HELP!!! Virus completely locked me out

Discussion in 'Computer Security' started by ih8puters, Jun 17, 2008.

Thread Status:
Not open for further replies.
  1. ih8puters

    ih8puters New Member

    Messages:
    25
    Yesterday I found out my computer was infected with spyware and a trojan virus. I use Norton 360 which did not detect anything. My cable company actually sent me a message saying my internet settings were changed by a virus and that I needed to run my antivirus/spyware protection software. I ran norton which said it removed something but my computer was still acting funny. I downloaded AVG which I've used in the past and it found other items which were removed. My computer ran progressivly slower and slower. I could not press ctrl, alt, delete as I get a message saying the administrator has it locked. I restarted my computer and now I get a login screen saying the computer has been locked by it's administrator and will not allow me to do anything. PLEASE HELP ME. I have absolutely no idea what I am doing. I am a real estate investor and desperately need the files stored on this computer.

    Thank you
     
  2. G25r8cer

    G25r8cer Active Member

    Messages:
    6,261
    Have you tried booting into safe mode? When the bios page (page that says your pc make) appears repeatedly hit F8 key until a black page appears. Hit the arrow down key until "safe mode (no network)" is highlighted and hit "enter".
     
  3. PCC_Australia

    PCC_Australia New Member

    Messages:
    74
    Sounds quite odd to say the least. You are the administrator of your computer aren't you? and you can remember the password? If not try the Windows defaults:

    username: administrator or admin

    leave the password field blank and hit ok or enter on your keyboard.

    As for the Virus. Sometimes after a scan is completed and results are returned, it is good to take a look at the paths of the infected files and manually navigate to the folder where the assumed infected file is found and manually delete that file.

    Let us know how you go, as far as accessing your desktop etc.
     
  4. G25r8cer

    G25r8cer Active Member

    Messages:
    6,261
    Also. If you have both AVG and Norton installed that is BAD. You need to get rid of one of them. I recommend sticking with AVG and dump norton. Un-install norton once you get into safe mode.
     
  5. ih8puters

    ih8puters New Member

    Messages:
    25
    Thank you very much for the quick reply. At the log-in screen I couldn't type anything it was "grayed" out. I rebooted the computer pressing f8 as suggested by one of the previous posts. I now have AVG running another scan and it has picked up a lot of stuff. The only thing I recognize is trojan.....I see Trojan.bomka , trojan.killproc.h , trojan.goldun.u , trojan. conhook.b , trojan.Zlob.f , Trojan.PWS.cu , etc. My computer has always ran fine until this happened yesterday. AVG has identified a lot of stuff but I'm completely ignorant about this. How do I know what I'm dealing with to even begin to remove it.
     
  6. PCC_Australia

    PCC_Australia New Member

    Messages:
    74
    You can generally look up the definitions on any known good Anti Virus manufacturers website.

    Personally, i just type the name of the virus into a google search and see whether or not the virus attaches itself to a program or frequently used file within Windows itself.

    If you are unsure if the file is used alot and is a core component of daily software activites, just quarantine the file to be sure.

    Hope this helps
     
  7. ih8puters

    ih8puters New Member

    Messages:
    25
    is it possible to get so many virus' at once? My computer was fine until yesterday. Now AVG has a HUGE list of things
     
  8. ceewi1

    ceewi1 VIP Member

    Messages:
    5,426
    Post a HijackThis log:

    Please download the HijackThis installer from http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe.

    Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

    Click Do a system scan and save a logfile

    When the Notepad window opens choose Edit -> Select All to select the entire log, and copy and paste the log into a reply post.
    Most of what it lists will be harmless or even essential, don't fix anything yet.
     
  9. ceewi1

    ceewi1 VIP Member

    Messages:
    5,426
    Yes, it's not unusual for an infection to download reinforcements. I suggest you spend as little time on the Internet as possible with the infected machine.
     
  10. ih8puters

    ih8puters New Member

    Messages:
    25
    Working on that now. I will post results ASAP
     
  11. ih8puters

    ih8puters New Member

    Messages:
    25
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:16:40 PM, on 6/16/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\Rundll32.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\InterMute\SpySubtract\SpySub.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\AVG\AVG8\avgui.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
    O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
    O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
    O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
    O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
    O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
    O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
    O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
    O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
    O2 - BHO: targetedbanner browser optimizer - {605ce638-5c90-784e-e4e9-df9f4fc8b7f9} - C:\WINDOWS\system32\{c95a7f07-3e28-79a2-1747-96faf47f0e44}.dll
    O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
    O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
    O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
    O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
    O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
    O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
    O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
    O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e0} - (no file)
    O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
    O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
    O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
    O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
    O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
    O3 - Toolbar: Seekmo Toolbar - {53E0B6E8-A51D-448B-B692-40B67B285543} - C:\Program Files\Seekmo Programs\Seekmo Toolbar\SeekmoTB.dll (file missing)
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [VZRemoteCommander] C:\Program Files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [{ae452549-24f2-e1b4-220c-e7679ad1abb7}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{c95a7f07-3e28-79a2-1747-96faf47f0e44}.dll" DllStart
    O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [GetModule18] "C:\Program Files\GetModule\GetModule18.exe"
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
    O23 - Service: VAIO Entertainment Task Scheduler - Sony Corporation - C:\Program Files\Sony\vaio entertainment\VzTaskScheduler.exe
    O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
    O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
    O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
    O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
    O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
    O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

    --
    End of file - 13600 bytes
     
  12. ceewi1

    ceewi1 VIP Member

    Messages:
    5,426
    Your system is quite badly infected.

    Please download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to C:\SDFix

    You may wish to print out these instructions or copy them to a notepad document since you will be unable to access the Internet while in Safe Mode to read from this site.

    Please then reboot your computer in Safe Mode (tap F8 just before Windows starts to load and select Safe Mode from the list).
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Paste the contents of the Report.txt back on the forum in your next reply.

    Please visit this webpage for instructions for downloading and running ComboFix:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

    Please post
    • The SDFix log
    • The ComboFix log
    • A new HijackThis log
     
  13. ih8puters

    ih8puters New Member

    Messages:
    25
    Working on that now. Thank you very much for your help. Is this something that is going to be "saveable?" I was in a chat room with someone that told me to just reinstall windows.
     
  14. ih8puters

    ih8puters New Member

    Messages:
    25
    I'm in safe mode running SDFix I have a black box that says:

    Starting Repairs

    Checking Running Processes and Services


    It doesn't look like it's doing anything but I don't want to mess it up. Should something be happening on the screen? Is this a process that takes a few minutes or does it take time.

    Thanks again for your help I appreciate it.
     
  15. ih8puters

    ih8puters New Member

    Messages:
    25
    SDFix Log

    SDFix: Version 1.193
    Run by Jamie on Mon 06/16/2008 at 11:17 PM

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix

    Checking Services :


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting


    Checking Files :

    Trojan Files Found:

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat - Contains Links to Malware Sites! - Deleted
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat - Contains Links to Malware Sites! - Deleted
    C:\Program Files\iCheck\iCheck.exe - Deleted
    C:\Program Files\iCheck\Uninstall.exe - Deleted
    C:\Program Files\p2pnetworks\AlConfig.xml - Deleted
    C:\Program Files\p2pnetworks\alp2plib.log - Deleted
    C:\Program Files\p2pnetworks\alp2plib.log.bak - Deleted
    C:\Program Files\p2pnetworks\install.log - Deleted
    C:\Program Files\p2pnetworks\sp2p.cache - Deleted
    C:\Program Files\p2pnetworks\uninst.exe - Deleted
    C:\WINDOWS\x.exe - Deleted
    C:\WINDOWS\y.exe - Deleted
    C:\WINDOWS\accesss.exe - Deleted
    C:\WINDOWS\astctl32.ocx - Deleted
    C:\WINDOWS\avpcc.dll - Deleted
    C:\WINDOWS\clrssn.exe - Deleted
    C:\WINDOWS\cpan.dll - Deleted
    C:\WINDOWS\ctfmon32.exe - Deleted
    C:\WINDOWS\ctrlpan.dll - Deleted
    C:\WINDOWS\default.htm - Deleted
    C:\WINDOWS\directx32.exe - Deleted
    C:\WINDOWS\dnsrelay.dll - Deleted
    C:\WINDOWS\editpad.exe - Deleted
    C:\WINDOWS\explore.exe - Deleted
    C:\WINDOWS\explorer32.exe - Deleted
    C:\WINDOWS\funniest.exe - Deleted
    C:\WINDOWS\funny.exe - Deleted
    C:\WINDOWS\gfmnaaa.dll - Deleted
    C:\WINDOWS\helpcvs.exe - Deleted
    C:\WINDOWS\iedll.exe - Deleted
    C:\WINDOWS\iexplorer.exe - Deleted
    C:\WINDOWS\inetinf.exe - Deleted
    C:\WINDOWS\internet.exe - Deleted
    C:\WINDOWS\loader.exe - Deleted
    C:\WINDOWS\msconfd.dll - Deleted
    C:\WINDOWS\msspi.dll - Deleted
    C:\WINDOWS\mssys.exe - Deleted
    C:\WINDOWS\msupdate.exe - Deleted
    C:\WINDOWS\mswsc10.dll - Deleted
    C:\WINDOWS\mswsc20.dll - Deleted
    C:\WINDOWS\mtwirl32.dll - Deleted
    C:\WINDOWS\notepad32.exe - Deleted
    C:\WINDOWS\olehelp.exe - Deleted
    C:\WINDOWS\qttasks.exe - Deleted
    C:\WINDOWS\quicken.exe - Deleted
    C:\WINDOWS\rundll16.exe - Deleted
    C:\WINDOWS\rundll32.vbe - Deleted
    C:\WINDOWS\searchword.dll - Deleted
    C:\WINDOWS\sistem.exe - Deleted
    C:\WINDOWS\svchost32.exe - Deleted
    C:\WINDOWS\svcinit.exe - Deleted
    C:\WINDOWS\systeem.exe - Deleted
    C:\WINDOWS\systemcritical.exe - Deleted
    C:\WINDOWS\system32\hljwugsf.bin - Deleted
    C:\WINDOWS\system32\pac.txt - Deleted
    C:\WINDOWS\time.exe - Deleted
    C:\WINDOWS\users32.exe - Deleted
    C:\WINDOWS\waol.exe - Deleted
    C:\WINDOWS\win32e.exe - Deleted
    C:\WINDOWS\win64.exe - Deleted
    C:\WINDOWS\winajbm.dll - Deleted
    C:\WINDOWS\window.exe - Deleted
    C:\WINDOWS\winmgnt.exe - Deleted
    C:\WINDOWS\xplugin.dll - Deleted
    C:\WINDOWS\xxxvideo.hta - Deleted



    Folder C:\Program Files\GetModule - Removed
    Folder C:\Program Files\iCheck - Removed
    Folder C:\Program Files\p2pnetworks - Removed


    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-16 23:30:23
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clb.dll]
    "0"=hex:00,00,28,0a,01,00,05,00
    "1"=hex:b6,00,b6,eb,2f,6b,03,cb,5a,e8,c3,ac,b9,40,38,e1
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatex.dll]
    "0"=hex:2a,00,3e,11,0c,00,d1,07
    "1"=hex:cf,24,2a,85,a4,d7,fe,3c,03,76,96,fe,18,b6,ec,d3
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\clbcatq.dll]
    "0"=hex:2a,00,3e,11,0c,00,d1,07
    "1"=hex:6a,b7,9d,1d,7d,d8,1d,46,23,79,12,2a,da,6a,19,42
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
    @="driver"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\clbdriver.sys]
    @="driver"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\clbdriver]
    "type"=dword:00000001
    "start"=dword:00000001
    "imagepath"=str(2):"\??\globalroot\systemroot\system32\drivers\clbdriver.sys"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clb.dll]
    "0"=hex:00,00,28,0a,01,00,05,00
    "1"=hex:b6,00,b6,eb,2f,6b,03,cb,5a,e8,c3,ac,b9,40,38,e1
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clbcatex.dll]
    "0"=hex:2a,00,3e,11,0c,00,d1,07
    "1"=hex:cf,24,2a,85,a4,d7,fe,3c,03,76,96,fe,18,b6,ec,d3
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\clbcatq.dll]
    "0"=hex:2a,00,3e,11,0c,00,d1,07
    "1"=hex:6a,b7,9d,1d,7d,d8,1d,46,23,79,12,2a,da,6a,19,42
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\clbdriver.sys]
    @="driver"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\clbdriver.sys]
    @="driver"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\clbdriver]
    "type"=dword:00000001
    "start"=dword:00000001
    "imagepath"=str(2):"\??\globalroot\systemroot\system32\drivers\clbdriver.sys"

    scanning hidden registry entries ...

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData]
    "affid"="7"
    "subid"="c001"
    "control"=hex:1a,00,15,13,07,11,18,1f,14,0a,49,09,4b,1a,09,50,11,e5,f5
    "prov"="10010"
    "googleadserver"="pagead2.googlesyndication.com"
    "flagged"=dword:00000001

    scanning hidden files ...

    C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll 110080 bytes executable
    C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll 498688 bytes executable
    C:\WINDOWS\system32\clb.dll 10752 bytes executable
    C:\WINDOWS\system32\clbcatex.dll 110080 bytes executable
    C:\WINDOWS\system32\clbcatq.dll 498688 bytes executable
    C:\WINDOWS\system32\clbdll.dll 43520 bytes executable
    C:\WINDOWS\system32\clbinit.dll 1693 bytes
    C:\WINDOWS\system32\drivers\clbdriver.sys 10240 bytes executable
    C:\WINDOWS\$NtUninstallKB902400$\clbcatex.dll 110080 bytes executable
    C:\WINDOWS\$NtUninstallKB902400$\clbcatq.dll 501248 bytes executable

    scan completed successfully
    hidden processes: 0
    hidden services: 1
    hidden files: 10


    Remaining Services :




    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
    "C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
    "C:\\Program Files\\p2pnetworks\\p2pnetworks.exe"="C:\\Program Files\\p2pnetworks\\p2pnetworks.exe:*:Enabled:p2PNetworks"
    "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000"
    "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
    "C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000"

    Remaining Files :


    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes :

    Mon 13 Sep 2004 54,384 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
    Mon 13 Sep 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
    Mon 13 Sep 2004 31,344 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
    Mon 21 Aug 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Mon 31 May 2004 77,824 A..HR --- "C:\Documents and Settings\Miranda\Local Settings\Temp\hpbinsmg.dll"
    Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT3.tmp"

    Finished!
     
  16. ih8puters

    ih8puters New Member

    Messages:
    25
    I can't get combofix to run. I've followed the directions on the link provided exactly and I do not get the blue box.

    Here is the latest Hijackthis log. I must say my computer is running better already. Minus the popup ads

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 00:05, on 2008-06-17
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\Rundll32.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\InterMute\SpySubtract\SpySub.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
    O2 - BHO: targetedbanner browser optimizer - {605ce638-5c90-784e-e4e9-df9f4fc8b7f9} - C:\WINDOWS\system32\{c95a7f07-3e28-79a2-1747-96faf47f0e44}.dll
    O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e0} - (no file)
    O3 - Toolbar: Seekmo Toolbar - {53E0B6E8-A51D-448B-B692-40B67B285543} - C:\Program Files\Seekmo Programs\Seekmo Toolbar\SeekmoTB.dll (file missing)
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [VZRemoteCommander] C:\Program Files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [{ae452549-24f2-e1b4-220c-e7679ad1abb7}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{c95a7f07-3e28-79a2-1747-96faf47f0e44}.dll" DllStart
    O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
    O23 - Service: VAIO Entertainment Task Scheduler - Sony Corporation - C:\Program Files\Sony\vaio entertainment\VzTaskScheduler.exe
    O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
    O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
    O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
    O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
    O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
    O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

    --
    End of file - 11811 bytes
     
  17. cohen

    cohen New Member

    Messages:
    8,364
    Download and Run ComboFix
    If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
    Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

    Combofix should never take more that 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
    If that happened we want to know, and also what process you had to end.
     
  18. ceewi1

    ceewi1 VIP Member

    Messages:
    5,426
    It's fixable but will be difficult. You have a rootkit which can interfere with ComboFix. I need you to download a new version, but rename it to something else which should avoid being stopped by the rootkit. I suggest you follow only my instructions in this thread.

    Please delete your copy of ComboFix, and download the latest version from here.


    NOTE: When you download ComboFix.exe, rename it like so:

    [​IMG]

    [​IMG]


    • Double-click Combo-Fix.exe, and follow the prompts.
    • When the tool is finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a new HijackThis log.
     
  19. ih8puters

    ih8puters New Member

    Messages:
    25
    I redownloaded combofix and renamed the file when I saved it. I still can't get it to work
     
  20. cohen

    cohen New Member

    Messages:
    8,364
    Are you in "normal boot mode"?
     
Thread Status:
Not open for further replies.

Share This Page