
My Laptop has the deewoo virus can anyone help



gpcurran
2008-11-04, 16:41
Hi, my laptop has the deewoo virus.

I have tried running Windows in safe mode and deleting system32, but this did not fix the problem.

Here is the HijackThis scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:03:26, on 04/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Kenny\Application Data\Microsoft\Windows\lsass.exe
C:\windows\system32\jownw64s.exe
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files\sony\vaio update 2\VAIOUpdt.exe
C:\Program Files\sony\vaio power management\SPMgr.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\lcntpkdm.exe
C:\Program Files\drag'n drop cd+dvd\BinFiles\DragDrop.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\prun.exe
C:\WINDOWS\S2Vubnk\command.exe
C:\Documents and Settings\Kenny\Application Data\gadcom\gadcom.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.club-vaio.sony-europe.com/
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prun.exe"
O4 - HKLM\..\Run: [{7E-E3-37-77-DW}] C:\windows\system32\jownw64s.exe DWmmm01
O4 - HKLM\..\Run: [qqlydcuxngxviv] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\dgrrvpgnknvzy.dll"
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\sony\vaio power management\SPMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\lcntpkdm.exe DWmmm01
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\drag'n drop cd+dvd\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [84b7e3d8] rundll32.exe "C:\WINDOWS\system32\prefnobx.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prun.exe"
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Kenny\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Policies\Explorer\Run: [Lsass Service] C:\Documents and Settings\Kenny\Application Data\Microsoft\Windows\lsass.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jownw64s.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: RDPlatinum v5.lnk = C:\Program Files\Angle Interactive\RD Platinum v5.0\RDPlatinumv5.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O20 - AppInit_DLLs: ncuwsb.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\S2Vubnk\command.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\sony\vaio media music server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\sony\photo server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe

--
End of file - 11174 bytes

Thank you in advance for any help you can give, it is much appreciated.
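As an added example (not a tool from this thread or from Safer Networking), the following Python script parses O4, O20 and O23 lines in the HijackThis v2 format used in the log above and scores them with the kinds of signals a helper looks for: autostarts running from the user profile, core Windows binary names outside System32, services in non-standard folders under %WINDIR%, any AppInit_DLLs value, and machine-generated names. The sample log, the weights and the KNOWN_WINDIR_SUBDIRS and CORE_BINARIES lists are assumptions constructed for the example; triage(SAMPLE_LOG) returns the ranked findings.

```python
"""Heuristic triage of HijackThis v2 autostart entries (added example, not a tool
from this thread).  Weighted signals rank O4/O20/O23 lines for manual review;
the score is not a verdict, and some real infections still score low."""
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis v2.0.2 format: entries copied from the log
# above, plus known-good entries (iTunes, Symantec, ATI) for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prun.exe"
O4 - HKLM\..\Run: [qqlydcuxngxviv] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\dgrrvpgnknvzy.dll"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [84b7e3d8] rundll32.exe "C:\WINDOWS\system32\prefnobx.dll",b
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Kenny\Application Data\gadcom\gadcom.exe"
O4 - HKLM\..\Policies\Explorer\Run: [Lsass Service] C:\Documents and Settings\Kenny\Application Data\Microsoft\Windows\lsass.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jownw64s.exe
O20 - AppInit_DLLs: ncuwsb.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\S2Vubnk\command.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

O4_RUN = re.compile(r"^O4 - (?P<where>HK\S*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_LNK = re.compile(r"^O4 - (?P<where>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
O20 = re.compile(r"^O20 - AppInit_DLLs: (?P<cmd>.+)$")
O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
# Drive-rooted paths with an executable extension, quoted or not; unquoted
# paths containing spaces are common in these logs, so no whitespace splitting.
PATH_RE = re.compile(r'[a-z]:\\[^"]*?\.(?:exe|dll|sys|vbs|bat)\b', re.I)
# rundll32 "x.dll",b : a one- or two-letter export name is a classic adware loader pattern.
SHORT_EXPORT = re.compile(r'\.dll"?\s*,\s*\w{1,2}(?:\s|$)', re.I)
WINDIR_SUB = re.compile(r"^[a-z]:\\windows\\([^\\]+)\\", re.I)
KNOWN_WINDIR_SUBDIRS = {"system32", "system", "network diagnostic", "tasks", "fonts", "installer", "microsoft.net"}
# (S2Vubnk in the log above is base64 for "Kenny", the profile name: a per-victim folder.)
CORE_BINARIES = {"lsass.exe", "csrss.exe", "smss.exe", "svchost.exe", "services.exe", "winlogon.exe"}


@dataclass
class Finding:
    line: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, weight, reason):
        self.score += weight
        self.reasons.append(reason)


def looks_random(name):
    """Long hex, or 6+ consonants in a row in a 7+ char stem (wscntfy.exe trips it, hence the low weight)."""
    stem = re.sub(r"\.[a-z0-9]+$", "", name.lower())
    if re.fullmatch(r"[0-9a-f]{6,}", stem):
        return True
    return len(stem) >= 7 and re.search(r"[b-df-hj-np-tv-z]{6,}", stem) is not None


def score_files(f, cmd):
    """Apply the path-based signals to every executable named in a command."""
    for path in PATH_RE.findall(cmd) or cmd.split()[:1]:
        low = path.lower()
        base = low.rsplit("\\", 1)[-1]
        if "\\application data\\" in low or "\\local settings\\" in low:
            f.add(2, f"runs from the user profile: {path}")
        if base in CORE_BINARIES and "\\system32\\" not in low:
            f.add(3, f"core system binary name outside System32: {path}")
        m = WINDIR_SUB.match(low)
        if m and m.group(1) not in KNOWN_WINDIR_SUBDIRS:
            f.add(2, f"non-standard folder under %WINDIR%: {path}")
        if looks_random(base):
            f.add(1, f"random-looking file name: {base}")
    if SHORT_EXPORT.search(cmd):
        f.add(2, "rundll32 with a one-letter export name")


def triage(log):
    """Return findings with score > 0, highest score first."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        f = Finding(line)
        if m := (O4_RUN.match(line) or O4_LNK.match(line)):
            if looks_random(m["name"]):
                f.add(1, f"random-looking run key name: {m['name']}")
            if "policies\\explorer\\run" in m["where"].lower():
                f.add(1, "uses the Policies\\Explorer\\Run key")
            if m["where"].endswith("Startup") and "\\windows\\" in m["cmd"].lower():
                f.add(1, "Startup-folder shortcut targets a file under %WINDIR%")
            score_files(f, m["cmd"])
        elif m := O20.match(line):
            # Any AppInit_DLLs value on XP deserves a look: it is loaded into every process that maps user32.dll.
            f.add(3, f"AppInit_DLLs set: {m['cmd']}")
        elif m := O23.match(line):
            if m["owner"] == "Unknown owner":
                f.add(1, "service with unknown owner")  # weak: some OEM drivers too
            score_files(f, m["cmd"])
        if f.score:
            findings.append(f)
    return sorted(findings, key=lambda x: -x.score)
```

On the sample above the fake lsass.exe in the profile scores highest, the AppInit_DLLs entry, the rundll32 loader and the S2Vubnk service follow, and the legitimate iTunes, Symantec and prunnet entries score zero, which shows both what the heuristics catch and what still needs a second tool.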

ken545
2008-11-04, 18:55
Hello gpcurran

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your personal data before starting any clean up procedure.

system32 <-- If you delete this folder you will wind up reinstalling Windows. Please do not delete anything unless directed by this forum.

You have a handful of infections on this system, let's go get them.


This tool needs to be run from Safemode to be effective, so download it to your desktop, then boot to Safemode to run it.



To Enter Safemode

Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode
Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally, paste the contents of the Report.txt back on the forum with a new HijackThis log.

gpcurran
2008-11-05, 17:55
Thank you so much for your help; I have done what you said.

Here is the SDFix report:

SDFix: Version 1.239
Run by Administrator on 05/11/2008 at 16:15

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
cmdService
Network Monitor

Path :
C:\WINDOWS\S2Vubnk\command.exe
C:\Program Files\Network Monitor\netmon.exe service

cmdService - Deleted
Network Monitor - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\dgrrvpgnknvzy.dll - Deleted
C:\WINDOWS\system32\hhbzfsjzrligasp.exe - Deleted
C:\WINDOWS\S2Vubnk\asappsrv.dll - Deleted
C:\WINDOWS\S2Vubnk\command.exe - Deleted
C:\WINDOWS\S2Vubnk\mZpRvB4.vbs - Deleted
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt - Deleted
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\Program Files\Network Monitor\netmon.exe - Deleted
C:\WINDOWS\system32\atmtd.dll - Deleted
C:\WINDOWS\system32\atmtd.dll._ - Deleted
C:\WINDOWS\system32\msnav32.ax - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\system32\zxdnt3d.cfg - Deleted
C:\WINDOWS\uninstall_nmon.vbs - Deleted



Folder C:\Program Files\Network Monitor - Removed
Folder C:\Documents and Settings\LocalService\Application Data\NetMon - Removed
Folder C:\Temp\1cb - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-05 16:28:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 4 Nov 2008 60,928 A.SH. --- "C:\WINDOWS\system32\xxyXOihh.dll"
Tue 4 Nov 2008 60,928 A.SH. --- "C:\WINDOWS\system32\xxyywvVN.dll"
Tue 4 Nov 2008 65,024 ..SH. --- "C:\Documents and Settings\Kenny\Application Data\Microsoft\Windows\lsass.exe"
Wed 5 Nov 2008 20,992 ..SH. --- "C:\Documents and Settings\Kenny\Application Data\Microsoft\Windows\sys32.dll"

Finished!

And here is the new HijackThis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:37:14, on 05/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\prun.exe
C:\Program Files\sony\vaio update 2\VAIOUpdt.exe
C:\Program Files\sony\vaio power management\SPMgr.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
c:\windows\system32\dwwnw64r.exe
C:\Program Files\drag'n drop cd+dvd\BinFiles\DragDrop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Kenny\Application Data\gadcom\gadcom.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\lcntpkdm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.club-vaio.sony-europe.com/
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prun.exe"
O4 - HKLM\..\Run: [{7E-E3-37-77-DW}] c:\windows\system32\dwwnw64r.exe DWmmm01
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\sony\vaio power management\SPMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\drag'n drop cd+dvd\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prun.exe"
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Kenny\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\lcntpkdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\dwwnw64r.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O20 - AppInit_DLLs: wuwwsg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\sony\vaio media music server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\sony\photo server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe

--
End of file - 9856 bytes


Thanks again

ken545
2008-11-05, 18:14
Hello,

Good job but more to do.

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button. Your system may start up slower after running ATF Cleaner; this is expected but will be back to normal after the first or second boot up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized passwords and other personal information, as removing cookies will temporarily disable the auto-login facility.





Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

gpcurran
2008-11-06, 13:32
Thanks again for all your help

ComboFix 08-11-05.02 - Kenny 2008-11-06 11:16:00.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.229 [GMT 0:00]
Running from: c:\documents and settings\Kenny\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Kenny\LOCALS~1\Temp\prun.exe
c:\docume~1\Kenny\LOCALS~1\Temp\snapsnet.exe
c:\docume~1\Kenny\LOCALS~1\Temp\tmp1.tmp
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Kenny\Application Data\gadcom
c:\documents and settings\Kenny\Application Data\gadcom\gadcom.exe
c:\documents and settings\Kenny\Application Data\Microsoft\Windows\lsass.exe
c:\documents and settings\Kenny\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\Kenny\Start Menu\Programs\Startup\Deewoo.lnk
c:\documents and settings\Kenny\Start Menu\Programs\Startup\DW_Start.lnk
c:\windows\system32\ctdffqsu.dll
c:\windows\system32\dwwnw64r.exe
c:\windows\system32\efcDvuuS.dll
c:\windows\system32\gside.exe
c:\windows\system32\gsoummfn.ini
c:\windows\system32\hptyqeuk.dll
c:\windows\system32\hvdjsian.dll
c:\windows\system32\iidlnbnx.dll
c:\windows\system32\jownw64s.exe
c:\windows\system32\lcntpkdm.exe
c:\windows\system32\mcrh.tmp
c:\windows\system32\MSINET.oca
c:\windows\system32\msnav32.ax
c:\windows\system32\ncuwsb.dll
c:\windows\system32\nfmmuosg.dll
c:\windows\system32\nnnlklKc.dll
c:\windows\system32\rqRKEtRH.dll
c:\windows\system32\SuuvDcfe.ini
c:\windows\system32\SuuvDcfe.ini2
c:\windows\system32\tksjwbfc.dll
c:\windows\system32\uokaqj.dll
c:\windows\system32\winpfz33.sys
c:\windows\system32\wuwwsg.dll
c:\windows\system32\xbonferp.ini
c:\windows\system32\yrsgywvy.ini
c:\windows\system32\yvwygsry.dll
c:\windows\system32\zxdnt3d.cfg
c:\windows\Tasks\jktkxzqf.job

----- BITS: Possible infected sites -----

hxxp://kakoitodomen.com
.
((((((((((((((((((((((((( Files Created from 2008-10-06 to 2008-11-06 )))))))))))))))))))))))))))))))
.

2008-11-05 18:23 . 2008-11-06 10:09 77,895 --a------ c:\windows\system32\hhbzfsjzrligasp.exe
2008-11-05 16:46 . 2008-11-05 16:46 90,915 --a------ c:\windows\system32\zaugzscjqes.dll-uninst.exe
2008-11-05 16:18 . 2008-11-05 16:18 552 --a------ c:\windows\system32\d3d8caps.dat
2008-11-05 16:13 . 2008-11-05 16:13 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-11-05 16:07 . 2008-11-05 16:07 <DIR> d-------- c:\windows\ERUNT
2008-11-05 15:56 . 2008-11-05 16:34 <DIR> d-------- C:\SDFix
2008-11-05 14:38 . 2008-11-05 14:38 20,992 --ahs---- c:\windows\system32\c00762AC.mat
2008-11-04 14:48 . 2008-11-04 14:48 <DIR> d-------- c:\program files\Trend Micro
2008-11-04 13:48 . 2008-11-04 13:48 60,928 --ahs---- c:\windows\system32\xxyywvVN.dll
2008-11-04 13:46 . 2004-04-13 12:43 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2008-11-04 13:46 . 2004-04-15 01:22 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sony Corporation
2008-11-04 13:46 . 2008-11-04 13:46 <DIR> d-------- c:\documents and settings\Administrator
2008-11-04 13:19 . 2008-11-04 13:19 <DIR> d-------- C:\ProgramData
2008-11-04 13:19 . 2008-11-05 14:44 <DIR> d-------- c:\program files\Angle Interactive
2008-11-04 12:58 . 2008-11-04 12:58 153,484 --a------ c:\windows\system32\g20.exe
2008-11-04 12:49 . 2008-11-04 12:49 20,992 --ahs---- c:\windows\system32\c006634.mat
2008-11-04 12:46 . 2008-11-05 16:22 <DIR> d-------- c:\windows\S2Vubnk
2008-11-04 12:45 . 2008-11-04 12:46 <DIR> d-------- c:\windows\system32\tw32
2008-11-04 12:45 . 2008-11-04 12:45 <DIR> d-------- c:\windows\system32\rt
2008-11-04 12:45 . 2008-11-04 12:45 <DIR> d-------- c:\windows\system32\iNET
2008-11-04 12:45 . 2008-11-04 12:45 189,941 --a------ c:\temp\mdHP614.exe
2008-11-04 12:45 . 2008-11-04 12:45 60,928 --ahs---- c:\windows\system32\xxyXOihh.dll
2008-11-04 12:44 . 2008-11-04 12:44 <DIR> d-------- c:\windows\system32\QI19
2008-11-04 12:44 . 2008-11-04 12:45 <DIR> d-------- c:\temp\NT32
2008-11-04 12:44 . 2008-11-05 16:28 <DIR> d-------- C:\Temp
2008-11-04 12:44 . 2008-11-04 12:44 34,816 --a------ c:\windows\system32\prun.exe
2008-11-01 09:38 . 2008-11-01 09:38 178,176 --a------ c:\windows\system32\dgrrvpgnknvzy.dll
2008-11-01 06:28 . 2008-11-01 06:28 268 --ah----- C:\sqmdata10.sqm
2008-11-01 06:28 . 2008-11-01 06:28 244 --ah----- C:\sqmnoopt10.sqm
2008-10-31 21:46 . 2008-10-31 21:46 268 --ah----- C:\sqmdata09.sqm
2008-10-31 21:46 . 2008-10-31 21:46 244 --ah----- C:\sqmnoopt09.sqm
2008-10-31 12:38 . 2008-10-31 12:38 268 --ah----- C:\sqmdata08.sqm
2008-10-31 12:38 . 2008-10-31 12:38 244 --ah----- C:\sqmnoopt08.sqm
2008-10-30 23:19 . 2008-10-30 23:19 268 --ah----- C:\sqmdata07.sqm
2008-10-30 23:19 . 2008-10-30 23:19 244 --ah----- C:\sqmnoopt07.sqm
2008-10-30 20:38 . 2008-10-30 20:38 268 --ah----- C:\sqmdata06.sqm
2008-10-30 20:38 . 2008-10-30 20:38 244 --ah----- C:\sqmnoopt06.sqm
2008-10-30 19:09 . 2008-10-30 19:09 268 --ah----- C:\sqmdata05.sqm
2008-10-30 19:09 . 2008-10-30 19:09 244 --ah----- C:\sqmnoopt05.sqm
2008-10-30 14:31 . 2008-10-30 14:31 268 --ah----- C:\sqmdata04.sqm
2008-10-30 14:31 . 2008-10-30 14:31 244 --ah----- C:\sqmnoopt04.sqm
2008-10-29 22:45 . 2008-10-29 22:45 268 --ah----- C:\sqmdata03.sqm
2008-10-29 22:45 . 2008-10-29 22:45 244 --ah----- C:\sqmnoopt03.sqm
2008-10-29 18:00 . 2008-10-29 18:00 268 --ah----- C:\sqmdata02.sqm
2008-10-29 18:00 . 2008-10-29 18:00 244 --ah----- C:\sqmnoopt02.sqm
2008-10-29 17:09 . 2008-10-29 17:09 268 --ah----- C:\sqmdata01.sqm
2008-10-29 17:09 . 2008-10-29 17:09 244 --ah----- C:\sqmnoopt01.sqm
2008-10-28 22:05 . 2008-10-28 22:05 268 --ah----- C:\sqmdata00.sqm
2008-10-28 22:05 . 2008-10-28 22:05 244 --ah----- C:\sqmnoopt00.sqm
2008-10-24 08:56 . 2008-10-15 16:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-20 13:36 . 2007-07-30 18:19 271,224 --a------ c:\windows\system32\mucltui.dll
2008-10-20 13:36 . 2007-07-30 18:19 207,736 --a------ c:\windows\system32\muweb.dll
2008-10-20 13:36 . 2007-07-30 18:19 30,072 --a------ c:\windows\system32\mucltui.dll.mui
2008-10-19 22:23 . 2008-10-19 22:26 <DIR> d-------- c:\program files\Windows Live Toolbar
2008-10-19 22:22 . 2008-10-19 22:22 <DIR> d-------- c:\program files\Windows Live Favorites
2008-10-19 22:19 . 2008-11-03 23:35 <DIR> d-------- c:\documents and settings\Kenny\Contacts
2008-10-19 22:04 . 2008-10-19 22:12 <DIR> d--hsc--- c:\program files\Common Files\WindowsLiveInstaller
2008-10-19 22:03 . 2008-10-19 22:16 <DIR> d-------- c:\program files\Windows Live
2008-10-19 22:03 . 2008-10-19 22:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\WLInstaller
2008-10-19 21:41 . 2008-10-19 21:41 <DIR> d-------- c:\documents and settings\Kenny\Application Data\Apple Computer
2008-10-19 21:40 . 2008-04-17 12:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-10-19 21:40 . 2008-04-17 12:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-10-19 21:39 . 2008-10-19 21:40 <DIR> d-------- c:\program files\iTunes
2008-10-19 21:39 . 2008-10-19 21:39 <DIR> d-------- c:\program files\iPod
2008-10-19 21:39 . 2008-10-19 21:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-19 21:37 . 2008-10-19 21:38 <DIR> d-------- c:\program files\QuickTime
2008-10-19 21:37 . 2008-10-19 21:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-19 21:35 . 2008-10-19 21:35 <DIR> d-------- c:\program files\Apple Software Update
2008-10-19 21:34 . 2008-10-19 22:17 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-10-19 21:34 . 2008-09-08 10:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-10-19 21:34 . 2008-06-13 11:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-10-19 21:33 . 2008-10-19 21:37 <DIR> d-------- c:\program files\Common Files\Apple
2008-10-19 21:33 . 2008-10-19 21:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-10-19 21:33 . 2008-09-15 12:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-10-19 21:32 . 2008-08-14 10:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-19 21:32 . 2008-08-14 10:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-19 21:32 . 2008-08-14 09:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-19 21:32 . 2008-08-14 09:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-19 21:32 . 2008-05-08 14:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2008-10-19 21:31 . 2008-05-01 14:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2008-10-19 21:30 . 2008-04-11 19:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2008-10-19 21:14 . 2008-10-19 21:14 <DIR> d-------- c:\windows\system32\scripting
2008-10-19 21:14 . 2008-10-19 21:14 <DIR> d-------- c:\windows\system32\en
2008-10-19 21:14 . 2008-10-19 21:14 <DIR> d-------- c:\windows\l2schemas
2008-10-19 20:33 . 2008-04-14 00:12 774,144 -----c--- c:\windows\system32\dllcache\setup_wm.exe
2008-10-19 20:32 . 2008-04-14 00:12 1,306,624 --a------ c:\windows\system32\msxml6.dll
2008-10-19 20:31 . 2008-04-14 00:10 844,314 -----c--- c:\windows\system32\dllcache\msdxm.ocx
2008-10-19 20:30 . 2008-04-14 00:12 695,808 -----c--- c:\windows\system32\dllcache\drmv2clt.dll
2008-10-19 20:29 . 2008-04-14 00:11 286,720 -----c--- c:\windows\system32\dllcache\blackbox.dll
2008-10-19 20:29 . 2008-04-14 00:11 233,472 --a------ c:\windows\system32\azroles.dll
2008-10-19 20:29 . 2008-04-13 17:28 184,959 -----c--- c:\windows\system32\dllcache\compact.wmz
2008-10-19 20:29 . 2008-04-14 00:11 159,232 -----c--- c:\windows\system32\dllcache\cewmdm.dll
2008-10-19 20:29 . 2008-04-14 00:11 136,192 --a------ c:\windows\system32\aaclient.dll
2008-10-19 20:29 . 2008-04-13 17:23 8,192 -----c--- c:\windows\system32\dllcache\asferror.dll
2008-10-19 20:29 . 2008-04-14 00:11 7,168 --a------ c:\windows\system32\bitsprx4.dll
2008-10-19 20:29 . 2003-03-31 12:00 999 -----c--- c:\windows\system32\dllcache\bktrh.gif
2008-10-19 20:29 . 2003-03-31 12:00 773 -----c--- c:\windows\system32\dllcache\cnth.gif
2008-10-19 20:29 . 2003-03-31 12:00 773 -----c--- c:\windows\system32\dllcache\cnt.gif
2008-10-19 20:29 . 2003-03-31 12:00 772 -----c--- c:\windows\system32\dllcache\cntd.gif
2008-10-19 20:29 . 2003-03-31 12:00 760 -----c--- c:\windows\system32\dllcache\cloapph.gif
2008-10-19 20:29 . 2003-03-31 12:00 717 -----c--- c:\windows\system32\dllcache\cloapp.gif
2008-10-19 18:19 . 2008-10-19 18:19 <DIR> d-------- c:\windows\provisioning
2008-10-19 18:19 . 2008-10-19 21:14 <DIR> d-------- c:\windows\peernet
2008-10-19 18:13 . 2008-10-19 18:13 <DIR> d-------- c:\windows\ServicePackFiles
2008-10-19 17:57 . 2008-10-19 20:49 <DIR> d-------- c:\windows\EHome
2008-10-19 17:40 . 2002-04-15 20:11 67,866 --a------ c:\windows\system32\drivers\netwlan5.img
2008-10-19 17:40 . 2008-04-14 04:42 11,264 --a------ c:\windows\system32\spnpinst.exe
2008-10-19 17:40 . 2004-08-02 13:20 7,208 --a------ c:\windows\system32\secupd.sig
2008-10-19 17:40 . 2004-08-02 13:20 4,569 --a------ c:\windows\system32\secupd.dat
2008-10-19 16:47 . 2008-04-14 00:11 40,960 --a------ c:\windows\system32\mf3216.dll
2008-10-19 16:46 . 2008-04-14 00:12 1,287,168 --a------ c:\windows\system32\ole32.dll
2008-10-19 16:46 . 2008-04-14 00:11 1,267,200 --a------ c:\windows\system32\comsvcs.dll
2008-10-19 16:46 . 2008-04-14 00:11 625,664 --a------ c:\windows\system32\catsrvut.dll
2008-10-19 16:46 . 2008-04-14 00:12 584,704 --a------ c:\windows\system32\rpcrt4.dll
2008-10-19 16:46 . 2008-04-14 00:11 498,688 --a------ c:\windows\system32\clbcatq.dll
2008-10-19 16:46 . 2008-04-14 00:12 399,360 --a------ c:\windows\system32\rpcss.dll
2008-10-19 16:46 . 2008-07-07 20:26 253,952 --a------ c:\windows\system32\es.dll
2008-10-19 16:46 . 2008-04-14 00:11 226,304 --a------ c:\windows\system32\catsrv.dll
2008-10-19 16:46 . 2008-04-14 00:12 74,752 --a------ c:\windows\system32\olecli32.dll
2008-10-19 16:46 . 2008-04-14 00:11 60,416 --a------ c:\windows\system32\colbact.dll
2008-10-19 16:44 . 2008-04-13 17:39 2,897,920 --a------ c:\windows\system32\xpsp2res.dll
2008-10-19 16:43 . 2008-04-14 00:12 28,672 --a------ c:\windows\system32\verclsid.exe
2008-10-19 16:22 . 2008-04-14 00:11 1,082,368 --a------ c:\windows\system32\esent.dll
2008-10-19 16:09 . 2008-04-14 00:12 1,104,896 --a------ c:\windows\system32\msxml3.dll
2008-10-19 16:07 . 2008-04-14 00:12 57,856 --a------ c:\windows\system32\spoolsv.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-06 10:07 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-06 18:45 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-06 18:44 --------- d-----w c:\program files\sony
2008-10-06 18:43 --------- d-----w c:\documents and settings\All Users\Application Data\Sony Corporation
2008-10-06 18:42 --------- d-----w c:\program files\Common Files\Sony Shared
2008-10-06 18:26 --------- d-----w c:\program files\Common Files\Adobe
2008-10-06 18:18 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-06 18:13 --------- d-----w c:\program files\InterVideo
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w c:\windows\system32\drivers\srv.sys
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-14 10:11 2,189,184 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2909ae9f-ee0c-6e8e-6289-705b01cefd04}]
2008-07-03 15:49 364544 --a------ c:\windows\system32\zaugzscjqes.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D3DB4DF-2857-5B54-AA2E-FFB0EEC48B18}]
2008-11-01 09:38 178176 --a------ c:\windows\system32\dgrrvpgnknvzy.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"prunnet"="c:\windows\system32\prun.exe" [2008-11-04 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"prunnet"="c:\windows\system32\prun.exe" [2008-11-04 34816]
"VAIO Update 2"="c:\program files\sony\vaio update 2\VAIOUpdt.exe" [2004-01-17 135168]
"URLLSTCK.exe"="c:\program files\Norton Internet Security\UrlLstCk.exe" [2003-09-06 70840]
"SonyPowerCfg"="c:\program files\sony\vaio power management\SPMgr.exe" [2003-12-11 167936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"IS CfgWiz"="c:\program files\Common Files\Symantec Shared\cfgwiz.exe" [2003-08-20 124096]
"HKSERV.EXE"="c:\program files\Sony\HotKey Utility\HKserv.exe" [2004-02-12 98304]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"Drag'n Drop CD+DVD"="c:\program files\drag'n drop cd+dvd\BinFiles\DragDrop.exe" [2004-02-02 1183744]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2003-09-06 70816]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-30 335872]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-07 114688]
"qqlydcuxngxviv"="c:\windows\system32\dgrrvpgnknvzy.dll" [2008-11-01 178176]
"Mouse Suite 98 Daemon"="ICO.EXE" [2002-03-14 c:\windows\system32\ico.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-07-30 217195]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-10-06 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\c006634]
2008-11-04 12:49 20992 c:\windows\system32\c006634.mat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=uokaqj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= c:\progra~1\COMMON~1\SONYSH~1\videolib\sonydv.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

.
Contents of the 'Scheduled Tasks' folder

2008-10-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-06 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]

2004-04-13 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-08-13 17:38]
.
- - - - ORPHANS REMOVED - - - -

BHO-{D3ED8EE7-E2ED-4327-A219-12BA9C19799A} - c:\windows\system32\efcDvuuS.dll
BHO-{f2c8c2c6-ae7c-45bc-9810-b5716d547099} - c:\windows\system32\uokaqj.dll
HKLM-Run-{7E-E3-37-77-DW} - c:\windows\system32\jownw64s.exe
HKLM-Run-84b7e3d8 - c:\windows\system32\yvwygsry.dll
Notify-sys32 - sys32.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.club-vaio.sony-europe.com/
O8 -: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
O8 -: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
O8 -: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 -: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 -: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
O8 -: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 -: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
O15 -: Trusted Zone: *.sony-europe.com
O15 -: Trusted Zone: *.sonystyle-europe.com
O15 -: Trusted Zone: *.vaio-link.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-06 11:34:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\system32\winlogon.exe
-> c:\windows\system32\Ati2evxx.dll
-> c:\windows\system32\c006634.mat

PROCESS: c:\windows\explorer.exe
-> c:\windows\system32\c006634.mat
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\system32\rundll32.exe
c:\program files\sony\HotKey Utility\HKWnd.exe
c:\program files\Apoint\ApntEx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\regsvr32.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
.
**************************************************************************
.
Completion time: 2008-11-06 11:45:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-06 11:45:13

Pre-Run: 11,645,702,144 bytes free
Post-Run: 11,624,845,312 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

320 --- E O F --- 2008-10-24 09:09:57

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31:46, on 06/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\prun.exe
C:\Program Files\sony\vaio update 2\VAIOUpdt.exe
C:\Program Files\sony\vaio power management\SPMgr.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\drag'n drop cd+dvd\BinFiles\DragDrop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.club-vaio.sony-europe.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: mysidesearch search enhancer - {2909ae9f-ee0c-6e8e-6289-705b01cefd04} - C:\WINDOWS\system32\zaugzscjqes.dll
O2 - BHO: agadoo browser enhancer - {6D3DB4DF-2857-5B54-AA2E-FFB0EEC48B18} - C:\WINDOWS\system32\dgrrvpgnknvzy.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prun.exe"
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\sony\vaio power management\SPMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\drag'n drop cd+dvd\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [qqlydcuxngxviv] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\dgrrvpgnknvzy.dll"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prun.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O20 - AppInit_DLLs: uokaqj.dll
O20 - Winlogon Notify: c006634 - C:\WINDOWS\SYSTEM32\c006634.mat
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\sony\vaio media music server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\sony\photo server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe

--
End of file - 10163 bytes

Thanks

ken545
2008-11-06, 14:14
Hello,

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::




File::
c:\windows\system32\hhbzfsjzrligasp.exe
c:\windows\system32\zaugzscjqes.dll
c:\windows\system32\xxyywvVN.dll
c:\windows\system32\prun.exe
c:\windows\system32\dgrrvpgnknvzy.dll
C:\sqmdata10.sqm
C:\sqmnoopt10.sqm
C:\sqmdata09.sqm
C:\sqmnoopt09.sqm
C:\sqmdata08.sqm
C:\sqmnoopt08.sqm
C:\sqmdata07.sqm
C:\sqmnoopt07.sqm
C:\sqmdata06.sqm
C:\sqmnoopt06.sqm
C:\sqmdata05.sqm
C:\sqmnoopt05.sqm
C:\sqmdata04.sqm
C:\sqmnoopt04.sqm
C:\sqmdata03.sqm
C:\sqmnoopt03.sqm
C:\sqmdata02.sqm
C:\sqmnoopt02.sqm
C:\sqmdata01.sqm
C:\sqmnoopt01.sqm
C:\sqmdata00.sqm
C:\sqmnoopt00.sqm

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2909ae9f-ee0c-6e8e-6289-705b01cefd04}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D3DB4DF-2857-5B54-AA2E-FFB0EEC48B18}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"prunnet"=-
"qqlydcuxngxviv"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\c006634]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-



Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
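
Added example, not from this thread and not ComboFix's or HijackThis's own code: a Python script that parses the O2/O4/O20 loading points out of a HijackThis log, checks them against the files ComboFix already reported under "Other Deletions" (so an AppInit_DLLs value still naming the removed uokaqj.dll shows up as dangling) and against the names the helper flagged, then emits a CFScript in the File::/Registry:: form used above. The sample log lines, the deleted-file list and the flagged names are constructed from this thread; the regular expressions and the regsvr32 path heuristic are my assumptions about the log format.

```python
import ntpath
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample in the shape of the HijackThis log above: the loading
# points the helper's CFScript targeted plus two benign entries. Not the full log.
SAMPLE_HJT_LOG = r"""
O2 - BHO: mysidesearch search enhancer - {2909ae9f-ee0c-6e8e-6289-705b01cefd04} - C:\WINDOWS\system32\zaugzscjqes.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prun.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [qqlydcuxngxviv] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\dgrrvpgnknvzy.dll"
O20 - AppInit_DLLs: uokaqj.dll
O20 - Winlogon Notify: c006634 - C:\WINDOWS\SYSTEM32\c006634.mat
"""
# Files the first ComboFix run listed under "Other Deletions" (from the log above);
# the registry still names uokaqj.dll even though the file is gone.
COMBOFIX_DELETED = [r"c:\windows\system32\uokaqj.dll", r"c:\windows\system32\efcDvuuS.dll"]
# The helper's judgement call, supplied by hand here rather than derived.
ANALYST_FLAGGED = ["zaugzscjqes.dll", "prun.exe", "dgrrvpgnknvzy.dll", "c006634.mat"]

class LoadPoint(NamedTuple):
    kind: str             # "O2" (BHO), "O4" (Run value), "O20" (AppInit / Winlogon Notify)
    name: str             # BHO title, Run value name, "AppInit_DLLs", or notify subkey
    hive: Optional[str]   # "HKLM" / "HKCU" for O4 entries
    clsid: Optional[str]  # BHO CLSID for O2 entries
    path: str             # file the entry loads, as written in the log

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<path>.+)$")
O20_NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")

def _target_of(cmd: str) -> str:
    """File an O4 command really loads: last quoted path (regsvr32 /s "x.dll"), else first token."""
    quoted = re.findall(r'"([^"]+)"', cmd)
    return quoted[-1] if quoted else cmd.split()[0]

def parse_hjt(text: str) -> List[LoadPoint]:
    """Pull the O2/O4/O20 loading points out of a HijackThis log; other lines are skipped."""
    points: List[LoadPoint] = []
    for line in text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            points.append(LoadPoint("O2", m["name"], None, m["clsid"], m["path"]))
        elif m := O4_RE.match(line):
            points.append(LoadPoint("O4", m["name"], m["hive"], None, _target_of(m["cmd"])))
        elif m := O20_APPINIT_RE.match(line):
            points.append(LoadPoint("O20", "AppInit_DLLs", None, None, m["path"]))
        elif m := O20_NOTIFY_RE.match(line):
            points.append(LoadPoint("O20", m["name"], None, None, m["path"]))
    return points

def select_entries(points, combofix_deleted, analyst_flagged) -> List[Tuple[str, LoadPoint]]:
    """Pair each entry worth scripting with its reason: the file is already gone
    (ComboFix deleted it, so the loading point dangles) or the analyst flagged it."""
    deleted = {ntpath.basename(p).lower() for p in combofix_deleted}
    flagged = {ntpath.basename(p).lower() for p in analyst_flagged}
    chosen = []
    for p in points:
        base = ntpath.basename(p.path).lower()
        if base in deleted:
            chosen.append(("dangling: file already deleted by ComboFix", p))
        elif base in flagged:
            chosen.append(("flagged by analyst", p))
    return chosen

RUN_KEY = {"HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
           "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}
WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"  # ComboFix's shorthand, as in the thread

def build_cfscript(chosen) -> str:
    """Emit the File::/Registry:: text ComboFix reads: [-key] deletes a key,
    "value"=- deletes a value, and File:: must be the very first line."""
    files: List[str] = []
    reg: Dict[str, List[str]] = {}  # key header -> value lines, insertion order kept
    for _reason, p in chosen:
        if p.kind == "O2":
            reg.setdefault(f"[-{BHO_KEY}\\{p.clsid}]", [])
            files.append(p.path)
        elif p.kind == "O4":
            reg.setdefault(f"[{RUN_KEY[p.hive]}]", []).append(f'"{p.name}"=-')
            files.append(p.path)
        elif p.name == "AppInit_DLLs":  # bare file name, nothing to queue under File::
            reg.setdefault(f"[{WINDOWS_KEY}]", []).append('"AppInit_DLLs"=-')
        else:  # Winlogon Notify subkey
            reg.setdefault(f"[-{NOTIFY_KEY}\\{p.name}]", [])
            files.append(p.path)
    lines = ["File::", *dict.fromkeys(files), "", "Registry::"]
    for key, values in reg.items():
        lines.append(key)
        lines.extend(values)
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(build_cfscript(select_entries(parse_hjt(SAMPLE_HJT_LOG), COMBOFIX_DELETED, ANALYST_FLAGGED)))
```

The Google Toolbar and ccApp entries are parsed but never selected, which is the point: the script only touches what the deletion list or the analyst names, and the reason for each choice is kept alongside the entry.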

gpcurran
2008-11-06, 14:35
I tried doing that but I'm getting an error message saying:

windows cannot find 'CF217.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the start button, ans then click search.

thanks

ken545
2008-11-06, 15:11
Drag ComboFix to the trash and grab a fresh copy, as it's updated on a regular basis. Then run the script again; make sure you save it in Notepad as CFScript.


Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

gpcurran
2008-11-07, 12:20
Thank you again for all your help. The million and one pop-ups have now stopped. This is the log for ComboFix:

ComboFix 08-11-05.02 - Administrator 2008-11-07 11:07:51.3 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.307 [GMT 0:00]
Running from: c:\documents and settings\Kenny\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kenny\Desktop\CFScript.txt

FILE ::
C:\sqmdata00.sqm
C:\sqmdata01.sqm
C:\sqmdata02.sqm
C:\sqmdata03.sqm
C:\sqmdata04.sqm
C:\sqmdata05.sqm
C:\sqmdata06.sqm
C:\sqmdata07.sqm
C:\sqmdata08.sqm
C:\sqmdata09.sqm
C:\sqmdata10.sqm
C:\sqmnoopt00.sqm
C:\sqmnoopt01.sqm
C:\sqmnoopt02.sqm
C:\sqmnoopt03.sqm
C:\sqmnoopt04.sqm
C:\sqmnoopt05.sqm
C:\sqmnoopt06.sqm
C:\sqmnoopt07.sqm
C:\sqmnoopt08.sqm
C:\sqmnoopt09.sqm
C:\sqmnoopt10.sqm
c:\windows\system32\dgrrvpgnknvzy.dll
c:\windows\system32\hhbzfsjzrligasp.exe
c:\windows\system32\prun.exe
c:\windows\system32\xxyywvVN.dll
c:\windows\system32\zaugzscjqes.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\sqmnoopt06.sqm
C:\sqmnoopt07.sqm
C:\sqmnoopt08.sqm
C:\sqmnoopt09.sqm
C:\sqmnoopt10.sqm
c:\windows\system32\dgrrvpgnknvzy.dll
c:\windows\system32\hhbzfsjzrligasp.exe
c:\windows\system32\prun.exe
c:\windows\system32\xxyywvVN.dll
c:\windows\system32\zaugzscjqes.dll

.
((((((((((((((((((((((((( Files Created from 2008-10-07 to 2008-11-07 )))))))))))))))))))))))))))))))
.

2008-11-05 16:46 . 2008-11-05 16:46 90,915 --a------ c:\windows\system32\zaugzscjqes.dll-uninst.exe
2008-11-05 16:18 . 2008-11-05 16:18 552 --a------ c:\windows\system32\d3d8caps.dat
2008-11-05 16:13 . 2008-11-05 16:13 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-11-05 16:07 . 2008-11-05 16:07 <DIR> d-------- c:\windows\ERUNT
2008-11-05 15:56 . 2008-11-05 16:34 <DIR> d-------- C:\SDFix
2008-11-05 14:38 . 2008-11-05 14:38 20,992 --ahs---- c:\windows\system32\c00762AC.mat
2008-11-04 14:48 . 2008-11-04 14:48 <DIR> d-------- c:\program files\Trend Micro
2008-11-04 13:46 . 2004-04-13 12:43 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2008-11-04 13:46 . 2004-04-15 01:22 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sony Corporation
2008-11-04 13:46 . 2008-11-04 13:46 <DIR> d-------- c:\documents and settings\Administrator
2008-11-04 13:19 . 2008-11-04 13:19 <DIR> d-------- C:\ProgramData
2008-11-04 13:19 . 2008-11-05 14:44 <DIR> d-------- c:\program files\Angle Interactive
2008-11-04 12:58 . 2008-11-04 12:58 153,484 --a------ c:\windows\system32\g20.exe
2008-11-04 12:49 . 2008-11-04 12:49 20,992 --ahs---- c:\windows\system32\c006634.mat
2008-11-04 12:46 . 2008-11-05 16:22 <DIR> d-------- c:\windows\S2Vubnk
2008-11-04 12:45 . 2008-11-04 12:46 <DIR> d-------- c:\windows\system32\tw32
2008-11-04 12:45 . 2008-11-04 12:45 <DIR> d-------- c:\windows\system32\rt
2008-11-04 12:45 . 2008-11-04 12:45 <DIR> d-------- c:\windows\system32\iNET
2008-11-04 12:45 . 2008-11-04 12:45 189,941 --a------ c:\temp\mdHP614.exe
2008-11-04 12:45 . 2008-11-04 12:45 60,928 --ahs---- c:\windows\system32\xxyXOihh.dll
2008-11-04 12:44 . 2008-11-04 12:44 <DIR> d-------- c:\windows\system32\QI19
2008-11-04 12:44 . 2008-11-04 12:45 <DIR> d-------- c:\temp\NT32
2008-11-04 12:44 . 2008-11-05 16:28 <DIR> d-------- C:\Temp
2008-10-24 08:56 . 2008-10-15 16:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-20 13:36 . 2007-07-30 18:19 271,224 --a------ c:\windows\system32\mucltui.dll
2008-10-20 13:36 . 2007-07-30 18:19 207,736 --a------ c:\windows\system32\muweb.dll
2008-10-20 13:36 . 2007-07-30 18:19 30,072 --a------ c:\windows\system32\mucltui.dll.mui
2008-10-19 22:23 . 2008-10-19 22:26 <DIR> d-------- c:\program files\Windows Live Toolbar
2008-10-19 22:22 . 2008-10-19 22:22 <DIR> d-------- c:\program files\Windows Live Favorites
2008-10-19 22:19 . 2008-11-03 23:35 <DIR> d-------- c:\documents and settings\Kenny\Contacts
2008-10-19 22:04 . 2008-10-19 22:12 <DIR> d--hsc--- c:\program files\Common Files\WindowsLiveInstaller
2008-10-19 22:03 . 2008-10-19 22:16 <DIR> d-------- c:\program files\Windows Live
2008-10-19 22:03 . 2008-10-19 22:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\WLInstaller
2008-10-19 21:41 . 2008-10-19 21:41 <DIR> d-------- c:\documents and settings\Kenny\Application Data\Apple Computer
2008-10-19 21:40 . 2008-04-17 12:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2008-10-19 21:40 . 2008-04-17 12:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2008-10-19 21:39 . 2008-10-19 21:40 <DIR> d-------- c:\program files\iTunes
2008-10-19 21:39 . 2008-10-19 21:39 <DIR> d-------- c:\program files\iPod
2008-10-19 21:39 . 2008-10-19 21:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-19 21:37 . 2008-10-19 21:38 <DIR> d-------- c:\program files\QuickTime
2008-10-19 21:37 . 2008-10-19 21:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-19 21:35 . 2008-10-19 21:35 <DIR> d-------- c:\program files\Apple Software Update
2008-10-19 21:34 . 2008-10-19 22:17 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-10-19 21:34 . 2008-09-08 10:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-10-19 21:34 . 2008-06-13 11:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-10-19 21:33 . 2008-10-19 21:37 <DIR> d-------- c:\program files\Common Files\Apple
2008-10-19 21:33 . 2008-10-19 21:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-10-19 21:33 . 2008-09-15 12:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-10-19 21:32 . 2008-08-14 10:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-19 21:32 . 2008-08-14 10:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-19 21:32 . 2008-08-14 09:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-19 21:32 . 2008-08-14 09:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-19 21:32 . 2008-05-08 14:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2008-10-19 21:31 . 2008-05-01 14:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2008-10-19 21:30 . 2008-04-11 19:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2008-10-19 21:14 . 2008-10-19 21:14 <DIR> d-------- c:\windows\system32\scripting
2008-10-19 21:14 . 2008-10-19 21:14 <DIR> d-------- c:\windows\system32\en
2008-10-19 21:14 . 2008-10-19 21:14 <DIR> d-------- c:\windows\l2schemas
2008-10-19 20:33 . 2008-04-14 00:12 774,144 -----c--- c:\windows\system32\dllcache\setup_wm.exe
2008-10-19 20:32 . 2008-04-14 00:12 1,306,624 --a------ c:\windows\system32\msxml6.dll
2008-10-19 20:31 . 2008-04-14 00:10 844,314 -----c--- c:\windows\system32\dllcache\msdxm.ocx
2008-10-19 20:30 . 2008-04-14 00:12 695,808 -----c--- c:\windows\system32\dllcache\drmv2clt.dll
2008-10-19 20:29 . 2008-04-14 00:11 286,720 -----c--- c:\windows\system32\dllcache\blackbox.dll
2008-10-19 20:29 . 2008-04-14 00:11 233,472 --a------ c:\windows\system32\azroles.dll
2008-10-19 20:29 . 2008-04-13 17:28 184,959 -----c--- c:\windows\system32\dllcache\compact.wmz
2008-10-19 20:29 . 2008-04-14 00:11 159,232 -----c--- c:\windows\system32\dllcache\cewmdm.dll
2008-10-19 20:29 . 2008-04-14 00:11 136,192 --a------ c:\windows\system32\aaclient.dll
2008-10-19 20:29 . 2008-04-13 17:23 8,192 -----c--- c:\windows\system32\dllcache\asferror.dll
2008-10-19 20:29 . 2008-04-14 00:11 7,168 --a------ c:\windows\system32\bitsprx4.dll
2008-10-19 20:29 . 2003-03-31 12:00 999 -----c--- c:\windows\system32\dllcache\bktrh.gif
2008-10-19 20:29 . 2003-03-31 12:00 773 -----c--- c:\windows\system32\dllcache\cnth.gif
2008-10-19 20:29 . 2003-03-31 12:00 773 -----c--- c:\windows\system32\dllcache\cnt.gif
2008-10-19 20:29 . 2003-03-31 12:00 772 -----c--- c:\windows\system32\dllcache\cntd.gif
2008-10-19 20:29 . 2003-03-31 12:00 760 -----c--- c:\windows\system32\dllcache\cloapph.gif
2008-10-19 20:29 . 2003-03-31 12:00 717 -----c--- c:\windows\system32\dllcache\cloapp.gif
2008-10-19 18:19 . 2008-10-19 18:19 <DIR> d-------- c:\windows\provisioning
2008-10-19 18:19 . 2008-10-19 21:14 <DIR> d-------- c:\windows\peernet
2008-10-19 18:13 . 2008-10-19 18:13 <DIR> d-------- c:\windows\ServicePackFiles
2008-10-19 17:57 . 2008-10-19 20:49 <DIR> d-------- c:\windows\EHome
2008-10-19 17:40 . 2002-04-15 20:11 67,866 --a------ c:\windows\system32\drivers\netwlan5.img
2008-10-19 17:40 . 2008-04-14 04:42 11,264 --a------ c:\windows\system32\spnpinst.exe
2008-10-19 17:40 . 2004-08-02 13:20 7,208 --a------ c:\windows\system32\secupd.sig
2008-10-19 17:40 . 2004-08-02 13:20 4,569 --a------ c:\windows\system32\secupd.dat
2008-10-19 16:47 . 2008-04-14 00:11 40,960 --a------ c:\windows\system32\mf3216.dll
2008-10-19 16:46 . 2008-04-14 00:12 1,287,168 --a------ c:\windows\system32\ole32.dll
2008-10-19 16:46 . 2008-04-14 00:11 1,267,200 --a------ c:\windows\system32\comsvcs.dll
2008-10-19 16:46 . 2008-04-14 00:11 625,664 --a------ c:\windows\system32\catsrvut.dll
2008-10-19 16:46 . 2008-04-14 00:12 584,704 --a------ c:\windows\system32\rpcrt4.dll
2008-10-19 16:46 . 2008-04-14 00:11 498,688 --a------ c:\windows\system32\clbcatq.dll
2008-10-19 16:46 . 2008-04-14 00:12 399,360 --a------ c:\windows\system32\rpcss.dll
2008-10-19 16:46 . 2008-07-07 20:26 253,952 --a------ c:\windows\system32\es.dll
2008-10-19 16:46 . 2008-04-14 00:11 226,304 --a------ c:\windows\system32\catsrv.dll
2008-10-19 16:46 . 2008-04-14 00:12 74,752 --a------ c:\windows\system32\olecli32.dll
2008-10-19 16:46 . 2008-04-14 00:11 60,416 --a------ c:\windows\system32\colbact.dll
2008-10-19 16:44 . 2008-04-13 17:39 2,897,920 --a------ c:\windows\system32\xpsp2res.dll
2008-10-19 16:43 . 2008-04-14 00:12 28,672 --a------ c:\windows\system32\verclsid.exe
2008-10-19 16:22 . 2008-04-14 00:11 1,082,368 --a------ c:\windows\system32\esent.dll
2008-10-19 16:09 . 2008-04-14 00:12 1,104,896 --a------ c:\windows\system32\msxml3.dll
2008-10-19 16:07 . 2008-04-14 00:12 57,856 --a------ c:\windows\system32\spoolsv.exe
2008-10-19 16:06 . 2008-04-14 00:12 198,144 --a------ c:\windows\system32\netman.dll
2008-10-18 17:58 . 2008-10-19 21:14 <DIR> d-------- c:\windows\system32\bits
2008-10-18 17:54 . 2007-08-10 19:46 26,488 --a------ c:\windows\system32\spupdsvc.exe
2008-10-18 17:52 . 2008-10-24 09:09 <DIR> d--h----- c:\windows\$hf_mig$
2008-10-17 23:05 . 2008-04-14 00:12 91,648 --a------ c:\windows\system32\mtxoci.dll
2008-10-17 23:05 . 2008-04-14 00:12 66,560 --a------ c:\windows\system32\mtxclu.dll
2008-10-16 09:11 . 2008-04-14 00:12 713,216 --a------ c:\windows\system32\sxs.dll
2008-10-16 09:11 . 2008-04-14 00:11 101,888 --a------ c:\windows\system32\cscdll.dll
2008-10-16 09:11 . 2008-04-14 00:11 87,552 --a------ c:\windows\system32\fldrclnr.dll
2008-10-16 09:11 . 2008-04-14 00:11 19,968 --a------ c:\windows\system32\linkinfo.dll
2008-10-16 09:10 . 2008-04-14 00:11 384,000 --a------ c:\windows\system32\ipsmsnap.dll
2008-10-16 09:10 . 2008-04-14 00:12 354,304 --a------ c:\windows\system32\winhttp.dll
2008-10-16 09:10 . 2008-04-14 00:11 349,696 --a------ c:\windows\system32\ipsecsnp.dll
2008-10-16 09:10 . 2008-04-14 00:12 270,336 --a------ c:\windows\system32\oakley.dll
2008-10-16 09:10 . 2008-04-14 00:11 183,808 --a------ c:\windows\system32\ipsecsvc.dll
2008-10-16 09:10 . 2008-04-14 00:12 105,472 --a------ c:\windows\system32\polstore.dll
2008-10-16 09:10 . 2008-04-14 00:12 32,256 --a------ c:\windows\system32\winipsec.dll
2008-10-16 09:10 . 2008-04-14 00:12 18,944 --a------ c:\windows\system32\qmgrprxy.dll
2008-10-16 09:10 . 2008-04-14 00:11 8,192 --a------ c:\windows\system32\bitsprx2.dll
2008-10-16 09:10 . 2008-04-14 00:11 7,168 --a------ c:\windows\system32\bitsprx3.dll
2008-10-14 19:22 . 2008-10-14 19:22 <DIR> d-------- c:\windows\Sun
2008-10-14 18:03 . 2007-07-30 18:19 549,720 --a------ c:\windows\system32\wuapi.dll
2008-10-14 18:03 . 2007-07-30 18:19 325,976 --a------ c:\windows\system32\wucltui.dll
2008-10-14 18:03 . 2007-07-30 18:19 216,408 --a------ c:\windows\system32\wuaucpl.cpl
2008-10-14 18:03 . 2007-07-30 18:19 203,096 --a------ c:\windows\system32\wuweb.dll
2008-10-14 18:03 . 2008-04-14 00:12 183,296 --a------ c:\windows\system32\wuaueng1.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-07 10:55 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-06 18:54 --------- d-----w c:\documents and settings\Kenny\Application Data\Drag'n Drop CD+DVD
2008-10-06 18:50 --------- d-----w c:\program files\Microsoft Works
2008-10-06 18:45 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-06 18:45 --------- d-----w c:\program files\drag'n drop cd+dvd
2008-10-06 18:44 --------- d-----w c:\program files\sony
2008-10-06 18:43 --------- d-----w c:\documents and settings\All Users\Application Data\Sony Corporation
2008-10-06 18:42 --------- d-----w c:\program files\Common Files\Sony Shared
2008-10-06 18:42 --------- d-----w c:\documents and settings\All Users\Application Data\VAIO Media Platform
2008-10-06 18:33 --------- d-----w c:\program files\MoodLogic
2008-10-06 18:26 --------- d-----w c:\program files\Common Files\Adobe
2008-10-06 18:18 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-06 18:13 --------- d-----w c:\program files\InterVideo
2008-10-06 18:12 0 ---ha-r c:\windows\system32\drivers\Sony_PCG-K215B(GB).mrk
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w c:\windows\system32\drivers\srv.sys
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-14 10:11 2,189,184 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VAIO Update 2"="c:\program files\sony\vaio update 2\VAIOUpdt.exe" [2004-01-17 135168]
"URLLSTCK.exe"="c:\program files\Norton Internet Security\UrlLstCk.exe" [2003-09-06 70840]
"SonyPowerCfg"="c:\program files\sony\vaio power management\SPMgr.exe" [2003-12-11 167936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"IS CfgWiz"="c:\program files\Common Files\Symantec Shared\cfgwiz.exe" [2003-08-20 124096]
"HKSERV.EXE"="c:\program files\Sony\HotKey Utility\HKserv.exe" [2004-02-12 98304]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"Drag'n Drop CD+DVD"="c:\program files\drag'n drop cd+dvd\BinFiles\DragDrop.exe" [2004-02-02 1183744]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2003-09-06 70816]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-30 335872]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-07 114688]
"Mouse Suite 98 Daemon"="ICO.EXE" [2002-03-14 c:\windows\system32\ico.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-07-30 217195]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-10-06 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\c006634]
2008-11-04 12:49 20992 c:\windows\system32\c006634.mat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= c:\progra~1\COMMON~1\SONYSH~1\videolib\sonydv.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

.
Contents of the 'Scheduled Tasks' folder

2008-10-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-06 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]

2004-04-13 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-08-13 17:38]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-07 11:11:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\system32\winlogon.exe
-> c:\windows\system32\Ati2evxx.dll
-> c:\windows\system32\c006634.mat
.
Completion time: 2008-11-07 11:13:54
ComboFix-quarantined-files.txt 2008-11-07 11:13:02
ComboFix2.txt 2008-11-06 11:45:36

Pre-Run: 12,057,481,216 bytes free
Post-Run: 12,073,766,912 bytes free

262 --- E O F --- 2008-10-24 09:09:57

ken545
2008-11-07, 13:19
Hello,

After each program we run, I always need to see a new HijackThis log so we can see what we have accomplished. Post one, please.

ken545
2008-11-07, 13:58
Take your time; I will be away for most of the day.

You need to enable Windows to show all files and folders; instructions are Here (http://www.xtra.co.nz/help/0,,4155-1916458,00.html).

Go to VirusTotal (http://www.virustotal.com/) and submit these files for analysis: just use the BROWSE feature and then Send File. You will get a report back; post the report into this thread for me to see.

c:\windows\system32\c006634.mat
c:\windows\system32\c00762AC.mat

Open Notepad (go to Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the code box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above File::

File::
c:\windows\system32\g20.exe
c:\windows\system32\xxyXOihh.dll

Dirlook::
c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Post the VirusTotal logs, the new Combofix log and a New HJT log please

gpcurran
2008-11-07, 15:31
Sorry, here is the new HijackThis report.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:30, on 2008-11-07
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\sony\vaio update 2\VAIOUpdt.exe
C:\Program Files\sony\vaio power management\SPMgr.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\drag'n drop cd+dvd\BinFiles\DragDrop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Windows Live Toolbar\msn_sl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.club-vaio.sony-europe.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\sony\vaio power management\SPMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\drag'n drop cd+dvd\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prun.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

thanks again
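
The cross-check the helper does by eye at this point (does the new HijackThis log still show an autostart for something ComboFix was told to remove, such as the [prunnet] entry for prun.exe in HKCU), written out as an added Python example. This is not code from the thread, from HijackThis or from ComboFix: it parses the O4 Run entries of a HijackThis log and the File:: section of a CFScript, then reports autostart values whose target is on the removal list. The O4 sample lines are copied from the log above; the CFScript sample is constructed from the file names the helper listed (prun.exe, g20.exe, xxyXOihh.dll); the section and path parsing rules are assumptions about the two formats, not their specification.

```python
"""Flag HijackThis O4 autostart entries that still point at files a CFScript told ComboFix to delete.

Added example, not part of the original thread or of HijackThis/ComboFix. The parsing
rules below are assumptions about the log and script formats based on the lines in the thread.
"""
import re
from typing import List, Tuple

# One HijackThis O4 registry Run entry, e.g.
#   O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prun.exe"
# Captures the hive (HKLM, HKCU, HKUS\S-1-5-18, ...), the value name and the command line.
O4_RUN_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$')

# First drive-letter path ending in an executable extension inside a command line.
# Non-greedy so it stops at the extension, which copes with unquoted paths containing
# spaces and ignores trailing switches such as /Stationary or /GUID NIS.
EXE_PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|com|bat|scr)', re.IGNORECASE)


def parse_o4_entries(hjt_log: str) -> List[Tuple[str, str, str]]:
    """Return (hive, value name, target) for every O4 registry Run entry in a HijackThis log.

    Global Startup (.lnk) lines are not registry Run values and are skipped. A command
    with no drive-letter path (e.g. the bare 'ICO.EXE') is kept verbatim as the target.
    """
    entries = []
    for line in hjt_log.splitlines():
        m = O4_RUN_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group('cmd')
        path = EXE_PATH_RE.search(cmd)
        entries.append((m.group('hive'), m.group('name'), path.group(0) if path else cmd.strip()))
    return entries


def parse_cfscript_files(cfscript: str) -> List[str]:
    """Return the paths listed under the File:: section of a CFScript; other sections are skipped."""
    files, in_file_section = [], False
    for raw in cfscript.splitlines():
        line = raw.strip()
        if line.endswith('::'):                 # section header: File::, Dirlook::, Registry::, ...
            in_file_section = (line == 'File::')
            continue
        if in_file_section and line:
            files.append(line)
    return files


def leftover_autostarts(hjt_log: str, cfscript: str) -> List[Tuple[str, str, str]]:
    """Autostart entries that still launch a file the CFScript told ComboFix to delete.

    Paths are compared case-insensitively because HijackThis and ComboFix print them
    with different casing (C:\\WINDOWS\\system32 vs c:\\windows\\system32).
    """
    targets = {f.casefold() for f in parse_cfscript_files(cfscript)}
    return [e for e in parse_o4_entries(hjt_log) if e[2].casefold() in targets]


# Sample O4 lines copied from the HijackThis log posted in the thread.
SAMPLE_HJT_LINES = r"""
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prun.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
"""

# Constructed CFScript: the File:: entries are the file names the helper asked to have removed.
SAMPLE_CFSCRIPT = r"""File::
c:\windows\system32\prun.exe
c:\windows\system32\g20.exe
c:\windows\system32\xxyXOihh.dll

Dirlook::
c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
"""

if __name__ == '__main__':
    for hive, name, target in leftover_autostarts(SAMPLE_HJT_LINES, SAMPLE_CFSCRIPT):
        print(f'leftover autostart: {hive} [{name}] -> {target}')
```

On the sample input this reports the single HKCU [prunnet] value pointing at prun.exe, which is exactly the entry that survived in the second HijackThis log after the HKLM copy had been removed by the Registry:: script.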

ken545
2008-11-08, 00:49
Did you see my instructions in my previous post about running the new Script with Combofix along with uploading those files to VirusTotal???

You also posted an incomplete HijackThis log.

tashi
2008-11-19, 23:36
This topic has been archived due to inactivity.

As it has been five days or more since your last post, and your helper posted a response to which you did not reply, this topic has been archived and will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread.

Applies only to the original poster, anyone else with similar problems please start a new topic.