Weird case of Ispynow
Thread Solved
Ok, so I have a computer mysteriously and quite interestingly infected with Spyware.Ispynow. The usual "Windows Security Center" pop-up shows, and when you try to close it, IE7 comes up but immediately crashes itself or freezes the whole computer. I tried running IE7 to download Malwarebytes to scan it, but no luck. The only site that worked was Google, and every search I had resulted in the usual behaviour of redirecting to go.google (and at one point some not so child-friendly sites). The wireless won't pick up any connections, so I'm plugged in directly, and the Windows Firewall service is disabled. Also, AVG is being blocked from updating, though that probably doesn't matter too much.
The really weird part is that after retrieving Malwarebytes from my trusty flash drive and downloading HijackThis through Firefox Portable, which, by the way, seemed to work normally except that it crashed incredibly often, Malwarebytes would not install. I checked the process list and I saw at least three instances of mbam-setup.exe, I'm guessing from the three times I tried to run it. The one thing I was able to do was open the startup manager and disable some unfamiliar startup entries, which seemed to have suppressed the "Windows Security Center" pop-up and allowed me to browse for the most part in IE7. Still, it seems to be disabling my firewall and blocking some of my connections.
I already have a HijackThis log that I can post when necessary, and I could attach a list/screenshot of the startup values I disabled as well if that would help.
Thanks in advance for the time, I really appreciate you guys.
Join Date: May 2005
Posts: 3,204
Solved Threads: 188
Please post that HijackThis log; you have more than Ispynow on the machine, I think. Delete the copy of the MBAM installer [mbam-setup.exe] from your machine, load in a fresh copy from your flashdrive, rename the MBAM installer to mybam-setup.exe, run it. It should work. Then:
-ensure that it is set to update and start, else start it via the icon.
Select "Perform Quick Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you... do not click the Save Logfile button.
When it completes examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Post the Notepad log [it is also saved under Logs tab in MBAM].
Deep, deep in the woods, but walking about.
Ok, I got MBAM to install, but it was like pulling teeth. I renamed the file and was surprised that it even opened, because before, the process would register but I wouldn't even see a window. This time, the window popped up right away with the renamed file, and I thought I was golden. However, the installation process kept freezing. I opened the task manager and noticed that in addition to mymbamsetup.exe, there were several instances of mbam.exe already open, before the installation had completed. After waiting a few minutes to see if it would clear up, I simply killed all of the extra mbam.exe processes, and the installation crept forward to about 80%. I checked the process list again, and two more had popped up. I deleted these, and the program finished installing successfully. I clicked Finish with the Update and Run buttons checked. The install process ended, but mbam.exe reappeared and nothing happened. Of course, killing it this time would be killing the program itself, as there was only one instance. I never found out though, because the computer froze. I restarted and tried to open and run MBAM again, but the same thing happened. I opened in safe mode, and still, the program would not run. So that's where I am now.
I have the option of removing this laptop's hard drive and slaving it. Would that allow MBAM to run the same? I've only ever used it on computers I was working on.
Anyways, that said, here is the HijackThis log
----------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:59 AM, on 12/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ntvdm.exe
G:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe
C:\Documents and Settings\Meredith\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - C:\Program Files\Common\helper.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SonyPowerCfg] "C:\Program Files\Sony\VAIO Power Management\SPMgr.exe"
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1224820913515
O18 - Filter hijack: text/html - {7983b7fb-57b3-4360-8616-c6e6b164031e} - C:\WINDOWS\system32\mst120.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
--
End of file - 10201 bytes
---------------------------------------------------------------------------------
Last edited by whoost; Dec 1st, 2008 at 11:08 pm.
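The HijackThis log above contains the three entries that matter (an O4 Run key pointing at a svchost.exe under system32\drivers, an O2 BHO with the generic default name loading from C:\Program Files\Common, and an O18 text/html filter DLL), buried among dozens of legitimate Sony, Intel, Apple and AVG entries. The following is an added example, not code from the thread or from HijackThis itself: a small Python triage that applies the checks a helper does by eye to a handful of lines excerpted from the posted log. The rule set, the severity labels and the list of "core" Windows binaries are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines excerpted from the HijackThis log posted above,
# chosen so that each triage rule below fires at least once.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - C:\Program Files\Common\helper.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O18 - Filter hijack: text/html - {7983b7fb-57b3-4360-8616-c6e6b164031e} - C:\WINDOWS\system32\mst120.dll
O20 - AppInit_DLLs: avgrsstx.dll
"""

# Windows binaries that only live in the system directories on XP; the same
# name anywhere else (here: system32\drivers) is a classic masquerade.
# Assumed list for this example.
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
CORE_DIRS = {r"c:\windows", r"c:\windows\system32"}


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    severity: str  # "high", "medium" or "low" (this example's own scale)
    reason: str
    line: str      # the log line that triggered the rule


def _target(section: str, body: str) -> str:
    """Return the file an entry points at, as HijackThis prints it."""
    if section == "O4":
        m = re.search(r"\]\s*(.*)$", body)
        arg = m.group(1).strip() if m else ""
        if arg.startswith('"'):               # quoted path; flags follow the closing quote
            return arg[1:].split('"', 1)[0]
        return re.split(r"\s+/", arg)[0]      # unquoted path; drop trailing " /flag" tokens
    if section == "O20":
        return body.split(":", 1)[1].strip()  # "AppInit_DLLs: name.dll"
    return body.rsplit(" - ", 1)[-1].strip()  # O2 / O18: the path is the last field


def triage(log_text: str) -> list:
    """Apply the rules to every O-line and return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = re.match(r"^(O\d+|R\d)\s+-\s+(.*)$", raw)
        if not m:
            continue
        section, body = m.groups()
        folder, _, base = _target(section, body).lower().rpartition("\\")
        if section == "O18":
            findings.append(Finding(section, "high",
                            "text/html MIME filter registered: IE filter hijack", raw))
        elif section == "O4" and base in CORE_BINARIES and folder not in CORE_DIRS:
            where = folder or "(no path)"
            findings.append(Finding(section, "high",
                            f"{base} loaded from {where} rather than a system directory", raw))
        elif section == "O4" and not folder:
            findings.append(Finding(section, "low",
                            "Run entry with an unqualified filename; confirm what it resolves to", raw))
        elif section == "O2" and body.startswith("BHO: Browser Helper Object -"):
            findings.append(Finding(section, "medium",
                            "BHO left with the generic default name; verify the DLL's publisher", raw))
        elif section == "O20":
            findings.append(Finding(section, "medium",
                            f"AppInit_DLLs loads {base} into every GUI process; confirm it belongs to installed software", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

Run against the sample, the two high findings are exactly the lines gerbil asked to have fixed (the O18 filter) and the per-user svchost.exe in the drivers folder, which ComboFix later deleted; the generic-name BHO from C:\Program Files\Common is the helper.dll that also turns up in the deletions list. The AVG AppInit_DLLs entry and the bare SkyTel.EXE are flagged only for a manual look, which is the right level for a log where most entries are vendor bloat.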
whoost, start HijackThis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O18 - Filter hijack: text/html - {7983b7fb-57b3-4360-8616-c6e6b164031e} - C:\WINDOWS\system32\mst120.dll
Delete C:\WINDOWS\system32\mst120.dll
==Download this file to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
.....or this file: http://subs.geekstogo.com/ComboFix.exe
-IMPORTANT! : disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan. Don't forget to reset them before you go back on the web!
- to run it, double-click the ComboFix.exe icon and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
Last edited by gerbil; Dec 1st, 2008 at 11:39 pm.
Deep, deep in the woods, but walking about.
I found the entry and deleted it and was getting ready to start ComboFix when the computer froze. I restarted and it hung on the welcome screen twice before the third reboot got it back to the desktop. I tried HijackThis again with the presumption that the entry would recreate itself on restart. It did, so I deleted it again and the system reacted normally. But when I tried to start ComboFix it showed the process in task manager but nothing happened again.
I don't know about you, but this hanging game is getting old pretty quick with me.
What do you suppose I do?
Edit:// Apparently this bug hates the Windows Explorer search feature as well. I just accidentally hit search in a My Documents window and the whole computer froze again.
Last edited by whoost; Dec 2nd, 2008 at 12:06 am. Reason: crashed again
It's running in safe mode now, thank god, but I'm getting a message that says:
"Combo Fix has detected that this machine does not have the windows recovery console.
It would be in your BEST INTEREST to have it installed now. Would you like to do so. Note -* This will require an internet connection"
OK, it detected rootkit activity and rebooted. Should I put it back into safe mode or should I let it start up completely? And is that it? Or will it keep running? Or do I need to start it again?
EDIT:// Perhaps I should stop asking so many questions and just let you help me =p
EDIT:// Ok scratch that. Like I said, getting ahead of myself. It started itself back up already. =p I should be more patient.
Last edited by whoost; Dec 2nd, 2008 at 12:34 am. Reason: I'm stupid and impatient
Yay. Briefly scanning over the results I liked what I saw. I recognized a few of the startup values I had disabled a few days ago in the deleted section. Still I am no expert (or beginner for that matter), and thus I hand it over to you =]
--------------------------------------------------------------------------------------
ComboFix 08-12-01.01 - Meredith 2008-12-01 22:33:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.616 [GMT -6:00]
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Meredith\Application Data\google\runhh6110411.exe
c:\documents and settings\Meredith\nah_log.dat
c:\documents and settings\Meredith\nah_vlfg.exe
c:\program files\Common\helper.dll
c:\program files\Common\helper.sig
c:\windows\setup.exe
c:\windows\system32\drivers\svchost.exe
c:\windows\system32\drivers\TDSSrfpc.sys
c:\windows\system32\mst120.dll
c:\windows\system32\TDSSblal.dat
c:\windows\system32\TDSScshc.dll
c:\windows\system32\TDSSdlpb.dll
c:\windows\system32\TDSSkfkl.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSojtp.dll
c:\windows\system32\TDSSqogd.log
c:\windows\system32\TDSSurev.dll
c:\windows\system32\TDSSwhke.log
c:\windows\system32\TDSSxnyq.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS
((((((((((((((((((((((((( Files Created from 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))
.
2008-12-01 20:40 . 2008-12-01 20:49 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-01 20:40 . 2008-12-01 20:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-01 20:40 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-01 20:40 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-01 00:43 . 2008-12-01 07:33 <DIR> d-------- c:\documents and settings\Meredith\Application Data\HouseCall 6.6
2008-12-01 00:43 . 2007-12-24 17:37 138,384 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-11-30 23:52 . 2008-12-01 21:59 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-30 23:52 . 2008-12-01 21:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-30 23:40 . 2008-12-01 21:59 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-30 23:39 . 2008-11-30 23:40 <DIR> d-------- c:\program files\SpywareBlaster
2008-11-30 22:56 . 2008-11-30 22:56 664 --a------ c:\windows\system32\d3d9caps.dat
2008-11-25 18:39 . 2008-12-01 22:34 <DIR> d-------- c:\program files\Common
2008-11-11 17:09 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 17:09 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-10 22:05 . 2008-11-10 22:05 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-11-10 22:03 . 2008-11-10 22:04 <DIR> d-------- c:\windows\system32\drivers\UMDF
2008-11-10 22:03 . 2008-11-10 22:03 <DIR> d-------- C:\38f61e275566562062
2008-11-09 21:20 . 2008-04-14 05:42 10,752 --------- c:\windows\system32\smtpapi.dll
2008-11-09 21:20 . 2008-04-14 05:42 9,728 --------- c:\windows\system32\rwnh.dll
2008-11-09 21:19 . 2006-12-29 00:31 19,569 --a------ c:\windows\000002_.tmp
2008-11-09 21:09 . 2008-11-09 21:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Auslogics
2008-11-09 20:47 . 2008-10-03 11:41 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
2008-11-09 20:47 . 2007-04-17 03:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2008-11-09 20:47 . 2007-03-07 23:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2008-11-09 20:47 . 2008-08-26 01:24 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2008-11-09 20:47 . 2008-08-26 01:24 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2008-11-09 20:47 . 2008-08-26 01:24 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2008-11-09 20:47 . 2008-08-26 01:24 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2008-11-09 20:47 . 2008-08-26 01:24 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2008-11-09 20:47 . 2008-08-25 02:38 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2008-11-09 12:58 . 2008-11-09 12:58 <DIR> dr-h----- C:\MSOCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-01 05:57 --------- d-----w c:\program files\Common Files\AOL
2008-12-01 05:50 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-01 05:49 --------- d-----w c:\program files\Google
2008-12-01 05:48 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-01 05:48 --------- d-----w c:\documents and settings\All Users\Application Data\Napster
2008-12-01 05:47 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-12-01 05:46 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-30 20:12 507,904 ----a-w c:\windows\system32\winlogon.exe
2008-11-30 20:12 295,424 ----a-w c:\windows\system32\termsrv.dll
2008-11-11 04:03 --------- d-----w c:\program files\Windows Media Connect
2008-11-02 04:47 --------- d-----w c:\documents and settings\Meredith\Application Data\AusLogics
2008-11-02 03:44 --------- d-----w c:\program files\Auslogics
2008-10-30 03:01 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-10-30 03:01 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2008-10-30 03:00 --------- d-----w c:\program files\AVG
2008-10-30 03:00 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-10-27 05:03 --------- d-----w c:\documents and settings\Meredith\Application Data\LimeWire
2008-10-25 04:22 --------- d-----w c:\program files\Microsoft Works
2008-10-25 04:22 --------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 03:32 --------- d-----w c:\program files\Java
2008-10-24 03:25 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-10-24 03:23 --------- d-----w c:\program files\Symantec
2008-10-23 02:48 --------- d-----w c:\documents and settings\Meredith\Application Data\Sibelius Software
2008-10-23 02:47 --------- d-----w c:\program files\Musicnotes
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
.
------- Sigcheck -------
2004-08-13 17:01 502784 ea16f83b5e4964c100f6098ce9874927 c:\windows\$NtServicePackUninstall$\winlogon.exe
2008-04-13 18:12 507904 ed0ef0a136dec83df69f04118870003e c:\windows\ServicePackFiles\i386\winlogon.exe
2008-11-30 14:12 507904 3969440ba384d35317dbbdeeaae641ce c:\windows\system32\winlogon.exe
2005-03-10 01:49 295424 c29a5286e64d97385178452d5f307b98 c:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-13 18:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\ServicePackFiles\i386\termsrv.dll
2008-11-30 14:12 295424 63999d0abd8dabfd76a9c07f6e104868 c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-04-05 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-04-05 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-04-05 118784]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-17 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-25 53248]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2006-08-10 217088]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-11 151552]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2006-02-14 176128]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-19 28672]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-26 267064]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-10-29 1234712]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-06-20 17:11 73728 c:\windows\system32\VESWinlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= c:\progra~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-10-29 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-29 231704]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB []
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-09-01 226304]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" []
S3 Image Converter video recording monitor for VAIO Entertainment;Image Converter video recording monitor for VAIO Entertainment;c:\program files\Sony\Image Converter 2\IcVzMon.exe [2006-09-15 32768]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c54c8fe1-a62d-11dd-8ae9-0018de2649fa}]
\Shell\AutoRun\command - g:\portableapps\PortableAppsMenu\PortableAppsMenu.exe
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-01 22:35:29
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSrfpc.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(876)
c:\windows\system32\VESWinlogon.dll
.
Completion time: 2008-12-01 22:36:14
ComboFix-quarantined-files.txt 2008-12-02 04:36:11
Pre-Run: 57,080,131,584 bytes free
Post-Run: 57,076,793,344 bytes free
182 --- E O F --- 2008-11-21 23:00:49