Infected by W32/Blaster


24 replies to this topic

#1 psRyan

Posted 06 September 2011 - 09:29 AM

My computer is infected.
A virus checker called Security Protection runs automatically. I have never seen it before.
I am not able to run most programs. I get a message that says they are infected by W32/Blaster worm. (i.e. RKill, DDS, GMER, Notepad, etc.)

I am able to run in Safe Mode and even then, the system is quite unstable.

When I run RKill, it says 'Access Denied' and appears to hang. I just leave the Command window open.

After multiple attempts, I was able to run DDS. The dds.txt file is below and I have attached the attach.txt.

I have tried multiple times to run GMER. It runs for about 30 seconds and then I get the blue screen. I was able to read PAGE_FAULT_IN_NONPAGED_AREA.

I have tried to update Malwarebytes, but am unable to update the virus definitions. I have checked the Proxy settings and they are fine.

I am also unable to update AVG virus definitions. I can run AVG in Safe Mode but it does not clean the infections.

I have downloaded and run Defogger.

Thank you for your help!

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.19088
Run by chris vargo at 18:01:16 on 2011-09-06
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.2037.1229 [GMT -7:00]
.
AV: AVG Anti-Virus Free *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files\Freedom Scientific\JAWS\12.0\fsATProxy.exe
C:\Users\chris vargo\Desktop\rkill.com
C:\Windows\system32\net.exe
C:\Windows\system32\net1.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://planetpalmsprings.com/
uDefault_Page_URL = hxxp://www.sony.com/vaiopeople
mDefault_Page_URL = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - No File
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Security Protection] c:\programdata\defender.exe
uRun: [Google Update] "c:\users\chris vargo\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [ISBMgr.exe] "c:\program files\sony\isb utility\ISBMgr.exe"
mRun: [AML] "c:\program files\sony\vaio av mode launcher\AML.exe" InitApp
mRun: [VAIO Center Access Bar] "c:\program files\sony\vaio center access bar\VCAB.exe"
mRun: [VAIOSecurity] "c:\program files\sony\vaio security center\VSC.exe" 1
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [SmartWiHelper] "c:\program files\sony corporation\smartwi connection utility\SmartWiHelper.exe" /WindowsStartup
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun
mRun: [VAIOCameraUtility] "c:\program files\sony\vaio camera utility\VCUServe.exe"
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Skytel] Skytel.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [compmgm] c:\windows\system32\config\systemprofile\appdata\local\compmgm.exe
mRun: [utilman] c:\windows\system32\config\systemprofile\appdata\local\utilman.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe.exe" /runcleanupscript
mRunOnce: [GrpConv] grpconv -o
dRun: [UYVCmBdwfK] c:\programdata\UYVCmBdwfK.exe
dRun: [QFHjnyOpVJm] c:\programdata\QFHjnyOpVJm.exe
dRun: [aAYlsTcGREvu] c:\programdata\aAYlsTcGREvu.exe
dRun: [AGlAyuQFiRVo] c:\programdata\AGlAyuQFiRVo.exe
dRun: [KkLVLHVFuGaOlb] c:\programdata\KkLVLHVFuGaOlb.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [1952046534] c:\windows\system32\config\systemprofile\appdata\local\qua.exe
dRunOnce: [kM06700FaEhP06700] c:\programdata\km06700faehp06700\kM06700FaEhP06700.exe
mPolicies-system: DisableCAD = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-explorer: HideSCAHealth = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: Transfer by Image Converter 3 - c:\program files\sony\image converter 3\menu.htm
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522}
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.22.0.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{3C78A294-619B-4FBF-ABE9-5373074D9864} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{90B80194-1F6A-4CF3-9B65-3A37CEA8764D} : DhcpNameServer = 209.18.47.61 209.18.47.62
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: igfxcui - igfxdev.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
Notify: VESWinlogon - VESWinlogon.dll
AppInit_DLLs: avgrsstx.dll
LSA: Notification Packages = scecli psqlpwd
Hosts: 95.64.61.141 www.google.com
Hosts: 95.64.61.142 www.bing.com
.
============= SERVICES / DRIVERS ===============
.
R0 BlackBox;BlackBox SR2;c:\windows\system32\drivers\BlackBox.sys [2011-8-16 35712]
R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [2007-6-26 14720]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-23 243152]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2011-8-16 18816]
R3 NETwLv32; Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETwLv32.sys [2010-10-31 6639616]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2007-6-26 33792]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-23 216400]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-23 29584]
S2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-16 308136]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Freedom Scientific Kernel Manager;Freedom Scientific Kernel Manager;c:\windows\system32\fsKMgr.dll [2011-8-10 20000]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-18 135664]
S2 MSSQL$VAIO_VEDB;SQL Server (VAIO_VEDB);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2010-12-10 29293408]
S2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.SYS [2007-9-27 5120]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]
S3 fsvidmir;fsvidmir;c:\windows\system32\drivers\fsvidmir.sys [2011-8-10 11808]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-12-18 135664]
S3 ICScsiSV;Image Converter SCSI Service;c:\program files\sony\image converter 3\ICScsiSV.exe [2007-7-17 75952]
S3 IcVzMonLauncher;IcVzMonLauncher;c:\program files\sony\image converter 3\IcVzMonLauncher.exe [2007-7-17 67760]
S3 JTVNCProxy_10.0;JTVNCProxy; [x]
S3 JTVNCProxy_11.0;JTVNCProxy_11.0;c:\program files\freedom scientific\jaws\11.0\JTVNCProxy.exe [2009-10-21 16152]
S3 JTVNCProxy_12.0;JTVNCProxy_12.0;c:\program files\freedom scientific\jaws\12.0\JTVNCProxy.exe [2011-1-20 16152]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2006-11-28 92288]
S3 PowerBrl;powerBraille System Driver;c:\windows\system32\drivers\powerbrl.sys [2011-1-20 14880]
S3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\system32\drivers\R5U870FLx86.sys [2007-6-26 75392]
S3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\system32\drivers\R5U870FUx86.sys [2007-6-26 43904]
S3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [2007-6-25 31104]
S3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;c:\program files\sony\vaio media integrated server\UCLS.exe [2007-7-17 745472]
S3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);c:\program files\sony\vaio media integrated server\platform\SV_Httpd.exe [2007-7-17 397312]
S3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);c:\program files\sony\vaio media integrated server\platform\UPnPFramework.exe [2007-7-17 1089536]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== File Associations ===============
.
.txt=
.
=============== Created Last 30 ================
.
2011-09-06 13:47:51 872876 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-09-06 13:41:35 0 ----a-w- c:\windows\system32\omrg.exe
2011-09-06 13:41:35 0 ----a-w- c:\windows\system32\nixw.exe
2011-09-06 13:41:35 0 ----a-w- c:\windows\system32\hcnu.exe
2011-09-06 13:41:35 0 ----a-w- c:\windows\system32\cltq.exe
2011-09-06 13:41:35 0 ----a-w- c:\programdata\wyom.exe
2011-09-06 13:41:35 0 ----a-w- c:\programdata\racq.exe
2011-09-06 13:41:35 0 ----a-w- c:\programdata\qoro.exe
2011-09-06 13:41:35 0 ----a-w- c:\programdata\jtsi.exe
2011-09-06 08:01:22 464384 ---ha-w- c:\programdata\KkLVLHVFuGaOlb.exe
2011-09-05 19:28:19 464384 ---ha-w- c:\programdata\AGlAyuQFiRVo.exe
2011-09-02 02:28:10 404480 ---ha-w- c:\programdata\aAYlsTcGREvu.exe
2011-08-19 22:18:30 -------- d--h--w- C:\System Repair
2011-08-19 22:18:09 312320 ---ha-w- c:\programdata\P1kAlMiG2Kb7Fz.exe
2011-08-19 21:58:13 391680 ---ha-w- c:\programdata\QFHjnyOpVJm.exe
2011-08-19 20:17:50 462848 ---ha-w- c:\programdata\UYVCmBdwfK.exe
2011-08-19 20:17:50 -------- d--h--w- c:\programdata\kM06700FaEhP06700
2011-08-16 23:42:04 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-08-16 20:24:01 53248 ---ha-w- c:\windows\system32\ciphecab.dll
2011-08-16 20:07:05 18816 ---h--w- c:\windows\system32\SAVRKBootTasks.sys
2011-08-16 18:34:14 -------- d--h--w- c:\program files\Sophos
2011-08-16 17:33:01 35712 ---ha-w- c:\windows\system32\drivers\BlackBox.sys
2011-08-16 10:01:15 -------- d--h--w- C:\def240b03d43ff29261d1ca289c2c1
2011-08-16 07:28:49 -------- d--h--w- c:\program files\Eusing Free Registry Cleaner
2011-08-16 07:23:48 438072330 ---ha-w- c:\windows\system32\HKCR.reg
2011-08-16 07:02:57 -------- d--h--w- c:\program files\Free Windows Registry Cleaner
2011-08-16 01:49:22 -------- d--h--w- c:\program files\Spybot - Search & Destroy(24)
2011-08-11 04:20:32 37144 ---ha-w- c:\windows\system32\drivers\fsbrldsp.sys
2011-08-11 03:54:34 98464 ---ha-w- c:\windows\system32\fsbrldspapi.dll
2011-08-11 02:20:10 11808 ---ha-w- c:\windows\system32\drivers\fsvidmir.sys
2011-08-11 02:19:44 119840 ---ha-w- c:\windows\system32\fsvidmir.dll
2011-08-11 02:18:56 24096 ---ha-w- c:\windows\system32\fskutil.dll
2011-08-11 02:18:30 20000 ---ha-w- c:\windows\system32\fsKMgr.dll
2011-08-11 02:17:20 108576 ---ha-w- c:\windows\system32\fsVidMag.dll
.
==================== Find3M ====================
.
2011-09-06 14:09:42 826880 ----a-w- c:\programdata\defender.exe
2011-09-06 05:07:38 831488 ---ha-w- c:\programdata\223F.tmp
2011-09-06 05:07:00 831488 ---ha-w- c:\programdata\1A91.tmp
2011-09-06 05:06:58 831488 ---ha-w- c:\programdata\8371.tmp
2011-09-06 04:32:13 831488 ---ha-w- c:\programdata\7C50.tmp
2011-09-06 03:56:12 831488 ---ha-w- c:\programdata\6A65.tmp
2011-09-06 03:55:28 831488 ---ha-w- c:\programdata\D2F7.tmp
2011-09-05 19:35:50 866304 ---ha-w- c:\programdata\2A3B.tmp
2011-09-02 03:20:37 830464 ---ha-w- c:\programdata\B911.tmp
2011-08-31 09:38:22 840192 ---ha-w- c:\programdata\B2CA.tmp
2011-08-31 09:19:20 842240 ---ha-w- c:\programdata\4E8C.tmp
2011-08-31 09:19:12 842240 ---ha-w- c:\programdata\F6BC.tmp
2011-08-27 20:48:06 813056 ---ha-w- c:\programdata\D7B8.tmp
2011-08-27 20:47:46 813056 ---ha-w- c:\programdata\21F6.tmp
2011-08-19 21:54:41 73 ---ha-w- c:\windows\system32\ssprs.dll
.
============= FINISH: 18:25:58.08 ===============

Edited by psRyan, 07 September 2011 - 09:26 AM.
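As an added example (my own code, not the thread's or the DDS tool's), a small Python triage over DDS-style report lines like those in the log above: it flags autoruns that launch from ProgramData or the SYSTEM profile's AppData, policy values that lock the user out of Task Manager and friends, Hosts entries that pin public domains to outside addresses, and zero-byte executables. The sample lines are copied from that log, and the rules and category names are my own heuristics, not anything DDS itself reports.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the DDS log posted above,
# interleaved with benign entries from the same log so some lines pass.
SAMPLE_DDS = r"""uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Security Protection] c:\programdata\defender.exe
uRun: [Google Update] "c:\users\chris vargo\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [compmgm] c:\windows\system32\config\systemprofile\appdata\local\compmgm.exe
dRun: [UYVCmBdwfK] c:\programdata\UYVCmBdwfK.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRunOnce: [kM06700FaEhP06700] c:\programdata\km06700faehp06700\kM06700FaEhP06700.exe
mPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
Hosts: 95.64.61.141 www.google.com
TCP: DhcpNameServer = 192.168.0.1
2011-09-06 13:41:35 0 ----a-w- c:\windows\system32\omrg.exe
2011-09-06 13:47:51 872876 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-08-19 22:18:30 -------- d--h--w- C:\System Repair
"""

# Line shapes DDS uses in the "Pseudo HJT Report" and "Created Last 30" sections.
RUN_RE = re.compile(r"^(?P<hive>[umd]Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
POLICY_RE = re.compile(r"^(?P<scope>[umd]Policies-\w+): (?P<key>\w+) = (?P<val>\d+)")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<host>\S+)$")
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?P<size>\d+|-+) (?P<attr>\S+) (?P<path>.+)$"
)
# First token ending in an executable extension, for unquoted command lines.
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|scr|dll))(?:\s|$)", re.IGNORECASE)

# Heuristic: autoruns living here deserve a look, since these are writable
# drop zones rather than directories installers normally put programs in.
SUSPICIOUS_DIRS = ("/programdata/", "/config/systemprofile/appdata/local/")
# Policy values rogue security software sets to lock the user out of recovery tools.
LOCKOUT_POLICIES = {"DisableTaskMgr", "DisableCAD", "DisableRegistryTools", "HideSCAHealth"}


@dataclass(frozen=True)
class Finding:
    kind: str      # "autorun", "policy", "hosts" or "zero_byte_exe"
    detail: str    # one-line explanation for the reviewer
    line: str      # the report line that triggered it


def _norm(path: str) -> str:
    """Lower-case and forward-slash a Windows path so substring checks are simple."""
    return path.lower().replace("\\", "/")


def _exe_path(cmd: str) -> str:
    """Extract the launched executable from a Run value (quoted or bare path plus args)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd


def triage(report: str) -> list[Finding]:
    """Walk DDS-style lines and return the indicators worth a helper's attention."""
    findings: list[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            exe = _norm(_exe_path(m["cmd"]))
            if any(d in exe for d in SUSPICIOUS_DIRS):
                findings.append(Finding("autorun", f"{m['hive']} [{m['name']}] launches from a data directory", line))
        elif m := POLICY_RE.match(line):
            if m["key"] in LOCKOUT_POLICIES and int(m["val"]) != 0:
                findings.append(Finding("policy", f"{m['key']} is set to {m['val']}", line))
        elif m := HOSTS_RE.match(line):
            # Any non-loopback pin of a hostname in the Hosts file is a redirect to check.
            if not m["ip"].startswith("127."):
                findings.append(Finding("hosts", f"{m['host']} pinned to {m['ip']}", line))
        elif m := CREATED_RE.match(line):
            # Zero-byte .exe files in system locations are typical of a dropper that
            # creates placeholders or of a cleanup that only truncated the payload.
            if m["size"].isdigit() and int(m["size"]) == 0 and _norm(m["path"]).endswith(".exe"):
                findings.append(Finding("zero_byte_exe", f"empty executable {m['path']}", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category, e.g. {'autorun': 4, 'policy': 1, ...}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.kind}] {f.detail}\n    {f.line}")
    print(summarize(triage(SAMPLE_DDS)))
```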


#2 psRyan

Posted 08 September 2011 - 12:23 AM

I tried running TDSSKiller and I was still not able to update Malwarebytes.

I forgot to mention that my Program list is empty.

#3 HelpBot

Posted 11 September 2011 - 09:30 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/417709 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 m0le

Posted 12 September 2011 - 05:48 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

I can see the infections quite easily. Trying to run tools on them without knowing what you're up against means that the rootkit which is conducting this attack is able to disable them as it goes.

Please run the following rootkit scanners

Please download aswMBR (511KB) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

And

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
m0le is a proud member of UNITE

#5 psRyan

Posted 12 September 2011 - 10:12 PM

I am here and will run the scans and reply with the logs. Thanks!

#6 psRyan

Posted 12 September 2011 - 10:22 PM

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-09-12 20:17:26
-----------------------------
20:17:26.438 OS Version: Windows 6.0.6001 Service Pack 1
20:17:26.438 Number of processors: 2 586 0xF02
20:17:26.438 ComputerName: CHRISVARGO-PC UserName: chris vargo
20:17:26.891 Initialize success
20:17:42.413 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
20:17:42.413 Disk 0 Vendor: TOSHIBA_MK1011GAH BK002A Size: 95396MB BusType: 3
20:17:42.413 Disk 1 \Device\Harddisk1\DR1 -> \Device\000000d4
20:17:42.428 Disk 1 Vendor: RICOH 01 Size: 95396MB BusType: 0
20:17:42.444 Disk 2 \Device\Harddisk2\DR2 -> \Device\000000dd
20:17:42.444 Disk 2 Vendor: RICOH 02 Size: 95396MB BusType: 0
20:17:44.487 Disk 0 MBR read successfully
20:17:44.487 Disk 0 MBR scan
20:17:44.487 Disk 0 Windows VISTA default MBR code
20:17:44.487 Disk 0 scanning sectors +195369520
20:17:44.597 Disk 0 scanning C:\Windows\system32\drivers
20:17:55.267 Service scanning
20:17:59.651 Modules scanning
20:18:04.409 Disk 0 trace - called modules:
20:18:04.455 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
20:18:04.455 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8717f030]
20:18:04.471 3 CLASSPNP.SYS[8a1b6745] -> nt!IofCallDriver -> [0x867e3348]
20:18:04.471 5 acpi.sys[848996a0] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x867e4030]
20:18:04.471 Scan finished successfully
20:18:56.388 Disk 0 MBR has been saved successfully to "C:\Users\chris vargo\Desktop\MBR.dat"
20:18:56.419 The log file has been saved successfully to "C:\Users\chris vargo\Desktop\aswMBR.txt"




MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows Vista Business Edition
Windows Information: Service Pack 1 (build 6001), 32-bit
Base Board Manufacturer: Sony Corporation
BIOS Manufacturer: Phoenix Technologies LTD
System Manufacturer: Sony Corporation
System Product Name: VGN-TZ170N
Logical Drives Mask: 0x0000007c

Kernel Drivers (total 102):

Processes (total 19):
0 System Idle Process
4 System
352 C:\Windows\System32\smss.exe
476 csrss.exe
512 csrss.exe
520 C:\Windows\System32\wininit.exe
564 C:\Windows\System32\winlogon.exe
584 C:\Windows\System32\services.exe
616 C:\Windows\System32\lsass.exe
624 C:\Windows\System32\lsm.exe
772 C:\Windows\System32\svchost.exe
832 C:\Windows\System32\svchost.exe
916 C:\Windows\System32\svchost.exe
940 C:\Windows\System32\svchost.exe
996 C:\Windows\System32\svchost.exe
1280 C:\Windows\explorer.exe
1320 C:\Program Files\Freedom Scientific\JAWS\12.0\fsATProxy.exe
620 C:\Windows\System32\svchost.exe
1180 C:\Users\chris vargo\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`f5400000 (NTFS)

PhysicalDrive0 Model Number: TOSHIBAMK1011GAH, Rev: BK002A

Size Device Name MBR Status
--------------------------------------------
93 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


Done!

#7 m0le

Posted 13 September 2011 - 01:56 PM

They are reading clean, so please run ComboFix next; if there's any sign of the Blaster worm, that should remove it.

Please download ComboFix from one of these locations.
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#8 psRyan

  • Topic Starter
  • Members
  • 14 posts

Posted 13 September 2011 - 11:09 PM

ComboFix ran successfully. My Program list is back.
When I click on Internet Explorer it says "Illegal operation attempted on a registry key that has been marked for deletion."
Same with MS Outlook, Word and when I clicked on Safely Remove Hardware to remove my flash drive.


ComboFix 11-09-13.04 - chris vargo 09/13/2011 19:59:24.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.2037.1540 [GMT -7:00]
Running from: c:\users\chris vargo\Desktop\comfix.exe
AV: AVG Anti-Virus Free *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\1A91.tmp
c:\programdata\21F6.tmp
c:\programdata\223F.tmp
c:\programdata\2A3B.tmp
c:\programdata\4E8C.tmp
c:\programdata\6A65.tmp
c:\programdata\7C50.tmp
c:\programdata\8371.tmp
c:\programdata\aAYlsTcGREvu.exe
c:\programdata\AGlAyuQFiRVo.exe
c:\programdata\B2CA.tmp
c:\programdata\B911.tmp
c:\programdata\D2F7.tmp
c:\programdata\D7B8.tmp
c:\programdata\defender.exe
c:\programdata\F6BC.tmp
c:\programdata\jtsi.exe
c:\programdata\KkLVLHVFuGaOlb.exe
c:\programdata\kM06700FaEhP06700
c:\programdata\kM06700FaEhP06700\kM06700FaEhP06700
c:\programdata\kM06700FaEhP06700\kM06700FaEhP06700.exe
c:\programdata\P1kAlMiG2Kb7Fz.exe
c:\programdata\QFHjnyOpVJm.exe
c:\programdata\qoro.exe
c:\programdata\racq.exe
c:\programdata\UYVCmBdwfK.exe
c:\programdata\wyom.exe
c:\users\chris vargo\AppData\Local\ApplicationHistory
c:\users\chris vargo\AppData\Local\ApplicationHistory\launch_AOL_MFU.exe.200ad36a.ini
c:\users\chris vargo\AppData\Local\ApplicationHistory\VAIO Status Monitor.exe.729efb2f.ini
c:\users\chris vargo\AppData\Roaming\Suziak
c:\users\chris vargo\AppData\Roaming\Suziak\peow.ahw
c:\users\chris vargo\Documents\~WRL3210.tmp
c:\users\chris vargo\g2mdlhlpx.exe
c:\users\Public\Desktop\Security Protection.lnk
c:\users\Public\Documents\s
c:\users\Public\Documents\win32.dll
c:\windows\expl.dat
c:\windows\SSCE5432.DLL
c:\windows\system32\cltq.exe
c:\windows\system32\comct332.ocx
c:\windows\system32\hcnu.exe
c:\windows\system32\nixw.exe
c:\windows\system32\omrg.exe
c:\windows\system32\ssprs.dll
c:\windows\system32\svch.dat
c:\windows\system32\winl.dat
.
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\comfix26312c\HarddiskVolumeShadowCopy8_!Windows!System32!winlogon.exe
.
c:\windows\system32\svchost.exe . . . is infected!! . . .Failed to restore. Attempting to replace on reboot
.
c:\windows\explorer.exe . . . is infected!! . . .Failed to restore. Attempting to replace on reboot
.
Infected copy of c:\windows\system32\svchost.exe was found and disinfected
Restored copy from - c:\comfix26312c\HarddiskVolumeShadowCopy8_!Windows!System32!svchost.exe
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\SoftwareDistribution\Download\bcfed137e95e2bc1b83ef80262a82b16\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\comfix26312c\HarddiskVolumeShadowCopy8_!Windows!System32!winlogon.exe
.
((((((((((((((((((((((((( Files Created from 2011-08-14 to 2011-09-14 )))))))))))))))))))))))))))))))
.
.
2011-09-14 03:09 . 2011-09-14 03:13 -------- d-----w- c:\users\chris vargo\AppData\Local\temp
2011-09-14 03:09 . 2011-09-14 03:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-09-14 02:45 . 2011-09-14 02:45 -------- d-----w- C:\comfix
2011-09-06 13:47 . 2011-09-07 04:15 872876 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-08-19 22:18 . 2011-08-19 22:18 -------- d-----w- C:\System Repair
2011-08-16 23:42 . 2011-07-06 14:56 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-08-16 20:24 . 2011-08-16 20:24 53248 ---ha-w- c:\windows\system32\ciphecab.dll
2011-08-16 20:07 . 2011-05-12 21:05 18816 ---h--w- c:\windows\system32\SAVRKBootTasks.sys
2011-08-16 18:34 . 2011-08-16 18:34 -------- d--h--w- c:\program files\Sophos
2011-08-16 17:33 . 2011-08-16 17:33 35712 ---ha-w- c:\windows\system32\drivers\BlackBox.sys
2011-08-16 10:01 . 2011-08-16 10:07 -------- d-----w- C:\def240b03d43ff29261d1ca289c2c1
2011-08-16 07:28 . 2011-08-16 07:36 -------- d--h--w- c:\program files\Eusing Free Registry Cleaner
2011-08-16 07:23 . 2011-08-16 07:24 438072330 ---ha-w- c:\windows\system32\HKCR.reg
2011-08-16 07:02 . 2011-08-16 07:02 -------- d--h--w- c:\program files\Free Windows Registry Cleaner
2011-08-16 01:49 . 2011-08-16 01:52 -------- d--h--w- c:\program files\Spybot - Search & Destroy(24)
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-11 04:20 . 2011-08-11 04:20 37144 ---ha-w- c:\windows\system32\drivers\fsbrldsp.sys
2011-08-11 03:54 . 2011-08-11 03:54 98464 ---ha-w- c:\windows\system32\fsbrldspapi.dll
2011-08-11 02:20 . 2011-08-11 02:20 11808 ---ha-w- c:\windows\system32\drivers\fsvidmir.sys
2011-08-11 02:19 . 2011-08-11 02:19 119840 ---ha-w- c:\windows\system32\fsvidmir.dll
2011-08-11 02:18 . 2011-08-11 02:18 24096 ---ha-w- c:\windows\system32\fskutil.dll
2011-08-11 02:18 . 2011-08-11 02:18 20000 ---ha-w- c:\windows\system32\fsKMgr.dll
2011-08-11 02:17 . 2011-08-11 02:17 108576 ---ha-w- c:\windows\system32\fsVidMag.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-01-05 20:41 2857984 ---ha-w- c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-01-05 20:41 2857984 ---ha-w- c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-03 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-22 4399104]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2007-04-17 321656]
"AML"="c:\program files\Sony\VAIO AV Mode Launcher\AML.exe" [2007-04-11 1241088]
"VAIO Center Access Bar"="c:\program files\sony\VAIO Center Access Bar\VCAB.exe" [2007-03-06 36864]
"VAIOSecurity"="c:\program files\Sony\VAIO Security Center\VSC.exe" [2007-03-14 2322432]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-01-05 49168]
"SmartWiHelper"="c:\program files\Sony Corporation\SmartWi Connection Utility\SmartWiHelper.exe" [2007-05-20 65536]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2007-01-14 520192]
"VAIOCameraUtility"="c:\program files\Sony\VAIO Camera Utility\VCUServe.exe" [2007-02-08 411768]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2006-11-09 118784]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2011-03-14 2071904]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"Skytel"="Skytel.exe" [2007-03-22 1822720]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-18 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-18 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-18 133656]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe.exe" [2009-09-10 1312080]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-01-05 20:28 90112 ---ha-w- c:\windows\System32\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2007-04-04 15:33 98304 ---ha-w- c:\windows\System32\VESWinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-02-04 22:18 267048 ---ha-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-08-03 17:50 68856 ---ha-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-19 135664]
R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-03-01 183560]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-19 135664]
R3 ICScsiSV;Image Converter SCSI Service;c:\program files\Sony\Image Converter 3\ICScsiSV.exe [2007-01-26 75952]
R3 IcVzMonLauncher;IcVzMonLauncher;c:\program files\Sony\Image Converter 3\IcVzMonLauncher.exe [2007-01-26 67760]
R3 JTVNCProxy_10.0;JTVNCProxy; [x]
R3 JTVNCProxy_11.0;JTVNCProxy_11.0;c:\program files\Freedom Scientific\JAWS\11.0\JTVNCProxy.exe [2009-10-22 16152]
R3 JTVNCProxy_12.0;JTVNCProxy_12.0;c:\program files\Freedom Scientific\JAWS\12.0\JTVNCProxy.exe [2011-01-21 16152]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\DB8F.tmp [x]
R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\DRIVERS\nwusbser2.sys [2006-11-28 92288]
R3 PowerBrl;powerBraille System Driver;c:\windows\system32\Drivers\powerbrl.sys [2011-01-21 14880]
R3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;c:\program files\Sony\VAIO Media Integrated Server\UCLS.exe [2007-01-10 745472]
R3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);c:\program files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe [2007-01-09 397312]
R3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);c:\program files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [2007-01-16 1089536]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 BlackBox;BlackBox SR2; [x]
S0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\DRIVERS\shpf.sys [2007-03-19 14720]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-07-16 216400]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2011-05-12 243152]
S1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2011-05-12 18816]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-07-16 308136]
S2 Freedom Scientific Kernel Manager;Freedom Scientific Kernel Manager;c:\windows\system32\fsKMgr.dll [2011-08-11 20000]
S2 MSSQL$VAIO_VEDB;SQL Server (VAIO_VEDB);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-11 29293408]
S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [2007-01-05 5120]
S3 fsvidmir;fsvidmir;c:\windows\system32\DRIVERS\fsvidmir.sys [2011-08-11 11808]
S3 NETwLv32; Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETwLv32.sys [2010-10-07 6639616]
S3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\system32\Drivers\R5U870FLx86.sys [2007-04-04 75392]
S3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\system32\Drivers\R5U870FUx86.sys [2007-04-04 43904]
S3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\DRIVERS\SonyImgF.sys [2007-04-05 31104]
S3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\DRIVERS\SonyPI.sys [2006-10-25 33792]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-09 c:\windows\Tasks\DriverCure.job
- c:\program files\ParetoLogic\DriverCure\DriverCure.exe [2009-08-07 19:36]
.
2011-09-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-03 18:45]
.
2011-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-19 01:39]
.
2011-09-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-19 01:39]
.
2011-09-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3058439592-1775151851-1966501762-1006Core.job
- c:\users\chris vargo\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-06 16:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://planetpalmsprings.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: Transfer by Image Converter 3 - c:\program files\Sony\Image Converter 3\menu.htm
TCP: DhcpNameServer = 192.168.0.1
.
.
------- File Associations -------
.
.txt=
.
- - - - ORPHANS REMOVED - - - -
.
HKU-Default-Run-UYVCmBdwfK - c:\programdata\UYVCmBdwfK.exe
HKU-Default-Run-QFHjnyOpVJm - c:\programdata\QFHjnyOpVJm.exe
HKU-Default-Run-aAYlsTcGREvu - c:\programdata\aAYlsTcGREvu.exe
HKU-Default-Run-AGlAyuQFiRVo - c:\programdata\AGlAyuQFiRVo.exe
HKU-Default-Run-KkLVLHVFuGaOlb - c:\programdata\KkLVLHVFuGaOlb.exe
HKU-Default-RunOnce-kM06700FaEhP06700 - c:\programdata\kM06700FaEhP06700\kM06700FaEhP06700.exe
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\DB8F.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(924)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
.
- - - - - - - > 'Explorer.exe'(5132)
c:\program files\Protector Suite QL\farchns.dll
c:\program files\Protector Suite QL\infra.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Protector Suite QL\upeksvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Microsoft\BingBar\SeaPort.EXE
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\system32\igfxext.exe
c:\program files\Sony\VAIO Update 3\VAIOUpdt.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\Sony\VAIO Event Service\VESMgrSub.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\System32\rundll32.exe
c:\program files\Sony\VAIO Power Management\OPT Drive Power Saving.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\WerCon.exe
c:\program files\Freedom Scientific\JAWS\12.0\fsATProxy.exe
c:\windows\system32\RacAgent.exe
.
**************************************************************************
.
Completion time: 2011-09-13 20:36:08 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-14 03:33
.
Pre-Run: 31,332,466,688 bytes free
Post-Run: 34,917,117,952 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - AC19784D88BECB7D4F9CC87AC5DFD128

#9 psRyan

  • Topic Starter
  • Members
  • 14 posts

Posted 13 September 2011 - 11:28 PM

More information: Although the Programs list is not empty, the majority of the program groups are.

#10 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 14 September 2011 - 05:38 PM

Please reboot. Combofix still has some things to do.

Let me know when you have.
m0le is a proud member of UNITE

#11 psRyan

  • Topic Starter
  • Members
  • 14 posts

Posted 14 September 2011 - 08:31 PM

I have rebooted. The program groups are not empty. I am able to run the programs that I was not able to before. The system is extremely slow!

#12 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 15 September 2011 - 04:32 PM

Please rerun Combofix. I need to see that there are no further system file infections.
m0le is a proud member of UNITE

#13 psRyan

  • Topic Starter
  • Members
  • 14 posts

Posted 16 September 2011 - 12:42 AM

ComboFix 11-09-15.05 - chris vargo 09/15/2011 17:55:56.1.2 - x86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.2037.912 [GMT -7:00]
Running from: c:\users\chris vargo\Desktop\comfix.exe
AV: AVG Anti-Virus Free *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\ssprs.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-08-16 to 2011-09-16 )))))))))))))))))))))))))))))))
.
.
2011-09-16 01:13 . 2011-09-16 01:14 -------- d-----w- c:\users\chris vargo\AppData\Local\temp
2011-09-16 01:13 . 2011-09-16 01:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-09-15 01:19 . 2011-09-15 01:19 -------- d-----w- c:\windows\system32\EventProviders
2011-09-14 02:45 . 2011-09-14 02:45 -------- d-----w- C:\comfix
2011-09-06 13:47 . 2011-09-07 04:15 872876 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-08-19 22:18 . 2011-08-19 22:18 -------- d-----w- C:\System Repair
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-14 04:18 . 2009-09-23 21:38 29712 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2011-08-16 20:24 . 2011-08-16 20:24 53248 ----a-w- c:\windows\system32\ciphecab.dll
2011-08-16 17:33 . 2011-08-16 17:33 35712 ----a-w- c:\windows\system32\drivers\BlackBox.sys
2011-08-16 07:24 . 2011-08-16 07:23 438072330 ----a-w- c:\windows\system32\HKCR.reg
2011-08-11 04:20 . 2011-08-11 04:20 37144 ----a-w- c:\windows\system32\drivers\fsbrldsp.sys
2011-08-11 03:54 . 2011-08-11 03:54 98464 ----a-w- c:\windows\system32\fsbrldspapi.dll
2011-08-11 02:20 . 2011-08-11 02:20 11808 ----a-w- c:\windows\system32\drivers\fsvidmir.sys
2011-08-11 02:19 . 2011-08-11 02:19 119840 ----a-w- c:\windows\system32\fsvidmir.dll
2011-08-11 02:18 . 2011-08-11 02:18 24096 ----a-w- c:\windows\system32\fskutil.dll
2011-08-11 02:18 . 2011-08-11 02:18 20000 ----a-w- c:\windows\system32\fsKMgr.dll
2011-08-11 02:17 . 2011-08-11 02:17 108576 ----a-w- c:\windows\system32\fsVidMag.dll
2011-07-06 14:56 . 2011-08-16 23:42 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-01-05 20:41 2857984 ----a-w- c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-01-05 20:41 2857984 ----a-w- c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-03 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-22 4399104]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2007-04-17 321656]
"AML"="c:\program files\Sony\VAIO AV Mode Launcher\AML.exe" [2007-04-11 1241088]
"VAIO Center Access Bar"="c:\program files\sony\VAIO Center Access Bar\VCAB.exe" [2007-03-06 36864]
"VAIOSecurity"="c:\program files\Sony\VAIO Security Center\VSC.exe" [2007-03-14 2322432]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-01-05 49168]
"SmartWiHelper"="c:\program files\Sony Corporation\SmartWi Connection Utility\SmartWiHelper.exe" [2007-05-20 65536]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2007-01-14 520192]
"VAIOCameraUtility"="c:\program files\Sony\VAIO Camera Utility\VCUServe.exe" [2007-02-08 411768]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2006-11-09 118784]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2011-09-14 2076512]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"Skytel"="Skytel.exe" [2007-03-22 1822720]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-18 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-18 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-18 133656]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe.exe" [2009-09-10 1312080]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-01-05 20:28 90112 ----a-w- c:\windows\System32\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2007-04-04 15:33 98304 ----a-w- c:\windows\System32\VESWinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-02-04 22:18 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-08-03 17:50 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-19 135664]
R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-03-01 183560]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-19 135664]
R3 ICScsiSV;Image Converter SCSI Service;c:\program files\Sony\Image Converter 3\ICScsiSV.exe [2007-01-26 75952]
R3 IcVzMonLauncher;IcVzMonLauncher;c:\program files\Sony\Image Converter 3\IcVzMonLauncher.exe [2007-01-26 67760]
R3 JTVNCProxy_10.0;JTVNCProxy; [x]
R3 JTVNCProxy_11.0;JTVNCProxy_11.0;c:\program files\Freedom Scientific\JAWS\11.0\JTVNCProxy.exe [2009-10-22 16152]
R3 JTVNCProxy_12.0;JTVNCProxy_12.0;c:\program files\Freedom Scientific\JAWS\12.0\JTVNCProxy.exe [2011-01-21 16152]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\DB8F.tmp [x]
R3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\DRIVERS\nwusbser2.sys [2006-11-28 92288]
R3 PowerBrl;powerBraille System Driver;c:\windows\system32\Drivers\powerbrl.sys [2011-01-21 14880]
R3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;c:\program files\Sony\VAIO Media Integrated Server\UCLS.exe [2007-01-10 745472]
R3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);c:\program files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe [2007-01-09 397312]
R3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);c:\program files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [2007-01-16 1089536]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 BlackBox;BlackBox SR2; [x]
S0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\DRIVERS\shpf.sys [2007-03-19 14720]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-07-16 216400]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2011-05-12 243152]
S1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2011-05-12 18816]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-07-16 308136]
S2 Freedom Scientific Kernel Manager;Freedom Scientific Kernel Manager;c:\windows\system32\fsKMgr.dll [2011-08-11 20000]
S2 MSSQL$VAIO_VEDB;SQL Server (VAIO_VEDB);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-11 29293408]
S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [2007-01-05 5120]
S3 fsvidmir;fsvidmir;c:\windows\system32\DRIVERS\fsvidmir.sys [2011-08-11 11808]
S3 NETwLv32; Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETwLv32.sys [2010-10-07 6639616]
S3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\system32\Drivers\R5U870FLx86.sys [2007-04-04 75392]
S3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\system32\Drivers\R5U870FUx86.sys [2007-04-04 43904]
S3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\DRIVERS\SonyImgF.sys [2007-04-05 31104]
S3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\DRIVERS\SonyPI.sys [2006-10-25 33792]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-09 c:\windows\Tasks\DriverCure.job
- c:\program files\ParetoLogic\DriverCure\DriverCure.exe [2009-08-07 19:36]
.
2011-09-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-03 18:45]
.
2011-09-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-19 01:39]
.
2011-09-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-19 01:39]
.
2011-09-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3058439592-1775151851-1966501762-1006Core.job
- c:\users\chris vargo\AppData\Local\Google\Update\GoogleUpdate.exe [2011-09-06 16:17]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://planetpalmsprings.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: Transfer by Image Converter 3 - c:\program files\Sony\Image Converter 3\menu.htm
TCP: DhcpNameServer = 192.168.0.1
.
.
------- File Associations -------
.
.txt=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-15 18:14
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\DB8F.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-09-15 18:23:24
ComboFix-quarantined-files.txt 2011-09-16 01:23
ComboFix2.txt 2011-09-14 03:36
.
Pre-Run: 37,583,785,984 bytes free
Post-Run: 37,488,668,672 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 3B88D71B06B2549F340298C23C6FBD4C

#14 psRyan

  • Topic Starter

  • Members
  • 14 posts

Posted 16 September 2011 - 12:44 AM

I'm going to a conference this weekend. Back on Sunday afternoon. Thanks so much for your help!

#15 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 17 September 2011 - 06:01 AM

Hope the conference went well. Please scan with ESET next.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Copy and paste the resulting log in your next reply.
If no log is generated that means nothing was found. Please let me know if this happens.



Now please scan with OTL

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

m0le is a proud member of UNITE
