Smithfraud-C.Toolbar888

mindalter · Jun 4, 2007

Hi,

Well I just got done reading about 15 posts on this issue and tried many of them on my system but am unable to get rid of this on my own.

I tried Vundofix, spybot, spyware doctor, cleanreg.

It is kind of funny as my system is so bad now its running audio advertisements with no processes running according to task manager. LOL

I renamed hijack this to scanner.exe and here are my HJT logs. Any help is much appreciated. I can post vundo.txt if needed.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:45:11 AM, on 6/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Brad\Desktop\scanner.exe.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: (no name) - {E4D9BB1E-EC04-4220-8F87-40F091813D30} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Online Services\rtenefsuzy.html

--
End of file - 8007 bytes

BTW I have viewed and understand the information inside "BEFORE you POST"
http://forums.spybot.info/showthread.php?t=288
And I understand that all advice given is taken at your own risk.

mindalter · Jun 5, 2007

I downloaded SmitfraudFix (by S!Ri).
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

and ran the application and here are the results of rapport.txt

SmitFraudFix v2.192

Scan done at 17:30:48.32, Mon 06/04/2007
Run from C:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Brad\Desktop\scanner.exe.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Brad

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Brad\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Brad\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Online Services\\rtenefsuzy.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 10.0.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{FAA209ED-7AE5-4EE8-BB45-B7DEA9E16BCB}: DhcpNameServer=10.0.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{FAA209ED-7AE5-4EE8-BB45-B7DEA9E16BCB}: DhcpNameServer=10.0.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{FAA209ED-7AE5-4EE8-BB45-B7DEA9E16BCB}: DhcpNameServer=10.0.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.0.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.0.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=10.0.1.1

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Mr_JAk3 · Jun 5, 2007

Hello mindalter and welcome to the Forums

You got at least some leftovers there...

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

mindalter · Jun 7, 2007

Thanks sooo much for the help on this one.

Here are the combo fix logs.

"Brad" - 2007-06-07 7:52:18 Service Pack 2 NTFS
ComboFix 07-06-3B - Running from: "C:\Documents and Settings\Brad\Desktop\"

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

-- Purity Folders:
C:\Program Files\DOBE~1
C:\Program Files\Online Services\rtenefsuzy.html
C:\Temp\0b9
C:\Temp\0b9\tmpTF.log
C:\Temp\tn3
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\rau001978.exe
C:\WINDOWS\setup.exe
C:\WINDOWS\system32\pog
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T3\am67.exe
C:\WINDOWS\system32\T4

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_NET_AGENT
-------\LEGACY_NM
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\nm

((((((((((((((((((((((((( Files Created from 2007-05-07 to 2007-06-07 )))))))))))))))))))))))))))))))

2007-06-04 17:31 2,536 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-04 17:30 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-06-04 17:30 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-06-04 17:30 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-06-04 17:30 <DIR> d-------- C:\SmitfraudFix
2007-06-04 17:28 879,247 --a------ C:\SmitfraudFix.exe
2007-06-04 08:22 <DIR> d-------- C:\VundoFix Backups
2007-06-03 17:56 2,580 --a------ C:\WINDOWS\system32\yijufoes.exe
2007-06-03 16:45 <DIR> d-------- C:\Program Files\RegCure
2007-06-03 16:41 1,621,850 ---hs---- C:\WINDOWS\system32\wvvwa.ini2
2007-06-03 16:36 2,580 --a------ C:\WINDOWS\system32\hqwdxant.exe
2007-06-03 16:34 2,719,068 --a------ C:\WINDOWS\system32\SBSP.dat
2007-06-03 16:33 11,758 --a------ C:\WINDOWS\system32\SBFC.dat
2007-06-03 15:17 2,580 --a------ C:\WINDOWS\system32\wptrcwpr.exe
2007-06-03 15:17 1,611,822 ---hs---- C:\WINDOWS\system32\dcbeg.bak1
2007-06-03 12:53 1,613,131 ---hs---- C:\WINDOWS\system32\opqss.ini2
2007-06-03 12:07 2,580 --a------ C:\WINDOWS\system32\bsfdwyup.exe
2007-06-03 11:23 1,587,323 ---hs---- C:\WINDOWS\system32\aycdd.ini2
2007-06-03 10:24 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2007-06-03 10:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sunbelt Software
2007-06-03 10:21 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-06-03 08:48 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-06-03 08:48 59,984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-06-03 08:48 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-06-03 08:48 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-06-03 08:48 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-06-03 08:47 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-06-03 08:47 2,580 --a------ C:\WINDOWS\system32\tcyrrnhf.exe
2007-06-03 08:47 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-06-03 08:47 <DIR> d-------- C:\DOCUME~1\Gisele\APPLIC~1\PC Tools
2007-06-03 08:38 <DIR> d-------- C:\DOCUME~1\Gisele\APPLIC~1\Lavasoft
2007-06-03 08:28 72,192 --a------ C:\WINDOWS\system32\zlib.dll
2007-06-03 08:28 169,017 --a------ C:\WINDOWS\system32\mcpcuninstaller1_25.EXE
2007-06-03 08:25 226,352 -r-hs---- C:\WINDOWS\cimhujaA.exe
2007-06-03 08:25 <DIR> d-------- C:\Program Files\myCleanerPC
2007-06-03 08:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\myCleanerPC
2007-06-03 08:24 49,152 --a------ C:\WINDOWS\TISKY009.exe
2007-06-03 08:24 192,622 --a------ C:\WINDOWS\system32\lwinondt.exe
2007-06-03 08:24 <DIR> d-------- C:\WINDOWS\system32\TQ0
2007-06-03 08:24 <DIR> d-------- C:\WINDOWS\system32\T9
2007-06-03 08:24 <DIR> d-------- C:\WINDOWS\system32\T7
2007-06-03 08:24 <DIR> d-------- C:\WINDOWS\system32\T6
2007-06-03 08:24 <DIR> d-------- C:\WINDOWS\system32\T1QaSQ
2007-06-03 08:24 <DIR> d-------- C:\Temp\x2b
2007-06-03 08:24 <DIR> d-------- C:\Temp

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-07 14:58:31 -------- d-----w C:\Program Files\Online Services
2007-06-07 13:57:21 -------- d-----w C:\Program Files\Warcraft III
2007-06-03 15:43:26 -------- d--h--w C:\Program Files\WindowsUpdate
2007-06-03 15:08:18 -------- d-----w C:\DOCUME~1\Brad\APPLIC~1\BitTorrent
2007-06-03 14:50:24 -------- d-----w C:\Program Files\PokerStars
2007-05-29 16:15:48 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-09 16:54:19 -------- d-----w C:\Program Files\WC3Banlist
2007-04-09 15:34:53 -------- d-----w C:\Program Files\WinPcap
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-09 16:57:40 27,376 ----a-w C:\WINDOWS\system32\SBBD.exe
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 15:17]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-15 22:00]
"VAIO Update 2"="C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" [2004-01-17 04:36]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [2001-12-26 02:00]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 16:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-08-13 10:54]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-23 11:43 C:\WINDOWS\AGRSMMSG.exe]
"@"="" []
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-03-09 10:31]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-05-17 12:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Online Services\rtenefsuzy.html
FriendlyName=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\SBCSSvc]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

Contents of the 'Scheduled Tasks' folder
2007-06-07 15:04:41 C:\WINDOWS\tasks\RegCure Program Check.job
2007-06-07 10:00:00 C:\WINDOWS\tasks\RegCure.job
2007-06-07 15:05:00 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-07 08:04:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = C:\Program Files\Creative\ShareDLL\CtNotify.exe?X???0???????????????E?@?Disc Detector?A????? ?A?? ????B?e!@???@???@?? C?????E?@?????????@?B???A????? ?A?0?????B???@?????P?????@?? ????????A~??????????@?W?????????????????B?????<????????????????????@??????r?B

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-07 8:07:17 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-07 08:07

--- E O F ---
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

-- Purity Folders:
C:\Program Files\DOBE~1
C:\Program Files\Online Services\rtenefsuzy.html
C:\Temp\0b9
C:\Temp\0b9\tmpTF.log
C:\Temp\tn3
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\rau001978.exe
C:\WINDOWS\setup.exe
C:\WINDOWS\system32\pog
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T3\am67.exe
C:\WINDOWS\system32\T4

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_NET_AGENT
-------\LEGACY_NM
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\nm

((((((((((((((((((((((((( Files Created from 2007-05-07 to 2007-06-07 )))))))))))))))))))))))))))))))

2007-06-07 08:07 49,152 --a------ C:\WINDOWS\nircmd.exe

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-07 14:58:31 -------- d-----w C:\Program Files\Online Services
2007-06-07 13:57:21 -------- d-----w C:\Program Files\Warcraft III
2007-06-03 15:43:26 -------- d--h--w C:\Program Files\WindowsUpdate
2007-06-03 15:08:18 -------- d-----w C:\DOCUME~1\Brad\APPLIC~1\BitTorrent
2007-06-03 14:50:24 -------- d-----w C:\Program Files\PokerStars
2007-05-29 16:15:48 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-09 16:54:19 -------- d-----w C:\Program Files\WC3Banlist
2007-04-09 15:34:53 -------- d-----w C:\Program Files\WinPcap
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-09 16:57:40 27,376 ----a-w C:\WINDOWS\system32\SBBD.exe
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 15:17]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-15 22:00]
"VAIO Update 2"="C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" [2004-01-17 04:36]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [2001-12-26 02:00]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 16:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-08-13 10:54]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-23 11:43 C:\WINDOWS\AGRSMMSG.exe]
"@"="" []
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-03-09 10:31]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-05-17 12:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Online Services\rtenefsuzy.html
FriendlyName=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\SBCSSvc]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

Contents of the 'Scheduled Tasks' folder
2007-06-07 15:04:41 C:\WINDOWS\tasks\RegCure Program Check.job
2007-06-07 10:00:00 C:\WINDOWS\tasks\RegCure.job
2007-06-07 15:05:00 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-07 08:08:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Disc Detector = C:\Program Files\Creative\ShareDLL\CtNotify.exe?X???0???????????????E?@?Disc Detector?A????? ?A?? ????B?e!@???@???@?? C?????E?@?????????@?B???A????? ?A?0?????B???@?????P?????@?? ????????A~??????????@?W?????????????????B?????<????????????????????@??????r?B

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-07 8:10:23 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-07 08:09

--- E O F ---

Mr_JAk3 · Jun 7, 2007

Hi again, we'll continue

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/

Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
- Click on Change state next to Resident shield. It should now change to inactive.
- Click on Change state next to Automatic updates. It should now change to inactive.
- Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
- Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner by Atribune to your desktop.
Do NOT run yet.

Make your hidden files visible:

Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

==================

Open Control Panel -> Add/Remove programs -> Remove all the of the following or similar entries if found:

myCleanerPC
PokerStars

and any other programs you didn't install or don't recognize - if your not sure please ask first

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: (no name) - {E4D9BB1E-EC04-4220-8F87-40F091813D30} - (no file)
O24 - Desktop Component 0: (no name) - C:\Program Files\Online Services\rtenefsuzy.html

Restart your computer to the safe mode:

Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Go to the My Computer and delete the following files (if present):
C:\WINDOWS\system32\yijufoes.exe
C:\WINDOWS\system32\wvvwa.ini2
C:\WINDOWS\system32\hqwdxant.exe
C:\WINDOWS\system32\wptrcwpr.exe
C:\WINDOWS\system32\dcbeg.bak1
C:\WINDOWS\system32\opqss.ini2
C:\WINDOWS\system32\bsfdwyup.exe
C:\WINDOWS\system32\aycdd.ini2
C:\WINDOWS\system32\drivers\sbhr.sys
C:\WINDOWS\system32\tcyrrnhf.exe
C:\WINDOWS\system32\mcpcuninstaller1_25.EXE
C:\WINDOWS\cimhujaA.exe
C:\WINDOWS\TISKY009.exe
C:\WINDOWS\system32\lwinondt.exe
C:\Program Files\Online Services\rtenefsuzy.html

Go to the My Computer and delete the following folders (if present):
C:\WINDOWS\system32\TQ0
C:\WINDOWS\system32\T9
C:\WINDOWS\system32\T7
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\T1QaSQ
C:\Program Files\myCleanerPC
C:\Documents and Settings\All Users\Application Data\myCleanerPC
C:\Program Files\PokerStars

Run ATF Cleaner

Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Restart the computer to the normal mode.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.

Click on Scanner on the toolbar.
Click on the Settings tab.
- Under How to act?
  - Click on Recommended Action and choose Quarantine from the popup menu.
- Under How to scan?
  - All checkboxes should be ticked.
- Under Possibly unwanted software:
  - All checkboxes should be ticked.
- Under Reports:
  - Select Automatically generate report after every scan and uncheck Only if threats were found.
- Under What to scan?
  - Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
- Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
- At the bottom of the window click on the Apply all Actions button. (3)
When done, click the Save Scan Report button. (4)
- Click the Save Report as button.
- Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log

mindalter · Jun 8, 2007

ok - I completed everything listed above.

When I Was in safe mode deleting files all of the .ini2 files also had .tmp and .tmp2 files of the same name. They seemed to be created on the same day and time as the infection so I deleted them also.

Completed the full AVG scan and it found 20 objects with 39 items. But when the scan was completed it would not allow me to save report (step 4). Does this auto save the report to somewhere? If so I can grab it and post it here? Otherwise I may need to do a full system scan again and try to get the logs.

Here are the latest HJT logs.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 19:16, on 2007-06-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Brad\Desktop\scanner.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Online Services\rtenefsuzy.html

--
End of file - 7318 bytes

Mr_JAk3 · Jun 8, 2007

Hi

Ok no need for AVg log, I forgot that the function has some problems at the moment...

Backup your registry:

Start
Run
Type the following to the box and hit Ok: regedit
A window opens, click on File
Choose Export form the menu
Change the save location to C:\
Give the filename, RegBackUp
Make sure that the filetype is set to Registryfiles (*.reg)
Click on Save and Close the window

Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the word REGEDIT4) :

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.

Delete this file if found:
C:\Program Files\Online Services\rtenefsuzy.html

Restart the computer.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
- Extended (if available otherwise Standard)
- Scan Options:
- Scan Archives
  Scan Mail Bases
Click OK
Now under select a target to scan:
- Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post along with a fresh HijackTHis log

mindalter · Jun 9, 2007

When I was looking to Delete this file if found:
C:\Program Files\Online Services\rtenefsuzy.html

I did not find it but in the same folder I saw a file qufaqygi that last used on the infection date of all the other files you had me delete previsouly. Not sure if I should go back and delete this file.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2007-06-08 18:21
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 9/06/2007
Kaspersky Anti-Virus database records: 341466
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 58449
Number of viruses found: 7
Number of infected objects: 34
Number of suspicious objects: 0
Duration of the scan process: 00:59:00

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Sony Corporation\SonicStage\Packages\MtData.ldb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sony Corporation\SonicStage\Packages\MtData.mdb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sony Corporation\VAIO Entertainment Platform\1.0\VzCdb\MtData.ldb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sony Corporation\VAIO Entertainment Platform\1.0\VzCdb\MtData.mdb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sunbelt Software\CounterSpy\Quarantine\{68623201-5B4D-4FB7-BF94-9DC6DE4688CB} Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles\i6vd93ld.default\cert8.db Object is locked skipped
C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles\i6vd93ld.default\history.dat Object is locked skipped
C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles\i6vd93ld.default\key3.db Object is locked skipped
C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles\i6vd93ld.default\parent.lock Object is locked skipped
C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles\i6vd93ld.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Brad\Application Data\Mozilla\Firefox\Profiles\i6vd93ld.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Brad\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Brad\Desktop\backups\backup-20070604-071012-532.dll Infected: Trojan.Win32.BHO.bd skipped
C:\Documents and Settings\Brad\Desktop\backups\backup-20070604-071012-561.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\Documents and Settings\Brad\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Brad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Brad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Brad\Local Settings\Application Data\Mozilla\Firefox\Profiles\i6vd93ld.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Brad\Local Settings\Application Data\Mozilla\Firefox\Profiles\i6vd93ld.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Brad\Local Settings\Application Data\Mozilla\Firefox\Profiles\i6vd93ld.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Brad\Local Settings\Application Data\Mozilla\Firefox\Profiles\i6vd93ld.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Brad\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Brad\Local Settings\History\History.IE5\MSHist012007060820070609\index.dat Object is locked skipped
C:\Documents and Settings\Brad\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Brad\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Brad\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Brad\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Gisele\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-c973141-5871cf37.class Infected: Trojan-Downloader.Java.OpenStream.y skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP803\A0102312.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP803\A0102315.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP803\A0104312.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP803\A0104324.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP803\A0106324.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP803\A0106325.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP805\A0108381.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP805\A0108382.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP805\A0108383.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP805\A0108384.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP806\A0108389.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kg skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP806\A0108390.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP806\A0108391.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP806\A0108393.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP806\A0108394.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kg skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP806\A0108396.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kg skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP806\A0108398.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP806\A0109407.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP814\change.log Object is locked skipped
C:\VundoFix Backups\anldojgy.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kg skipped
C:\VundoFix Backups\aywyuucu.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\ddcyv.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\VundoFix Backups\hkbvjduw.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\mfgqnald.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kg skipped
C:\VundoFix Backups\msgxhjyd.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kg skipped
C:\VundoFix Backups\pmnlm.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\VundoFix Backups\tnrvdhtp.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\crypt32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hh.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhctrl.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\html32.cnv Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\itircl.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\itss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\locator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\magnify.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\msconv97.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\narrator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\newdev.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\raspptp.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shdocvw.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shell32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shmedia.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srv.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\urlmon.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828028$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\wmp.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd5389.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\JETAAD6.tmp Object is locked skipped
C:\WINDOWS\Temp\JETABFF.tmp Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Hi jack this log in the next post!!!

mindalter · Jun 9, 2007

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 18:23, on 2007-06-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Brad\Desktop\scanner.exe.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe

--
End of file - 7565 bytes

Mr_JAk3 · Jun 9, 2007

OK looks pretty good...

How is the computer running? Any issues?

mindalter · Jun 10, 2007

System is running a lot better now but still is infected.
Still takes 15 seconds to launch firefox or IE.
Also some applications take longer to launch. But it is definetly better then a week ago.

I run sybot S&D and find 4 problems:

Doubleclick, fastclick, hitbox, and tagasaurus

Mr_JAk3 · Jun 11, 2007

Hmm might not be malware related but let's see...

Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.

mindalter · Jun 12, 2007

GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-06-11 17:40:53
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.12 ----

SSDT sbhr.sys ZwClose
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwCreateKey
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwCreateProcess
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwCreateProcessEx
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwDeleteKey
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwDeleteValueKey
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT sbhr.sys ZwOpenKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwSetValueKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
SSDT \SystemRoot\system32\drivers\iksysflt.sys ZwWriteVirtualMemory

mindalter · Jun 12, 2007

GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-06-11 17:43:08
Windows 5.1.2600 Service Pack 2

---- Kernel code sections - GMER 1.0.12 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? C:\WINDOWS\System32\Drivers\SPTD5389.SYS The process cannot access the file because it is being used by another process.
? C:\WINDOWS\System32\Drivers\dtscsi.sys The process cannot access the file because it is being used by another process.
? C:\WINDOWS\System32\DRIVERS\update.sys
? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified.
? C:\WINDOWS\system32\drivers\sbapifs.sys The system cannot find the file specified.

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\system32\ctfmon.exe[160] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\ctfmon.exe[160] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\ctfmon.exe[160] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Messenger\msmsgs.exe[180] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Messenger\msmsgs.exe[180] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Messenger\msmsgs.exe[180] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[200] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[200] user32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[200] user32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Creative\ShareDLL\Mediadet.exe[300] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Creative\ShareDLL\Mediadet.exe[300] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Creative\ShareDLL\Mediadet.exe[300] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[400] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[400] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[400] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\CTSVCCDA.EXE[420] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\CTSVCCDA.EXE[420] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\CTSVCCDA.EXE[420] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe[588] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe[588] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe[588] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Spyware Doctor\svcntaux.exe[704] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Spyware Doctor\svcntaux.exe[704] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Spyware Doctor\svcntaux.exe[704] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\csrss.exe[796] KERNEL32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\csrss.exe[796] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\csrss.exe[796] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\winlogon.exe[820] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\winlogon.exe[820] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\winlogon.exe[820] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\services.exe[868] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\services.exe[868] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\services.exe[868] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\lsass.exe[880] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\lsass.exe[880] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\lsass.exe[880] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[1048] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1048] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[1116] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1116] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[1212] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1212] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[1300] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1300] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Spyware Doctor\swdsvc.exe[1312] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ C7, 9E, C5, 83 ]
.text C:\DOCUME~1\Brad\LOCALS~1\Temp\Rar$EX01.047\gmer.exe[1348] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\DOCUME~1\Brad\LOCALS~1\Temp\Rar$EX01.047\gmer.exe[1348] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\DOCUME~1\Brad\LOCALS~1\Temp\Rar$EX01.047\gmer.exe[1348] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\DOCUME~1\Brad\LOCALS~1\Temp\Rar$EX01.047\gmer.exe[1348] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[1408] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1408] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\spoolsv.exe[1564] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\spoolsv.exe[1564] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\spoolsv.exe[1564] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wdfmgr.exe[1572] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\wdfmgr.exe[1572] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\wdfmgr.exe[1572] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe[1640] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe[1640] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe[1640] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\MsPMSPSv.exe[1708] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\MsPMSPSv.exe[1708] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\MsPMSPSv.exe[1708] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\explorer.exe[1880] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\explorer.exe[1880] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\explorer.exe[1880] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe[1960] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe[1960] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe[1960] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Creative\ShareDLL\CTNotify.exe[1968] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Creative\ShareDLL\CTNotify.exe[1968] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Creative\ShareDLL\CTNotify.exe[1968] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[1976] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[1976] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[1976] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\AGRSMMSG.exe[1992] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\AGRSMMSG.exe[1992] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\AGRSMMSG.exe[1992] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe[2000] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe[2000] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe[2000] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Spyware Doctor\SDTrayApp.exe[2008] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Spyware Doctor\SDTrayApp.exe[2008] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ A7, 94, C3, 83 ]
.text C:\Program Files\Spyware Doctor\SDTrayApp.exe[2008] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Spyware Doctor\SDTrayApp.exe[2008] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2572] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2572] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\Program Files\iPod\bin\iPodService.exe[2572] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2572] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wscntfy.exe[2692] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\wscntfy.exe[2692] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\WINDOWS\system32\wscntfy.exe[2692] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\wscntfy.exe[2692] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\WinRAR\WinRAR.exe[3028] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\WinRAR\WinRAR.exe[3028] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\Program Files\WinRAR\WinRAR.exe[3028] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\WinRAR\WinRAR.exe[3028] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\WinRAR\WinRAR.exe[3052] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\WinRAR\WinRAR.exe[3052] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\Program Files\WinRAR\WinRAR.exe[3052] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\WinRAR\WinRAR.exe[3052] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3464] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3464] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3464] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3464] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A

mindalter · Jun 12, 2007

First half of devices
~~~~~~~~~~~~~~~

GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-06-11 17:43:08
Windows 5.1.2600 Service Pack 2

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 82FDAC78
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 82FDAC78
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_PNP 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_READ 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_WRITE 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_FLUSH_BUFFERS 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DEVICE_CONTROL 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_INTERNAL_DEVICE_CONTROL 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SHUTDOWN 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CLEANUP 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_POWER 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SYSTEM_CONTROL 82F91A58
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_PNP 82F91A58
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 82D85428
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 82D85428
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 82D85428
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 82D85428
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 82D85428
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 82D85428
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82D85428
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 82D85428
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 82D85428
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 82D85428
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 82D85428
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_NAMED_PIPE 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLOSE 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_WRITE 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_INFORMATION 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_INFORMATION 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_EA 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_EA 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FLUSH_BUFFERS 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_VOLUME_INFORMATION 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_VOLUME_INFORMATION 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DIRECTORY_CONTROL 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_FILE_SYSTEM_CONTROL 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CONTROL 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_INTERNAL_DEVICE_CONTROL 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SHUTDOWN 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_LOCK_CONTROL 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CLEANUP 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_CREATE_MAILSLOT 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_SECURITY 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_SECURITY 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_POWER 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SYSTEM_CONTROL 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_DEVICE_CHANGE 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_QUERY_QUOTA 82B96EB0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_SET_QUOTA 82B96EB0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 82D85428
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 82D85428
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 82D85428
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 82D85428
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 82D85428
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 82D85428
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82D85428
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 82D85428
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 82D85428
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 82D85428
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 82D85428
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE 82D85428
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CLOSE 82D85428
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_READ 82D85428
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_WRITE 82D85428
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_FLUSH_BUFFERS 82D85428
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_DEVICE_CONTROL 82D85428
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_INTERNAL_DEVICE_CONTROL 82D85428
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SHUTDOWN 82D85428
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_POWER 82D85428
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_SYSTEM_CONTROL 82D85428
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_PNP 82D85428
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 82CDC848
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLOSE 82CDC848
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_DEVICE_CONTROL 82CDC848
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_INTERNAL_DEVICE_CONTROL 82CDC848
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLEANUP 82CDC848
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_PNP 82CDC848
Device \Driver\NetBT \Device\NetBT_Tcpip_{FAA209ED-7AE5-4EE8-BB45-B7DEA9E16BCB} IRP_MJ_CREATE 82CDC848
Device \Driver\NetBT \Device\NetBT_Tcpip_{FAA209ED-7AE5-4EE8-BB45-B7DEA9E16BCB} IRP_MJ_CLOSE 82CDC848
Device \Driver\NetBT \Device\NetBT_Tcpip_{FAA209ED-7AE5-4EE8-BB45-B7DEA9E16BCB} IRP_MJ_DEVICE_CONTROL 82CDC848
Device \Driver\NetBT \Device\NetBT_Tcpip_{FAA209ED-7AE5-4EE8-BB45-B7DEA9E16BCB} IRP_MJ_INTERNAL_DEVICE_CONTROL 82CDC848
Device \Driver\NetBT \Device\NetBT_Tcpip_{FAA209ED-7AE5-4EE8-BB45-B7DEA9E16BCB} IRP_MJ_CLEANUP 82CDC848
Device \Driver\NetBT \Device\NetBT_Tcpip_{FAA209ED-7AE5-4EE8-BB45-B7DEA9E16BCB} IRP_MJ_PNP 82CDC848
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 82CDC848
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLOSE 82CDC848
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_DEVICE_CONTROL 82CDC848
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_INTERNAL_DEVICE_CONTROL 82CDC848
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLEANUP 82CDC848
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_PNP 82CDC848
Device \Driver\00000079 \Device\0000004c IRP_MJ_POWER [F869DEA8] sptd.sys
Device \Driver\00000079 \Device\0000004c IRP_MJ_SYSTEM_CONTROL [F86B1A70] sptd.sys
Device \Driver\00000079 \Device\0000004c IRP_MJ_PNP [F86AA728] sptd.sys
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CREATE 82FDAEB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_CLOSE 82FDAEB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_READ 82FDAEB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_WRITE 82FDAEB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_FLUSH_BUFFERS 82FDAEB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_DEVICE_CONTROL 82FDAEB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82FDAEB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_SHUTDOWN 82FDAEB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_POWER 82FDAEB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_SYSTEM_CONTROL 82FDAEB0
Device \Driver\Disk \Device\Harddisk0\DR0 IRP_MJ_PNP 82FDAEB0

mindalter · Jun 12, 2007

second half of devices section
~~~~~~~~~~~~~~~~~~~~~
GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-06-11 17:43:08
Windows 5.1.2600 Service Pack 2

---- Devices - GMER 1.0.12 ----

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSE 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSE 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 82CD5AE0
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 82CD5AE0
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE 82CDC410
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CREATE_NAMED_PIPE 82CDC410
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CLOSE 82CDC410
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_READ 82CDC410
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_WRITE 82CDC410
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_INFORMATION 82CDC410
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_SET_INFORMATION 82CDC410
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_FLUSH_BUFFERS 82CDC410
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_VOLUME_INFORMATION 82CDC410
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_DIRECTORY_CONTROL 82CDC410
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_FILE_SYSTEM_CONTROL 82CDC410
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_CLEANUP 82CDC410
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_QUERY_SECURITY 82CDC410
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_SET_SECURITY 82CDC410
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 82F91A58
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_READ 82F91A58
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_WRITE 82F91A58
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_FLUSH_BUFFERS 82F91A58
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_DEVICE_CONTROL 82F91A58
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_INTERNAL_DEVICE_CONTROL 82F91A58
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SHUTDOWN 82F91A58
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CLEANUP 82F91A58
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_POWER 82F91A58
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SYSTEM_CONTROL 82F91A58
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_PNP 82F91A58
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CREATE 82CCCC48
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CLOSE 82CCCC48
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_READ 82CCCC48
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_WRITE 82CCCC48
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_QUERY_INFORMATION 82CCCC48
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_SET_INFORMATION 82CCCC48
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_QUERY_VOLUME_INFORMATION 82CCCC48
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_DIRECTORY_CONTROL 82CCCC48
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_FILE_SYSTEM_CONTROL 82CCCC48
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CLEANUP 82CCCC48
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_CREATE_MAILSLOT 82CCCC48
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_QUERY_SECURITY 82CCCC48
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_SET_SECURITY 82CCCC48
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_CREATE 82C693C8
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_CLOSE 82C693C8
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 82C693C8
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82C693C8
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_POWER 82C693C8
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL 82C693C8
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 IRP_MJ_PNP 82C693C8
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_CREATE 82C693C8
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_CLOSE 82C693C8
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_DEVICE_CONTROL 82C693C8
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82C693C8
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_POWER 82C693C8
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_SYSTEM_CONTROL 82C693C8
Device \Driver\dtscsi \Device\Scsi\dtscsi1 IRP_MJ_PNP 82C693C8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 82C06290
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE 82C06290
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 82C06290
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION 82C06290
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION 82C06290
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION 82C06290
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL 82C06290
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL 82C06290
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL 82C06290
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN 82C06290
Device \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL 82C06290
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP 82C06290
Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP 82C06290

---- EOF - GMER 1.0.12 ----

Mr_JAk3 · Jun 12, 2007

Hmm nothing bad there.

Please post a fresh HijackThis log :bigthumb:

mindalter · Jun 13, 2007

I think there is still something infecting the system.
Still takes 30 seconds for system to log into user. And longer then nornmal to launch any application. But it is way better then before when it just was super slow.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 07:25, on 2007-06-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Brad\Desktop\scanner.exe.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe

--
End of file - 7510 bytes

Mr_JAk3 · Jun 13, 2007

Hi

You have SpywareDoctor, AVG Anti-Spyware and Spybot Teatimer running. These all may slow the computer down, try if disabling the shields helps.

Also I can see some Norton leftovers, please run this uninstaller -> link

You don't seem to have a third-party firewall installed. You must install one firewall.
It is possible that you're using the Windows XP firewall. That is of course better than nothing but I recommend that you install a more advanced firewall that gives more protection. Windows firewall doesn't eg protect your computer from inbound threats. This means that any malware on your computer is free to "phone home" for more instructions. Remember to use only one firewall at the same time. I'll give you a few alternatives if you want to install a third-party firewall:

These are good (free) firewalls:

You don't have an antivirus on your computer, you must install one antivirus. Otherwise you'll get infected again.

These are good (free) antiviruses:

Then update the Antivirus you installed and run a full system scan with it.

Then let me know the status :bigthumb:

mindalter · Jun 15, 2007

I cleaned up most of the spyware apps I had running.

Question: should I leave spybot S&D installed? I couldn't figure out how to uninstall or even turn off the TeaTimer. I couldn't find it in my add/remove programs and I couldn't find it in my start list or programs and I couldn't find it if I launched Spybot S&D?

I dl and installed Comodo firewall.

I also dl and installed AVG antivirus and ran the full scan.

It found 4 issues.
first was a backup copy of a Trajan horse Generic4.SLB

and the 3 others were in the Vundofix backup folder.

I tried to export the logs from AVG but they didnt turn out very pretty.
Here they are:

<history>

<rec time="2007/06/15 07:23:36" user="SYSTEM" source="Update">
<value>@HL_UpdateOK</value>
<attr name="version">avi:1041-1024;iavi:860-827;</attr>
</rec>
<rec time="2007/06/15 07:24:04" user="Brad" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2007/06/15 07:26:15" user="Brad" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\Brad\Desktop\backups\backup-20070604-071012-532.dll</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">Generic4.SLB</attr>
</rec>
<rec time="2007/06/15 07:48:19" user="Brad" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\VundoFix Backups\aywyuucu.dll.bad</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">Generic4.SLB</attr>
</rec>
<rec time="2007/06/15 07:48:19" user="Brad" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\VundoFix Backups\hkbvjduw.dll.bad</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">Generic4.SLB</attr>
</rec>
<rec time="2007/06/15 07:48:20" user="Brad" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\VundoFix Backups\tnrvdhtp.dll.bad</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">Generic4.SLB</attr>
</rec>
<rec time="2007/06/15 08:00:17" user="Brad" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2007/06/15 08:04:27" user="Brad" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\Brad\Desktop\backups\backup-20070604-071012-532.dll</attr>
<attr name="type">@EID_Id_trj</attr>
<attr name="what">Generic4.SLB</attr>
</rec>
<rec time="2007/06/15 08:05:10" user="Brad" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">1</attr>
</rec>
<rec time="2007/06/15 08:05:11" user="Brad" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\Documents and Settings\Brad\Desktop\backups\backup-20070604-071012-532.dll</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2007/06/15 08:12:01" user="Brad" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">4</attr>
</rec>
<rec time="2007/06/15 08:12:01" user="Brad" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\Documents and Settings\Brad\Desktop\backups\backup-20070604-071012-532.dll</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2007/06/15 08:12:01" user="Brad" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\VundoFix Backups\aywyuucu.dll.bad</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2007/06/15 08:12:01" user="Brad" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\VundoFix Backups\hkbvjduw.dll.bad</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2007/06/15 08:12:01" user="Brad" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\VundoFix Backups\tnrvdhtp.dll.bad</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
</history>

Smithfraud-C.Toolbar888

New member

New member

Security Expert-Emeritus

New member

Security Expert-Emeritus

New member

Security Expert-Emeritus

New member

New member

Security Expert-Emeritus

New member

Security Expert-Emeritus

New member

New member

New member

New member

Security Expert-Emeritus

New member

Security Expert-Emeritus

New member