 71961]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [10/01/2008 11:57 13352]
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);c:\windows\system32\drivers\sea1bus.sys [03/11/2007 09:13 61536]
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;c:\windows\system32\drivers\sea1mdfl.sys [03/11/2007 09:13 9360]
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;c:\windows\system32\drivers\sea1mdm.sys [03/11/2007 09:13 97088]
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\sea1mgmt.sys [03/11/2007 09:14 88624]
S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);c:\windows\system32\drivers\sea1nd5.sys [03/11/2007 09:14 18704]
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;c:\windows\system32\drivers\sea1obex.sys [03/11/2007 09:14 86432]
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);c:\windows\system32\drivers\sea1unic.sys [03/11/2007 09:14 90800]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
.
Contents of the 'Scheduled Tasks' folder

2010-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]

2010-04-24 c:\windows\Tasks\At1.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 23:25]

2010-04-24 c:\windows\Tasks\At10.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 23:25]

2010-04-24 c:\windows\Tasks\At11.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 23:25]

2010-04-24 c:\windows\Tasks\At12.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 23:25]

2010-04-24 c:\windows\Tasks\At13.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 23:25]

2010-04-24 c:\windows\Tasks\At14.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 23:25]

2010-04-24 c:\windows\Tasks\At15.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 23:25]

2010-04-24 c:\windows\Tasks\At16.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 23:25]

2010-04-24 c:\windows\Tasks\At17.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 23:25]

2010-04-24 c:\windows\Tasks\At18.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 23:25]

2010-04-24 c:\windows\Tasks\At19.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 23:25]

2010-04-24 c:\windows\Tasks\At2.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 23:25]

2010-04-24 c:\windows\Tasks\At20.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 23:25]

2010-04-24 c:\windows\Tasks\At21.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 23:25]

2010-04-24 c:\windows\Tasks\At22.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 23:25]

2010-04-24 c:\windows\Tasks\At23.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 23:25]

2010-04-24 c:\windows\Tasks\At24.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 23:25]

2010-04-24 c:\windows\Tasks\At3.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 23:25]

2010-04-24 c:\windows\Tasks\At4.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 23:25]

2010-04-24 c:\windows\Tasks\At5.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 23:25]

2010-04-24 c:\windows\Tasks\At6.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 23:25]

2010-04-24 c:\windows\Tasks\At7.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 23:25]

2010-04-24 c:\windows\Tasks\At8.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 23:25]

2010-04-24 c:\windows\Tasks\At9.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 23:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Kevin\Application Data\Mozilla\Firefox\Profiles\lb6l3dxa.default\
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-25 00:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'explorer.exe'(2820)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
c:\windows\system32\wscntfy.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
c:\program files\Logitech\Video\FxSvr2.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-04-25 00:28:08 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-24 23:28
ComboFix2.txt 2010-04-24 12:38

Pre-Run: 10,983,886,848 bytes free
Post-Run: 10,942,693,376 bytes free

- - End Of File - - FB9E087404116087C024FEA057FC933B
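From a detection standpoint the log above has two findings worth automating: 120 At*.job scheduled tasks (the kind at.exe creates) all launching one executable out of All Users\Application Data, and four firewall exceptions that open high TCP ports globally. The script below is an added example, not part of the original post and not ComboFix code; it parses the "Scheduled Tasks" and GloballyOpenPorts sections of a ComboFix-style log and flags exactly those patterns. The embedded log is a constructed excerpt modelled on the one posted (two of the At*.job entries and the four ports), not the full log, and the script only reads; it changes nothing on the machine.

```python
"""Triage a ComboFix-style log for At*.job scheduled tasks and globally
opened firewall ports.  Added example; not ComboFix code, read-only."""
import re
from collections import Counter

# Constructed excerpt modelled on the ComboFix log posted in the thread.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"6185:TCP"= 6185:TCP:Services
"6186:TCP"= 6186:TCP:Services

.
Contents of the 'Scheduled Tasks' folder

2010-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]

2010-04-24 c:\windows\Tasks\At1.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 23:25]

2010-04-24 c:\windows\Tasks\At10.job
- c:\documents and settings\All Users\Application Data\jL08M5nO.exe [2010-04-24 23:25]
.
------- Supplementary Scan -------
"""

TASK_HEADER = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>\S.*\.job)$", re.IGNORECASE)
TASK_TARGET = re.compile(r"^- (?P<target>.+?) \[\d{4}-\d{2}-\d{2} \d{2}:\d{2}\]$")
PORT_ENTRY = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=')
AT_JOB = re.compile(r"\\At\d+\.job$", re.IGNORECASE)
# Directories a legitimate scheduled task rarely launches its program from.
DATA_DIRS = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\")


def parse_scheduled_tasks(log):
    """Return (job, target) pairs from the 'Scheduled Tasks' section."""
    tasks, job, in_section = [], None, False
    for line in log.splitlines():
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("-------"):  # next ComboFix section header
            break
        m = TASK_HEADER.match(line)
        if m:
            job = m.group("job")
            continue
        m = TASK_TARGET.match(line)
        if m and job is not None:
            tasks.append((job, m.group("target")))
            job = None
    return tasks


def parse_open_ports(log):
    """Return (port, protocol) pairs from the GloballyOpenPorts key."""
    ports, in_section = [], False
    for line in log.splitlines():
        if line.startswith("[") and "GloballyOpenPorts" in line:
            in_section = True
            continue
        if not in_section:
            continue
        if not line.strip():  # the key's value list ends at the first blank line
            break
        m = PORT_ENTRY.match(line)
        if m:
            ports.append((int(m.group("port")), m.group("proto")))
    return ports


def flag_tasks(tasks):
    """Attach a list of reasons to each task that deserves a closer look."""
    flagged = []
    for job, target in tasks:
        reasons = []
        if AT_JOB.search(job):
            reasons.append("AtN.job name: created with at.exe, not by the user")
        if any(d in target.lower() for d in DATA_DIRS):
            reasons.append("target lives in a data directory")
        if reasons:
            flagged.append((job, target, reasons))
    return flagged


def triage(log):
    """Summarise what an analyst would pull out of the log first."""
    tasks = parse_scheduled_tasks(log)
    counts = Counter(target.lower() for _, target in tasks)
    return {
        "task_count": len(tasks),
        "flagged": flag_tasks(tasks),
        "open_ports": parse_open_ports(log),
        # one binary launched by many tasks is the pattern seen in this thread
        "shared_targets": {t: n for t, n in counts.items() if n > 1},
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['task_count']} scheduled tasks, {len(result['flagged'])} flagged")
    for job, target, reasons in result["flagged"]:
        print(f"  {job} -> {target}: {'; '.join(reasons)}")
    print("globally open ports:", result["open_ports"])
    print("targets shared by several tasks:", result["shared_targets"])
```

Run it against a saved ComboFix.txt by replacing SAMPLE_LOG with the file's contents; on the full log above it would report 120 flagged tasks sharing one target and the four open ports, which is the same set of items the CFScript in the next reply removes.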


#6 fireman4it


    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 24 April 2010 - 08:39 PM

Hello,

Let's do some more checking and cleaning up.

1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

CODE
File::
c:\documents and settings\All Users\Application Data\s3q8r1238.dat
c:\documents and settings\All Users\Application Data\jL08M5nO.exe
c:\documents and settings\All Users\Application Data\jL08M5nO.exe
c:\program files\QuickTime\qttask .exe

Folder::
c:\Program Files\uTorrent

Atjob::

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"52344:TCP"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6185:TCP"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6186:TCP"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"=-


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2.
Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

3.
Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

4.
New Adobe Reader Installation:
  • Go here and click on the Download button to download the latest version of Adobe Reader.
  • Save this file to your desktop and run it to install the latest version of Adobe Reader.

5.
Uninstalling A Program Through "add/remove"

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon.
A list of programs installed will be "populated"; this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java DB 10.4.2.1
Java™ 6 Update 16
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Development Kit 6 Update 16
Java™ SE Runtime Environment 6 Update 1


Additional instructions can be found here if needed.

Things to include in your next reply:
Combofix.txt
MBAM log.
Still running ok except avg icon?



#7 OrFloB

  • Topic Starter

  • Members
  • 20 posts

Posted 26 April 2010 - 01:18 PM

Things have really hit the fan now. I'm not sure what's happened, but it seems I've gotten re-infected even worse than the first time.

I was browsing (nothing out of the ordinary; Facebook, Google, some YouTube) and suddenly 2 DOS command prompt-like windows appeared, and vanished again. After this, what happened is still unclear. I remember getting a Windows Security Center popup informing me that my firewall had been turned off (presumably the Trojan again). After this IE opened, trying to point me to a site that was blocked as it "could harm my computer". Along with this, I kept getting Windows security messages telling me my computer had been infected with a trojan (I didn't grab the name, as by this point I was panicking, as you can imagine). This continued for 2-3 minutes till I finally just shut down the computer, hoping that a restart would at least prevent this endless amount of spam.

Now however, I can start up the PC, get to the login screen, where the Keyboard/Mouse will just cease up (when the mouse pointer first appears, I can move it as normal). I am unable to go further as I cannot type in my password or even click on my user account. This behaviour is also echoed in Safe Mode...

I still have the windows recovery console as a boot option. Perhaps this is the best course of action. Unfortunately all this hit before I could carry out the next steps mentioned in your previous report!

Any light you can shine on the situation would be appreciated!

Regards, and sorry for the mini-essay.
-Ryan

#8 fireman4it (Malware Response Team)
Posted 26 April 2010 - 06:05 PM

Hello,

Wow, sorry to hear that happened, and so fast. We can take a look, but it will take some work on your part.


First

ISOBurner: this will allow you to burn the OTLPE ISO to a CD and make it bootable. Just install the program; from there on it is fairly automatic. Instructions

Second

  • Download OTLPE.iso and burn it to a CD using ISOBurner. NOTE: This file is 292Mb in size, so it may take some time to download.
  • When downloaded, double-click it and this will open ISOBurner to burn the file to CD.
  • Reboot your system using the boot CD you just created.
    Note: If you do not know how to set your computer to boot from CD, follow the steps here.
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes.
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes.
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK.
  • OTL should now start. Change the following settings:
    o Change Drivers to Use All
    o Change Registry to All
    o Under the Custom Scan box paste this in:



    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    userinit.exe
    explorer.exe
    /md5stop
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    %systemroot%\System32\config\*.sav

  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • If you don't have internet access copy this file to your USB drive.
  • Please post the contents of the C:\OTL.txt file in your reply.

Edited by fireman4it, 26 April 2010 - 06:05 PM.



#9 OrFloB (Topic Starter)
Posted 28 April 2010 - 06:26 PM

Here's the GMER log, though I'm not sure if it's complete; the first one was much more extensive. I'm not sure what else I can do: OTLPE gave me an "invalid variant type conversion" when I tried to run it, and saves no log.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-28 16:02:04
Windows 5.1.2600 Service Pack 3
Running: GMER.EXE; Driver: C:\DOCUME~1\Kevin\LOCALS~1\Temp\kfryiaoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.pak2 C:\WINDOWS\system32\drivers\lqcgu.sys entry point in ".pak2" section [0xF75C74E0]
? C:\WINDOWS\system32\drivers\lqcgu.sys A device attached to the system is not functioning.
PAGE Ntfs.sys F7450E55 4 Bytes CALL 873D10A1

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 87379678

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] lqcgu <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\lqcgu@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\lqcgu@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\lqcgu@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\lqcgu@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\lqcgu@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\lqcgu@Start 0
Reg HKLM\SYSTEM\ControlSet003\Services\lqcgu@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\lqcgu@Group Boot Bus Extender

---- EOF - GMER 1.0.15 ----



Let me know if there's anything else I can do. I feel lost at the moment, the system is unusable.

EDIT: I'm getting countless XP Smart Security Popups (fake antivirus scans, threat reports, etc). I'm not sure if this is new or I have just not realised them amongst all the other popups before.

Edited by OrFloB, 28 April 2010 - 06:30 PM.
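
The key line in that log is the hidden BOOT service, and the registry lines underneath say what kind of driver it is. The following triage parser for GMER's text output is an added example and is not part of this thread or of GMER itself; the log excerpt is constructed inline from the lines quoted above, and the set of "normal" code section names and the assumption that the service name equals the driver file name (true for lqcgu here) are mine.

```python
import re
from collections import defaultdict

# Constructed excerpt in the GMER 1.0.15 log format, reduced to the lines
# quoted in the post above and the sections this parser reads.
SAMPLE_GMER_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----

.pak2 C:\WINDOWS\system32\drivers\lqcgu.sys entry point in ".pak2" section [0xF75C74E0]
? C:\WINDOWS\system32\drivers\lqcgu.sys A device attached to the system is not functioning.
PAGE Ntfs.sys F7450E55 4 Bytes CALL 873D10A1

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] lqcgu <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\lqcgu@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\lqcgu@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\lqcgu@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\lqcgu@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\lqcgu@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\lqcgu@Start 0
"""

# Line shapes from the three GMER sections used here.
HIDDEN_SVC = re.compile(r"^Service \(\*\*\* hidden \*\*\* \) \[(\w+)\] (\S+)")
REG_VALUE = re.compile(r"^Reg HKLM\\SYSTEM\\(\w+)\\Services\\([^@\\]+)@(\w+) (.*)$")
ENTRY_POINT = re.compile(r'^(\S+) (\S+\.sys) entry point in "([^"]+)" section')
UNREADABLE = re.compile(r"^\? (\S+\.sys) (.+)$")

# Sections a normally built driver puts its entry point in (my assumption);
# anything else suggests a packed or patched image.
NORMAL_CODE_SECTIONS = {".text", "INIT", "PAGE", "PAGELK"}


def _driver_name(path):
    # Assumes the service name matches the driver file name (as for lqcgu).
    return path.rsplit("\\", 1)[-1][:-len(".sys")]


def parse_gmer(text):
    """Group GMER findings per service: hidden flag, registry values per
    control set, and free-text notes about the driver image."""
    svcs = defaultdict(lambda: {"hidden": False, "reg": {}, "notes": []})
    for raw in text.splitlines():
        line = raw.strip()
        m = HIDDEN_SVC.match(line)
        if m:
            svcs[m.group(2)]["hidden"] = True
            continue
        m = REG_VALUE.match(line)
        if m:
            cs, name, value, data = m.groups()
            svcs[name]["reg"].setdefault(cs, {})[value] = data
            continue
        m = ENTRY_POINT.match(line)
        if m:
            if m.group(3) not in NORMAL_CODE_SECTIONS:
                svcs[_driver_name(m.group(2))]["notes"].append(
                    "entry point in non-standard section %s" % m.group(3))
            continue
        m = UNREADABLE.match(line)
        if m:
            svcs[_driver_name(m.group(1))]["notes"].append(
                "image unreadable: " + m.group(2))
    return dict(svcs)


def triage(svcs):
    """Return {service: [reasons]} for services worth a closer look.
    A hidden service is always reported; a visible one needs two signals."""
    findings = {}
    for name, info in svcs.items():
        reasons = []
        if info["hidden"]:
            reasons.append("hidden from the service control manager")
        cur = info["reg"].get("CurrentControlSet") or next(iter(info["reg"].values()), {})
        if cur.get("Type") == "1" and cur.get("Start") == "0":
            reasons.append("boot-start kernel driver (Type 1, Start 0)")
        if cur.get("Group") == "Boot Bus Extender":
            reasons.append("loads in the Boot Bus Extender group, with the bus drivers")
        reasons.extend(info["notes"])
        if info["hidden"] or len(reasons) >= 2:
            findings[name] = reasons
    return findings


def triage_log(text):
    return triage(parse_gmer(text))


if __name__ == "__main__":
    for svc, why in triage_log(SAMPLE_GMER_LOG).items():
        print(svc, "->", "; ".join(why))
```

Each signal on its own has a benign explanation (atapi.sys is also a Type 1, Start 0 driver), which is why the visible case needs two of them; a service the SCM cannot enumerate but whose key GMER still reads from the hive has none. The parser only structures what GMER already printed: a rootkit that feeds GMER false data defeats both, which is why the helper wanted the scan repeated from the OTLPE boot CD.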


#10 fireman4it (Malware Response Team)
Posted 28 April 2010 - 06:35 PM

Hello

Try this and see if it works.
    1. Please download OTL from one of the following mirrors:
  • This is THE Mirror
    2. Save it to your desktop.
    3. Double click on the icon on your desktop.
    4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT

    5. Push the Quick Scan button.
    6. Two reports will open, copy and paste them in a reply here:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

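
The /md5start ... /md5stop list in this post (and in the OTLPE instructions in #8) makes OTL print the MD5 of every copy of those files it finds, so the live driver in system32\drivers can be compared with the copies Windows XP keeps in dllcache and ServicePackFiles. Here is that comparison done in Python, as an added example that is not part of the thread or of OTL; the directory layout, the file contents and the list of backup directories are constructed for the demo.

```python
import hashlib
import os
import shutil
import tempfile

# The files named between /md5start and /md5stop in the scan above (subset).
WATCHED = ["eventlog.dll", "scecli.dll", "netlogon.dll", "atapi.sys",
           "iaStor.sys", "nvstor.sys", "userinit.exe", "explorer.exe"]

# Where XP keeps reference copies, relative to the Windows directory (assumed list).
BACKUP_DIRS = ("system32/dllcache", "ServicePackFiles/i386", "$NtServicePackUninstall$")


def file_digest(path, algo="md5"):
    """Hash a file in chunks; OTL reports MD5, so that is the default."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(windir, names):
    """Return {name: [(path relative to windir, md5), ...]} for every copy found."""
    wanted = {n.lower(): n for n in names}
    found = {}
    for root, _dirs, files in os.walk(windir):
        for fn in files:
            if fn.lower() in wanted:
                full = os.path.join(root, fn)
                rel = os.path.relpath(full, windir).replace(os.sep, "/")
                found.setdefault(wanted[fn.lower()], []).append((rel, file_digest(full)))
    return found


def find_mismatches(found):
    """Split watched files into suspect (a live copy matches none of the backup
    copies) and unverified (no backup copy exists to compare against)."""
    suspect, unverified = {}, []
    for name, copies in sorted(found.items()):
        backup_md5s = {md5 for rel, md5 in copies if rel.startswith(BACKUP_DIRS)}
        live = [(rel, md5) for rel, md5 in copies if not rel.startswith(BACKUP_DIRS)]
        if not live:
            continue
        if not backup_md5s:
            unverified.append(name)
            continue
        bad = [(rel, md5) for rel, md5 in live if md5 not in backup_md5s]
        if bad:
            suspect[name] = {"live": bad, "backup_md5s": sorted(backup_md5s)}
    return suspect, unverified


def demo():
    """Build a constructed XP-like tree in a temp dir and check it. atapi.sys
    gets extra bytes in system32/drivers only, the way a driver infector leaves
    the loaded copy patched while dllcache and ServicePackFiles keep the original."""
    tmp = tempfile.mkdtemp()
    clean = b"MZ constructed atapi " * 64
    patched = clean + b"\x90" * 16            # constructed "patch", not real code
    layout = {
        "system32/drivers/atapi.sys": patched,
        "system32/dllcache/atapi.sys": clean,
        "ServicePackFiles/i386/atapi.sys": clean,
        "system32/eventlog.dll": b"MZ constructed eventlog " * 32,
        "system32/dllcache/eventlog.dll": b"MZ constructed eventlog " * 32,
        "explorer.exe": b"MZ constructed explorer " * 32,   # no backup copy
    }
    try:
        for rel, data in layout.items():
            p = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)
        return find_mismatches(collect(tmp, WATCHED))
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    suspect, unverified = demo()
    for name, info in suspect.items():
        print(name, "live copy differs from backups:", info["live"])
    print("no reference copy for:", unverified)
```

Two caveats a practitioner should keep in mind. A match only proves the live copy equals the backup copy, not that either is clean, so the value should still be compared with the known-good hash for the same Windows version and service pack. And a kernel-mode rootkit that hooks the disk driver can hand back the original bytes of the file it infected, so hashes taken from inside the infected system can look fine; that is the reason for running the scan from the OTLPE boot CD rather than from the installed Windows.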


#11 OrFloB (Topic Starter)
Posted 28 April 2010 - 06:56 PM

That scanned fine, thank you! Both files are attached.

I must say how grateful I am for your continued support, fireman4it. Thanks!

Attached Files



#12 fireman4it (Malware Response Team)
Posted 28 April 2010 - 07:30 PM

Hello,

1.
We need to run an OTL Fix
  1. Please reopen on your desktop.
  2. Copy and Paste the following code into the textbox. Do not include the word "Code"
    :OTL
    PRC - [2010/04/28 23:59:32 | 000,096,768 | ---- | M] () -- C:\Documents and Settings\Kevin\Local Settings\temp\asd2.tmp.exe
    PRC - [2010/04/27 10:33:38 | 000,036,868 | -H-- | M] () -- C:\Documents and Settings\Kevin\Local Settings\temp\system .exe
    PRC - [2010/04/26 00:52:20 | 000,030,001 | -H-- | M] () -- C:\Documents and Settings\Kevin\Local Settings\temp\D7QTJH .exe
    PRC - [2010/04/26 00:52:10 | 000,205,824 | -HS- | M] () -- C:\Documents and Settings\Kevin\Local Settings\Application Data\ave.exe
    MOD - [2010/04/26 00:52:18 | 000,030,000 | ---- | M] () -- C:\WINDOWS\system32\xss88fye.dll
    O2 - BHO: (C:\WINDOWS\system32\xss88fye.dll) - {A2BA40A0-74F1-52BD-F411-00B15A2C8953} - C:\WINDOWS\system32\xss88fye.dll ()
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {55FAF0F2-44D4-425F-B5F5-6B275B621EAB} - No CLSID value found.
    O4 - HKCU..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\Documents and Settings\Kevin\Local Settings\temp\system .exe ()
    O4 - HKCU..\Run: [hsf87sdhfush87fsufhuie3fddf] C:\Documents and Settings\Kevin\Local Settings\temp\D7QTJH .exe ()
    O4 - HKCU..\Run: [mcexecwin] C:\DOCUME~1\Kevin\LOCALS~1\Temp\q4488bzw.DLL File not found
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
    O22 - SharedTaskScheduler: {A2BA40A0-74F1-52BD-F411-00B15A2C8953} - kjsfi8sjefiuoshiefyhiusdhfdf - C:\WINDOWS\system32\xss88fye.dll ()
    37 - HKCU\...exe [@ = secfile] -- "C:\Documents and Settings\Kevin\Local Settings\Application Data\ave.exe" /START "%1" %* ()

    :processes
    killallprocesses


    :files
    C:\WINDOWS\System32\drivers\lqcgu.sys
    C:\Documents and Settings\Kevin\Local Settings\Application Data\45GGW
    C:\Documents and Settings\All Users\Application Data\45GGW
    C:\Documents and Settings\Kevin\Local Settings\Application Data\2933622510
    C:\Documents and Settings\All Users\Application Data\2933622510
    C:\WINDOWS\System32\xss88fye.dll
    C:\Documents and Settings\Kevin\Local Settings\Application Data\ave.exe
    C:\Documents and Settings\Kevin\Local Settings\temp\asd2.tmp.exe
    C:\Documents and Settings\Kevin\Local Settings\temp\system .exe
    C:\Documents and Settings\Kevin\Local Settings\temp\D7QTJH .exe
    At*.job

    :services
    lqcgu

    :Commands
    [RESETHOSTS]
    [CREATERESTOREPOINT]
  3. Push
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click .
  6. A report will open. Copy and Paste that report in your next reply.

2.
Please run New OTL scan and post those logs.


Things to include in your next reply:
OTL fix log
OTL.txt
Extra.txt
Can you now boot into Normal mode? Popups and redirects still there?




#13 OrFloB (Topic Starter)
Posted 28 April 2010 - 08:03 PM

Ran the fix, was requested to reboot, and upon rebooting:

"Choose the program you want to use to open this file: OTL.exe"
This is echoed when I try to open any .exe file. The log hasn't been created because the scan didn't fully complete (OTL.exe couldn't reopen after reboot).

Where should I go from here?

EDIT: After googling a bit, I was able to find a registry fix for the .exe association problem. I am now able to run OTL and have attached the log you requested (Extra.txt did not appear). I cannot include the OTL fix log, as mentioned previously; it was unable to complete because of the .exe problem.
System seems to be a bit more stable now, no XP Smart Security Popups at least. Firefox cannot display any pages (and starts in Offline mode?)

Attached Files

  • Attached File: OTL.Txt (136.42KB)

Edited by OrFloB, 28 April 2010 - 08:41 PM.


#14 fireman4it (Malware Response Team)
Posted 28 April 2010 - 08:41 PM

Hello,

I need to know what your machine is doing every time you post a log.
QUOTE
Can you now boot into Normal mode? Popups and redirects still there?



#15 OrFloB (Topic Starter)
Posted 28 April 2010 - 08:46 PM

Sorry - I edited that in at the last moment after re-reading your post.

QUOTE
System seems to be a bit more stable now, no XP Smart Security Popups at least. Firefox cannot display any pages (and starts in Offline mode?)


As for being able to start in normal mode, yes, I can now (it is not freezing up on using the keyboard anymore).

Thanks again,

Ryan.

Edited by OrFloB, 28 April 2010 - 08:47 PM.




