0

Ok, so I have a computer mysteriously and quite interestingly infected with the Spyware.Ispynow. The usual "Windows Security Center" Pop-up shows, and when you try to close it, IE7 comes up but immediately crashes itself or freezes the whole computer. I tried running IE7 to download Malwarebytes to scan it, but no luck. The only site that worked was Google, and every search I had resulted in the usual behaviour of redirecting to go.google (and at one point some not so child friendly sites). The wireless won't pick up any connections, so I'm plugged in directly, and the Windows Firewall service is disabled. Also, AVG is being blocked from updating, though that probably doesn't matter too much.

The really weird part is that after retrieving Malwarebytes from my trusty flash drive and downloading HijackThis through Firefox Portable, which by the way, seemed to work normally except that it crashed incredibly often, Malwarebytes would not install. I checked the process list and I saw at least three instances of mbam-setup.exe, I'm guessing from the three times I tried to run it. The one thing I was able to do was open the startup manager and disable some unfamiliar startup entries, which seemed to have suppressed the "Windows Security Center" Pop-up and allowed me to browse for the most part in IE7. Still, it seems to be disabling my firewall and blocking some of my connections.

I already have a HijackThis log that I can post when necessary, and I could attach a list/screenshot of the startup values I disabled as well if that would help.

Thanks in advance for the time, I really appreciate you guys

4 Contributors | 23 Replies | 24 Views | 8 Years Discussion Span | Last Post by gerbil
0

Please post that Hijackthis log, you have more than Ispynow on the machine, I think. Delete the copy of MBAM installer [mbam-setup.exe] from your machine, load in a fresh copy from your flashdrive, rename the MBAM installer to mybam-setup.exe, run it. It should work. Then:
- ensure that it is set to update and start, else start it via the icon.
- Select "Perform Quick Scan", then click Scan; the application will guide you through the remaining steps.
- ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
- If malware has been found [and removed] MBAM will automatically produce a log for you... do not click the Save Logfile button.
- When it completes examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
- Post the Notepad log [it is also saved under Logs tab in MBAM].

0

Ok, I got MBAM to install, but it was like pulling teeth. I renamed the file and was surprised that it even opened, because before, the process would register but I wouldn't even see a window. This time, the window popped up right away with the renamed file, and I thought I was golden. However, the installation process kept freezing. I opened the task manager and noticed that in addition to mymbamsetup.exe, there were several instances of mbam.exe already open, before the installation had completed. After waiting a few minutes to see if it would clear up, I simply killed all of the extra mbam.exe processes, and the installation crept forward to about 80%. I checked the process list again, and two more had popped up. I deleted these, and the program finished installing successfully. I clicked Finish with the Update and Run buttons checked. The install process ended, but mbam.exe reappeared and nothing happened. Of course, killing it this time would be killing the program itself, as there was only one instance. I never found out though, because the computer froze. I restarted and tried to open and run MBAM again, but the same thing happened. I opened in safe mode, and still, the program would not run. So that's where I am now.

I have the option of removing this laptop's hard drive and slaving it. Would that allow MBAM to run the same? I've only ever used it on computers I was working on.

Anyways, that said, here is the HijackThis log

----------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:59 AM, on 12/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ntvdm.exe
G:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe
C:\Documents and Settings\Meredith\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - C:\Program Files\Common\helper.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SonyPowerCfg] "C:\Program Files\Sony\VAIO Power Management\SPMgr.exe"
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1224820913515
O18 - Filter hijack: text/html - {7983b7fb-57b3-4360-8616-c6e6b164031e} - C:\WINDOWS\system32\mst120.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

--
End of file - 10201 bytes


---------------------------------------------------------------------------------
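Added example, not code from the thread or from HijackThis: a small Python triage over the log format above. The sample lines are taken from the posted log; the rules are this example's own heuristics for the entries that stand out there (the O18 text/html filter hijack gerbil picks out next, the O4 autorun of svchost.exe from system32\drivers, the generically named O2 BHO in C:\Program Files\Common, and O23 services whose binary is missing).

```python
import re
from dataclasses import dataclass

# Core Windows binaries that should only start from %SystemRoot%\system32
# (explorer.exe from %SystemRoot%).  Constructed list for this example.
SYSTEM_BINARIES = {"svchost.exe", "winlogon.exe", "lsass.exe", "services.exe",
                   "csrss.exe", "smss.exe", "explorer.exe", "ctfmon.exe"}
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows"}
# BHO display names that carry no product identity (heuristic, not proof).
GENERIC_BHO_NAMES = {"browser helper object", "(no name)", "bho"}

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)', re.IGNORECASE)


@dataclass
class Finding:
    kind: str    # HijackThis section id, e.g. "O4"
    reason: str  # why the line was flagged
    line: str    # the original log line


def split_path(path):
    """Return (directory, filename), both lower-cased, for a Windows path."""
    fdir, _, fname = path.strip().strip('"').rpartition("\\")
    return fdir.lower(), fname.lower()


def triage_line(line):
    """Apply the triage rules to one log line; return a Finding or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")

    if kind == "O18" and body.startswith("Filter hijack:"):
        # A MIME filter sees every document of that type before IE renders
        # it, so a text/html filter in an unknown DLL touches every page.
        mime = body.split(" - ")[0].split(": ", 1)[1]
        return Finding(kind, f"MIME filter hijack for {mime}", line)

    if kind == "O4" and "] " in body:
        exe = EXE_RE.match(body.split("] ", 1)[1])
        if exe:
            fdir, fname = split_path(exe.group("path"))
            # A core Windows binary name autostarted from the wrong
            # directory (here system32\drivers) is a masquerade.
            if fname in SYSTEM_BINARIES and fdir and fdir not in EXPECTED_DIRS:
                return Finding(kind, f"{fname} autorun from {fdir}", line)

    if kind == "O2" and body.startswith("BHO:"):
        parts = body.split(" - ")
        name = parts[0][len("BHO:"):].strip().lower()
        if name in GENERIC_BHO_NAMES:
            return Finding(kind, f"generically named BHO loading {parts[-1]}", line)

    if kind == "O23" and body.endswith("(file missing)"):
        # Orphaned service registration: a leftover, not necessarily malware.
        return Finding(kind, "service binary missing", line)
    return None


def triage(log_text):
    """Run triage_line over a whole log; return the list of Findings."""
    return [f for f in (triage_line(ln) for ln in log_text.splitlines()) if f]


# Constructed sample: a subset of the lines from the HijackThis log above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - C:\Program Files\Common\helper.dll
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O18 - Filter hijack: text/html - {7983b7fb-57b3-4360-8616-c6e6b164031e} - C:\WINDOWS\system32\mst120.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.reason}\n    {f.line.strip()}")
```

ComboFix later removes exactly the helper.dll, drivers\svchost.exe and mst120.dll files these rules pick out, which is the sort of confirmation a triage like this wants before anything is deleted by hand.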

0

whoost, start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O18 - Filter hijack: text/html - {7983b7fb-57b3-4360-8616-c6e6b164031e} - C:\WINDOWS\system32\mst120.dll

Delete C:\WINDOWS\system32\mst120.dll
==Download this file to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
.....or this file: http://subs.geekstogo.com/ComboFix.exe
-IMPORTANT! : disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan. Don't forget to reset them before you go back on the web!
- to run it double-click the Combofix.exe icon and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

0

I found the entry and deleted it and was getting ready to start ComboFix when the computer froze. I restarted and it hung on the welcome screen twice before the third reboot got it back to the desktop. I tried HijackThis again with the presumption that the entry would recreate itself on restart. It did, so I deleted it again and the system reacted normally. But when I tried to start ComboFix it showed the process in task manager but nothing happened again.

I don't know about you, but this hanging game is getting old pretty quick with me.

What do you suppose I do?

Edit:// Apparently this bug hates the Windows Explorer Search Feature as well. I just accidentally hit search in a My Documents window and the whole computer froze again.

0

Restart your sys in Safe Mode, delete that file C:\WINDOWS\system32\mst120.dll, and then run Combofix while still in Safe Mode.

0

It's running in safe mode now, thank god, but I'm getting a message that says:

"Combo Fix has detected that this machine does not have the windows recovery console.

It would be in your BEST INTEREST to have it installed now. Would you like to do so. Note -* This will require an internet connection"

0

We can ignore that. Nice to have it installed though, in any case. Does not take up much disk space. But the installation cd carries it, and is not too inconvenient.

0

ok it detected rootkit activity and rebooted. Should I put it back into safe mode or should I let it start up completely? And is that it? Or will it keep running? Or do I need to start it again?

EDIT:// Perhaps I should stop asking so many questions and just let you help me =p

EDIT:// Ok scratch that. Like I said, getting ahead of myself. It started itself back up already. =p I should be more patient.

0

Yay. Briefly scanning over the results I liked what I saw. I recognized a few of the startup values I had disabled a few days ago in the deleted section. Still I am no expert (or beginner for that matter), and thus I hand it over to you =]

--------------------------------------------------------------------------------------

ComboFix 08-12-01.01 - Meredith 2008-12-01 22:33:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.616 [GMT -6:00]

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Meredith\Application Data\google\runhh6110411.exe
c:\documents and settings\Meredith\nah_log.dat
c:\documents and settings\Meredith\nah_vlfg.exe
c:\program files\Common\helper.dll
c:\program files\Common\helper.sig
c:\windows\setup.exe
c:\windows\system32\drivers\svchost.exe
c:\windows\system32\drivers\TDSSrfpc.sys
c:\windows\system32\mst120.dll
c:\windows\system32\TDSSblal.dat
c:\windows\system32\TDSScshc.dll
c:\windows\system32\TDSSdlpb.dll
c:\windows\system32\TDSSkfkl.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSojtp.dll
c:\windows\system32\TDSSqogd.log
c:\windows\system32\TDSSurev.dll
c:\windows\system32\TDSSwhke.log
c:\windows\system32\TDSSxnyq.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))
.

2008-12-01 20:40 . 2008-12-01 20:49 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-01 20:40 . 2008-12-01 20:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-01 20:40 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-01 20:40 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-01 00:43 . 2008-12-01 07:33 <DIR> d-------- c:\documents and settings\Meredith\Application Data\HouseCall 6.6
2008-12-01 00:43 . 2007-12-24 17:37 138,384 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-11-30 23:52 . 2008-12-01 21:59 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-30 23:52 . 2008-12-01 21:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-30 23:40 . 2008-12-01 21:59 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-30 23:39 . 2008-11-30 23:40 <DIR> d-------- c:\program files\SpywareBlaster
2008-11-30 22:56 . 2008-11-30 22:56 664 --a------ c:\windows\system32\d3d9caps.dat
2008-11-25 18:39 . 2008-12-01 22:34 <DIR> d-------- c:\program files\Common
2008-11-11 17:09 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 17:09 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-10 22:05 . 2008-11-10 22:05 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-11-10 22:03 . 2008-11-10 22:04 <DIR> d-------- c:\windows\system32\drivers\UMDF
2008-11-10 22:03 . 2008-11-10 22:03 <DIR> d-------- C:\38f61e275566562062
2008-11-09 21:20 . 2008-04-14 05:42 10,752 --------- c:\windows\system32\smtpapi.dll
2008-11-09 21:20 . 2008-04-14 05:42 9,728 --------- c:\windows\system32\rwnh.dll
2008-11-09 21:19 . 2006-12-29 00:31 19,569 --a------ c:\windows\000002_.tmp
2008-11-09 21:09 . 2008-11-09 21:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Auslogics
2008-11-09 20:47 . 2008-10-03 11:41 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
2008-11-09 20:47 . 2007-04-17 03:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2008-11-09 20:47 . 2007-03-07 23:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2008-11-09 20:47 . 2008-08-26 01:24 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2008-11-09 20:47 . 2008-08-26 01:24 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2008-11-09 20:47 . 2008-08-26 01:24 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2008-11-09 20:47 . 2008-08-26 01:24 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2008-11-09 20:47 . 2008-08-26 01:24 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2008-11-09 20:47 . 2008-08-25 02:38 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2008-11-09 12:58 . 2008-11-09 12:58 <DIR> dr-h----- C:\MSOCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-01 05:57 --------- d-----w c:\program files\Common Files\AOL
2008-12-01 05:50 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-01 05:49 --------- d-----w c:\program files\Google
2008-12-01 05:48 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-01 05:48 --------- d-----w c:\documents and settings\All Users\Application Data\Napster
2008-12-01 05:47 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-12-01 05:46 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-30 20:12 507,904 ----a-w c:\windows\system32\winlogon.exe
2008-11-30 20:12 295,424 ----a-w c:\windows\system32\termsrv.dll
2008-11-11 04:03 --------- d-----w c:\program files\Windows Media Connect
2008-11-02 04:47 --------- d-----w c:\documents and settings\Meredith\Application Data\AusLogics
2008-11-02 03:44 --------- d-----w c:\program files\Auslogics
2008-10-30 03:01 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-10-30 03:01 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2008-10-30 03:00 --------- d-----w c:\program files\AVG
2008-10-30 03:00 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-10-27 05:03 --------- d-----w c:\documents and settings\Meredith\Application Data\LimeWire
2008-10-25 04:22 --------- d-----w c:\program files\Microsoft Works
2008-10-25 04:22 --------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 03:32 --------- d-----w c:\program files\Java
2008-10-24 03:25 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-10-24 03:23 --------- d-----w c:\program files\Symantec
2008-10-23 02:48 --------- d-----w c:\documents and settings\Meredith\Application Data\Sibelius Software
2008-10-23 02:47 --------- d-----w c:\program files\Musicnotes
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
.

------- Sigcheck -------

2004-08-13 17:01 502784 ea16f83b5e4964c100f6098ce9874927 c:\windows\$NtServicePackUninstall$\winlogon.exe
2008-04-13 18:12 507904 ed0ef0a136dec83df69f04118870003e c:\windows\ServicePackFiles\i386\winlogon.exe
2008-11-30 14:12 507904 3969440ba384d35317dbbdeeaae641ce c:\windows\system32\winlogon.exe

2005-03-10 01:49 295424 c29a5286e64d97385178452d5f307b98 c:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-13 18:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\ServicePackFiles\i386\termsrv.dll
2008-11-30 14:12 295424 63999d0abd8dabfd76a9c07f6e104868 c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-04-05 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-04-05 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-04-05 118784]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-17 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-25 53248]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2006-08-10 217088]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-11 151552]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2006-02-14 176128]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-19 28672]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-26 267064]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-10-29 1234712]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-06-20 17:11 73728 c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= c:\progra~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-10-29 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-29 231704]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB []
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-09-01 226304]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" []
S3 Image Converter video recording monitor for VAIO Entertainment;Image Converter video recording monitor for VAIO Entertainment;c:\program files\Sony\Image Converter 2\IcVzMon.exe [2006-09-15 32768]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c54c8fe1-a62d-11dd-8ae9-0018de2649fa}]
\Shell\AutoRun\command - g:\portableapps\PortableAppsMenu\PortableAppsMenu.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-01 22:35:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSrfpc.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(876)
c:\windows\system32\VESWinlogon.dll
.
Completion time: 2008-12-01 22:36:14
ComboFix-quarantined-files.txt 2008-12-02 04:36:11

Pre-Run: 57,080,131,584 bytes free
Post-Run: 57,076,793,344 bytes free

182 --- E O F --- 2008-11-21 23:00:49
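Added example, not from the thread or from ComboFix: a Python reader for the log format above that cross-checks the "Other Deletions" list against the registry service keys ComboFix prints with an imagepath, and reads the Security Center notify values under "Reg Loading Points". The sample lines are taken from the log above, except the mbamswissarmy service key, which is constructed to show a service that is not flagged.

```python
import re

SECTION_RE = re.compile(r"^\(+\s*(?P<name>.*?)\s*\)+$")      # ((( Name )))
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")                 # [HKEY_...]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')   # "name"=value
# Windows Security Center values that silence its balloon warnings.
NOTIFY_VALUES = {"antivirusdisablenotify", "firewalldisablenotify",
                 "updatesdisablenotify"}


def parse_combofix(text):
    """Return (deleted_names, registry) from ComboFix log text.

    deleted_names: lower-cased file names listed under "Other Deletions".
    registry: lower-cased key path -> {lower-cased value name: raw value}.
    """
    deleted, registry = set(), {}
    section, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        sm = SECTION_RE.match(line)
        if sm:                                   # new ((( section )))
            section, key = sm.group("name").lower(), None
            continue
        if section == "other deletions" and ":\\" in line:
            deleted.add(line.rpartition("\\")[2].lower())
            continue
        km = KEY_RE.match(line)
        if km:                                   # [registry key] header
            key = km.group("key").lower()
            registry.setdefault(key, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and key is not None:               # "name"=value under key
            registry[key][vm.group("name").lower()] = vm.group("value").strip().strip('"')
    return deleted, registry


def triage(text):
    """Return human-readable findings for one ComboFix log."""
    deleted, registry = parse_combofix(text)
    findings = []
    for key, values in registry.items():
        # A service/driver key whose imagepath names a file ComboFix has just
        # deleted is a leftover registration: the loader still tries it at
        # boot, and it is what a follow-up script has to remove.
        if "\\services\\" in key and "imagepath" in values:
            driver = values["imagepath"].rpartition("\\")[2].lower()
            if driver in deleted:
                findings.append(f"{key} still points at deleted driver {driver}")
        # Only the top-level Security Center key is checked: the
        # Monitoring\<Vendor> subkeys with DisableMonitoring are normally
        # written by the vendor product itself and are not tampering evidence.
        if key.endswith("\\security center"):
            for name in sorted(NOTIFY_VALUES & set(values)):
                if values[name].lower() == "dword:00000001":
                    findings.append(f"Security Center warning suppressed: {name}=1")
    return findings


# Constructed sample: lines from the ComboFix log above plus one made-up
# (clean) service key, mbamswissarmy, so the cross-check has a negative case.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common\helper.dll
c:\windows\system32\drivers\svchost.exe
c:\windows\system32\drivers\TDSSrfpc.sys
c:\windows\system32\mst120.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSrfpc.sys"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mbamswissarmy]
"imagepath"="\systemroot\system32\drivers\mbamswissarmy.sys"
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The orphaned TDSSserv.sys registration this finds is the one thing the first ComboFix pass left behind, and it is what the CFScript further down removes.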

0

K, as I thought, there was a rootkit attached to that spyware, which hid it.
I must stop for 20 mins, will get back to you within the half hour.

0

ah, no worries. Take your time, I'm headed to sleep in a moment anyways. I'll check back tomorrow morning and see how things are going.

Thank you very much for your help, I was thoroughly impressed with your quick response time =]

0

Nice!
==Again please disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan:
Copy the text in the box to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to your desktop.

Killall::

File::
C:\WINDOWS\system32\drivers\TDSSrfpc.sys
c:\windows\000002_.tmp

Driver::
TDSSrfpc

Service::
TDSSSERV

Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv.sys]

Good. Now drag the CFScript.txt icon onto the Combofix icon on your desktop. Combofix will start, let it run, if your firewall prompts then allow all; post the log.
And could you now try to install and run MBAM, please? Update and run the Quick scan.

0

ComboFix 08-12-01.01 - Meredith 2008-12-02 17:28:14.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.530 [GMT -6:00]
Running from: c:\documents and settings\Meredith\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Meredith\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\000002_.tmp
c:\windows\system32\drivers\TDSSrfpc.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\000002_.tmp

.
((((((((((((((((((((((((( Files Created from 2008-11-02 to 2008-12-02 )))))))))))))))))))))))))))))))
.

2008-12-01 20:40 . 2008-12-01 20:49 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-01 20:40 . 2008-12-01 20:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-01 20:40 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-01 20:40 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-01 00:43 . 2008-12-01 07:33 <DIR> d-------- c:\documents and settings\Meredith\Application Data\HouseCall 6.6
2008-12-01 00:43 . 2007-12-24 17:37 138,384 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-11-30 23:52 . 2008-12-01 21:59 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-30 23:52 . 2008-12-01 21:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-30 23:40 . 2008-12-01 21:59 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-30 23:39 . 2008-11-30 23:40 <DIR> d-------- c:\program files\SpywareBlaster
2008-11-30 22:56 . 2008-11-30 22:56 664 --a------ c:\windows\system32\d3d9caps.dat
2008-11-25 18:39 . 2008-12-01 22:34 <DIR> d-------- c:\program files\Common
2008-11-11 17:09 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 17:09 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-10 22:05 . 2008-11-10 22:05 <DIR> d-------- c:\program files\Windows Media Connect 2
2008-11-10 22:03 . 2008-11-10 22:04 <DIR> d-------- c:\windows\system32\drivers\UMDF
2008-11-10 22:03 . 2008-11-10 22:03 <DIR> d-------- C:\38f61e275566562062
2008-11-09 21:20 . 2008-04-14 05:42 10,752 --------- c:\windows\system32\smtpapi.dll
2008-11-09 21:20 . 2008-04-14 05:42 9,728 --------- c:\windows\system32\rwnh.dll
2008-11-09 21:09 . 2008-11-09 21:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Auslogics
2008-11-09 20:47 . 2008-10-03 11:41 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
2008-11-09 20:47 . 2007-04-17 03:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2008-11-09 20:47 . 2007-03-07 23:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2008-11-09 20:47 . 2008-08-26 01:24 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2008-11-09 20:47 . 2008-08-26 01:24 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2008-11-09 20:47 . 2008-08-26 01:24 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2008-11-09 20:47 . 2008-08-26 01:24 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2008-11-09 20:47 . 2008-08-26 01:24 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2008-11-09 20:47 . 2008-08-25 02:38 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2008-11-09 12:58 . 2008-11-09 12:58 <DIR> dr-h----- C:\MSOCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-01 05:57 --------- d-----w c:\program files\Common Files\AOL
2008-12-01 05:50 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-01 05:49 --------- d-----w c:\program files\Google
2008-12-01 05:48 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-01 05:48 --------- d-----w c:\documents and settings\All Users\Application Data\Napster
2008-12-01 05:47 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-12-01 05:46 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-11 04:03 --------- d-----w c:\program files\Windows Media Connect
2008-11-02 04:47 --------- d-----w c:\documents and settings\Meredith\Application Data\AusLogics
2008-11-02 03:44 --------- d-----w c:\program files\Auslogics
2008-10-30 03:01 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-10-30 03:00 --------- d-----w c:\program files\AVG
2008-10-30 03:00 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-10-27 05:03 --------- d-----w c:\documents and settings\Meredith\Application Data\LimeWire
2008-10-25 04:22 --------- d-----w c:\program files\Microsoft Works
2008-10-25 04:22 --------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 03:32 --------- d-----w c:\program files\Java
2008-10-24 03:25 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-10-24 03:23 --------- d-----w c:\program files\Symantec
2008-10-23 02:48 --------- d-----w c:\documents and settings\Meredith\Application Data\Sibelius Software
2008-10-23 02:47 --------- d-----w c:\program files\Musicnotes
.

------- Sigcheck -------

2004-08-13 17:01 502784 ea16f83b5e4964c100f6098ce9874927 c:\windows\$NtServicePackUninstall$\winlogon.exe
2008-04-13 18:12 507904 ed0ef0a136dec83df69f04118870003e c:\windows\ServicePackFiles\i386\winlogon.exe
2008-11-30 14:12 507904 3969440ba384d35317dbbdeeaae641ce c:\windows\system32\winlogon.exe

2005-03-10 01:49 295424 c29a5286e64d97385178452d5f307b98 c:\windows\$NtServicePackUninstall$\termsrv.dll
2008-04-13 18:12 295424 ff3477c03be7201c294c35f684b3479f c:\windows\ServicePackFiles\i386\termsrv.dll
2008-11-30 14:12 295424 63999d0abd8dabfd76a9c07f6e104868 c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((( snapshot@2008-12-01_22.35.53.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-02 23:30:26 16,384 ----atw c:\windows\temp\Perflib_Perfdata_770.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-04-05 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-04-05 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-04-05 118784]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-17 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-25 53248]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2006-08-10 217088]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-11 151552]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2006-02-14 176128]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-19 28672]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-26 267064]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-10-29 1234712]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-06-20 17:11 73728 c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= c:\progra~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-10-29 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-29 231704]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB []
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-09-01 226304]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" []
S3 Image Converter video recording monitor for VAIO Entertainment;Image Converter video recording monitor for VAIO Entertainment;c:\program files\Sony\Image Converter 2\IcVzMon.exe [2006-09-15 32768]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c54c8fe1-a62d-11dd-8ae9-0018de2649fa}]
\Shell\AutoRun\command - g:\portableapps\PortableAppsMenu\PortableAppsMenu.exe
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-02 17:30:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\windows\system32\VESWinlogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\windows\system32\dllhost.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Apoint\ApntEx.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-12-02 17:34:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-02 23:34:25
ComboFix2.txt 2008-12-02 23:16:29
ComboFix3.txt 2008-12-02 04:36:15

Pre-Run: 57,059,033,088 bytes free
Post-Run: 57,044,090,880 bytes free

180 --- E O F --- 2008-11-21 23:00:49


---------------------------------------------------------------------------------

MBAM installed wonderfully; the quick scan log is as follows:


Malwarebytes' Anti-Malware 1.30
Database version: 1450
Windows 5.1.2600 Service Pack 3

12/2/2008 6:36:19 PM
mbam-log-2008-12-02 (18-36-19).txt

Scan type: Quick Scan
Objects scanned: 54314
Time elapsed: 5 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Meredith\Application Data\Google\mscscc.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

0

Sweet. How are things now?
Run this: Go Start, paste in:
combofix /u
- this will uninstall combofix and remove quarantined files.
Post a final hijackthis log.

0

Everything seems to be running fine :)

-----------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:29 PM, on 12/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Meredith\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SonyPowerCfg] "C:\Program Files\Sony\VAIO Power Management\SPMgr.exe"
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1224820913515
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

--
End of file - 9613 bytes

0

Beautiful. Well, the processes in the first hijackthis log that were causing problems are gone, which is good.

Just wait for Crunchie or judy, or even gerbil, and one of them, if not all of them, will confirm whether the log is clean. If not, they will recommend the necessary actions to be taken.

At least it has fixed the previous problem :)

Cohen :)

0

done =]. Post new logs?

0

No, that should be all, whoost. Play safe out there... :)
Basically, there should be no need to have anything in the internet trusted zone because that bypasses certificate checking. Safe sites are safe by definition, so no need to have them in there.

0
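The final HijackThis log above is read by the helpers for a handful of line types (O4 Run entries, O15 Trusted Zone entries, O20 AppInit_DLLs, O23 services), and the last reply singles out the O15 trusted-zone entry. The script below is an added example, not part of the thread and not HijackThis or ComboFix code: it parses those line types from a log in the posted format and flags the entries a reviewer would check; its sample input is a constructed excerpt of lines in the same format, and the regular expressions and category names are my own.

```python
"""Triage a HijackThis log for the entries the helpers in this thread react to.

Added example; it is not part of the thread and not HijackThis or ComboFix code.
SAMPLE_LOG is a constructed excerpt in the same format as the log posted above.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
import re

# "O15 - Trusted Zone: http://*.trymedia.com (HKLM)"
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<pattern>\S+)(?: \((?P<hive>\w+)\))?$")
# "O20 - AppInit_DLLs: avgrsstx.dll"
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
# "O23 - Service: <display name> - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# "O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


@dataclass(frozen=True)
class Finding:
    kind: str    # short tag for the review category (names are my own)
    detail: str  # the specific entry for the reviewer to look at


def triage(log_text: str) -> list[Finding]:
    """Return the log entries a reviewer should look at, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O15_RE.match(line):
            # A Trusted Zone entry relaxes IE's security settings for that site;
            # the thread's advice is that a clean machine needs none of these.
            findings.append(Finding("trusted_zone", m.group("pattern")))
        elif m := O20_RE.match(line):
            # AppInit_DLLs are loaded into every process that loads user32.dll,
            # so each DLL listed deserves an owner check (AVG's avgrsstx.dll is benign).
            findings.append(Finding("appinit_dll", m.group("dlls")))
        elif m := O23_RE.match(line):
            if m.group("path").endswith("(file missing)"):
                # A registered service whose binary is gone: leftover of an
                # uninstall, or of a removal tool deleting the file first.
                findings.append(Finding("service_file_missing", m.group("name")))
            elif m.group("owner") == "Unknown owner":
                # No publisher in the file's version info: verify it by hand.
                findings.append(Finding("service_unknown_owner", m.group("name")))
        elif m := O4_RE.match(line):
            if "\\" not in m.group("cmd"):
                # A bare file name is resolved through the search path, so the
                # log alone cannot tell which file actually runs at logon.
                findings.append(Finding("run_entry_bare_name",
                                        f"{m.group('name')}: {m.group('cmd')}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category."""
    return dict(Counter(f.kind for f in findings))


# Constructed excerpt: lines in the same format as the posted HijackThis log.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:24} {f.detail}")
    print(summarize(found))
```

Flagged entries are review prompts, not verdicts: the thread's own log shows AVG's AppInit DLL and two "file missing" Symantec/Viewpoint leftovers that the helpers judged harmless.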

Thank you all, very very much =]. Oh, I do play safe; this was caused while I was away and not on my own computer, and I will be having a little chitchat with the culprit, though it's still unclear where exactly this mishap came from. By the way, Windows Firewall was disabled during this predicament because the firewall is controlled by the registry, right? Since obviously my best efforts to teach safe computer habits are not fool-proof ('build a better idiot' and whatnot), could you tell me if you deem it necessary to install a third-party firewall, and if so, which one?

1

Sure. I use Comodo Firewall Pro [it's free... they get their money from certifying secure sites]... but it will drive the casual puter user nuts. It is very comprehensive, possibly the best; you can spend hours working out its capabilities, and it is not set n ferget. But it is very good.
ZoneAlarm is good, and not demanding at all.
I can only speak from personal experience... I am not a reviewer; these are things I use/have used.

Votes + Comments
excellent dedication and speediest response I've ever been given
0

Lovely. Yes, Comodo was quite the adventure when I tried it. I loved the control it had so much, especially the learning feature, but it drove my brothers crazy. Luckily, you seemed to anticipate this and mentioned ZoneAlarm, which was exactly what I was looking for. I appreciate (and trust) your recommendation, certainly =]. Thanks again for the time and dedication.
