Winh32.exe problem - Page 6

mjc · #**126** 10-16-2007, 12:57 AM

Yeah...that is a major concern.

At this point, anything that gets done (fix or wipe & reload) needs to be done with all new passwords and the other two machines on the network still need to be checked...

unicornsstorm · #**127** 10-16-2007, 08:15 AM

our computer did not come with any OS software or restore disks of any kind. any idea how I would go about a wipe and relode without? And, how would that affect my data? It's on a portable hard drive completely seperate from the OS but could the infection be burried in there someware?

Also, both of the other machines are scnning clean witht their respective av's and as's (but then so is this one) Should I post any logs on the other machines here or put them up as new topics???

Budfred · #**128** 10-16-2007, 09:38 AM

This seems to be a Dell, so you probably have the Windows on a hidden partition... If so, you can either make restore disks or order them from Dell...

However, I would hold off just a bit... Try this CFScript and see if it can tell us more about that pest, not to mention cleaning up some more of the trash... This will send files to the developer and other malware fighters to check out, so you will need to be online for this...

Quote:

Driver::
perfect_cleaner_header _small.gif
spy_away_header_small. gif
perfect_cleaner_box_sm all.jpg
perfect_cleaner_header .gif
FileLook::
C:\WINDOWS\system32\kdfvmgr.exe
C:\WINDOWS\system32\kdfmgr.exe
Catch::
C:\WINDOWS\system32\kdfvmgr.exe
C:\WINDOWS\system32\kdfmgr.exe
C:\WINDOWS\system32\kdfapi.dll
C:\WINDOWS\system32\Kdfhok.dll
C:\WINDOWS\system32\kdfinj.dll
Folder::
C:\WINDOWS\kdefense

Your data files are probably okay (it is good that they are on an external drive)... However, I would scan the hell out of them before trusting that...

You can post logs for the other computers here if we get this one clean... Otherwise, please start a new thread for each so it doesn't get too confusing...

unicornsstorm · #**129** 10-16-2007, 10:14 AM

It's a Sony Vaio. Here is the CF Log.

ComboFix 07-10-12.4 - comp 2007-10-16 9:05:20.28 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.673 [GMT -4:00]
Running from: C:\Documents and Settings\comp.VALUED-3253602F\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\comp.VALUED-3253602F\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\kdefense
C:\WINDOWS\kdefense\k52010.ico
C:\WINDOWS\kdefense\k52011.ico
C:\WINDOWS\kdefense\k52012.bmp
C:\WINDOWS\kdefense\KStartClean.ini

.
((((((((((((((((((((((((( Files Created from 2007-09-16 to 2007-10-16 )))))))))))))))))))))))))))))))
.

2007-10-16 01:13 849,920 --a------ C:\WINDOWS\system32\kdfinj.dll
2007-10-16 01:13 726,568 --a------ C:\WINDOWS\system32\kdfmgr.exe
2007-10-16 01:13 192,512 --a------ C:\WINDOWS\system32\kdfvmgr.exe
2007-10-16 01:13 77,824 --a------ C:\WINDOWS\system32\kdfapi.dll
2007-10-16 01:13 53,248 --a------ C:\WINDOWS\system32\Kdfhok.dll
2007-10-13 21:29 <DIR> d-------- C:\Documents and Settings\comp.VALUED-3253602F\Application Data\wsInspector
2007-10-13 21:06 <DIR> d-------- C:\Program Files\Startup Inspector for Windows
2007-10-13 20:42 <DIR> d-------- C:\Documents and Settings\comp.VALUED-3253602F\Application Data\Uniblue
2007-10-09 16:51 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-09 00:02 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-08 21:29 <DIR> d-------- C:\fsaua.data
2007-10-08 08:48 <DIR> d-------- C:\Documents and Settings\COMP~1~VAL\LOCALS~1
2007-10-07 10:48 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sony Ericsson
2007-10-04 21:37 <DIR> d-------- C:\WINDOWS\LocalSSL
2007-10-04 21:36 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2007-10-04 21:36 52,368 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2007-10-04 21:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-10-04 20:55 <DIR> d-------- C:\Documents and Settings\comp.VALUED-3253602F\Application Data\HouseCall 6.6
2007-10-04 20:55 138,512 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-04 14:21 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-01 02:22 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\Grisoft
2007-10-01 02:22 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-09-30 17:20 <DIR> d-------- C:\Documents and Settings\comp.VALUED-3253602F\Application Data\AVG7
2007-09-30 07:25 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\AVG7
2007-09-30 07:25 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-09-30 07:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-18 02:31 1,126,328 --a------ C:\WINDOWS\system32\drivers\vsapint.sys
2007-09-18 02:31 333,328 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-09-18 02:31 203,024 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-09-18 02:31 65,936 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2007-09-18 02:31 36,112 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2007-10-16 05:15 --------- d-----w C:\Documents and Settings\Steve\Application Data\MailWasherPro
2007-10-14 10:51 --------- d-----w C:\Documents and Settings\Steve\Application Data\ContentGuard
2007-10-09 04:46 --------- d-----w C:\Documents and Settings\comp.VALUED-3253602F\Application Data\ATI
2007-10-09 01:31 --------- d-----w C:\Program Files\Java
2007-10-08 01:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-06 18:07 --------- d-----w C:\Program Files\Common Files\efax
2007-10-05 01:36 --------- d-----w C:\Program Files\Trend Micro
2007-10-05 01:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-09-24 00:20 --------- d-----w C:\Program Files\StorageSync
2007-09-17 01:12 --------- d-----w C:\Program Files\FlexiMusic Wave Editor
2007-09-12 15:17 --------- d-----w C:\Program Files\TurboTax
2007-09-10 22:36 --------- d-----w C:\Documents and Settings\comp.VALUED-3253602F\Application Data\U3
2007-09-04 11:57 --------- d-----w C:\Documents and Settings\Steve\Application Data\U3
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-17 19:13 --------- d-----w C:\Program Files\MTV Networks
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 43,352 -c--a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-07-30 23:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:18 33,624 -c--a-w C:\WINDOWS\system32\wups.dll
2004-11-05 16:00 457 -c--a-w C:\Program Files\INSTALL.LOG
2004-02-19 20:16 386,235 -c--a-w C:\Program Files\Printkey2000.zip
2001-05-08 12:54 797,443 -c--a-w C:\Program Files\Printkey2000.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))) )))))))
.

---- C:\WINDOWS\system32\kdfmgr.exe ----

Company: Bluegem Security
File Description: LocalSSL R5 Manager
File Version: 5, 1, 8, 7
Product Name: LocalSSL Manager
Copyright: Copyright 2007 Bluegem Security
Original file name: kdfmgr.exe

---- C:\WINDOWS\system32\kdfvmgr.exe ----

Company: 1“æ…
File Description: KdfVMgr
File Version: 1, 0, 0, 1
Product Name: 1“æ… KdfVMgr
Copyright: Kings Information & Network
Original file name: KdfVMgr.exe

((((((((((((((((((((((((((((( snapshot@2007-10-15_ 9.15.59.73 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-09 23:51:35 457,248 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2007-10-15 18:12:18 457,248 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
.

unicornsstorm · #**130** 10-16-2007, 10:14 AM

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E7620C98-FCCC-40E5-92EC-C7685D2E1E40}"= C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.d ll [2007-09-16 10:21 103760]

[HKEY_CLASSES_ROOT\CLSID\{E7620C98-FCCC-40E5-92EC-C7685D2E1E40}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EC525605-2266-4775-8F78-A68A6446465C}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 13:29]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2003-06-23 20:32]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 01:08]
"StrgSync.exe"="C:\Program Files\StorageSync\StrgSync.exe" [2004-07-19 16:12]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-09-01 21:37]
"KONICA MINOLTA magicolor 2400W STD"="C:\WINDOWS\system32\MSTMON_S.exe" [2004-09-27 20:00]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 03:19]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 03:07]
"AGRSMMSG"="AGRSMMSG.exe" [2004-07-22 13:38 C:\WINDOWS\AGRSMMSG.exe]
"ABBYY Community Agent"="C:\PROGRA~1\SPRINT~1.0OF\Sprint\CAgent.exe " [2001-01-31 11:32]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 18:17]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.e xe" [2006-01-12 17:40]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-07-25 06:01]
"Name of App"="C:\Program Files\SAMSUNG\FW LiveUpdate\Liveupdate.exe" []
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2006-11-01 01:04]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2007-09-18 02:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2006-10-28 12:31]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
VistaAccess.lnk - C:\VstaScan\VsAccess.exe [2004-01-03 21:03:47]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
VistaAccess.lnk - C:\VstaScan\VsAccess.exe [2004-01-03 21:03:47]

C:\Documents and Settings\apache2triad.GAMBRELLDT\Start Menu\Programs\Startup\
VistaAccess.lnk - C:\VstaScan\VsAccess.exe [2004-01-03 21:03:47]

C:\Documents and Settings\Elizabeth\Start Menu\Programs\Startup\
VistaAccess.lnk - C:\VstaScan\VsAccess.exe [2004-01-03 21:03:47]

C:\Documents and Settings\Steve\Start Menu\Programs\Startup\
Remocon Driver.lnk - C:\Program Files\sony\usbsircs\usbsircs.exe [2003-09-17 20:07:58]

C:\Documents and Settings\comp.VALUED-3253602F\Start Menu\Programs\Startup\
Printkey2000.exe [2001-05-08 08:54:50]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
VistaAccess.lnk - C:\VstaScan\VsAccess.exe [2004-01-03 21:03:47]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

.
Contents of the 'Scheduled Tasks' folder
"2007-06-06 03:08:17 C:\WINDOWS\Tasks\MP Scheduled Quick Scan.job"
"2004-01-18 13:56:57 C:\WINDOWS\Tasks\UPS System Shutdown Program.job"
.
************************************************** ************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-16 09:09:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
Completion time: 2007-10-16 9:10:34
C:\ComboFix-quarantined-files.txt ... 2007-10-11 11:49
C:\ComboFix2.txt ... 2007-10-15 09:16
C:\ComboFix3.txt ... 2007-10-15 08:47
.
--- E O F ---

Budfred · #**131** 10-17-2007, 12:21 AM

Okay, one of the best malware fighters on the internet has looked at this and solved the problem... It turns out that Kdefense started loading when you activated it in TrendMicro, so it is legit... Apparently it is the Korean software that TrendMicro licenses from them for keylogger protection...

The only thing left then is these and it should be possible to simply delete them -- just go to that folder and delete the files:

C:\WINDOWS\system32\drivers\perfect_cleaner_header _small.gif
C:\WINDOWS\system32\drivers\spy_away_header_small. gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box_sm all.jpg
C:\WINDOWS\system32\drivers\perfect_cleaner_header .gif

You may need to set Windows to show hidden/system files to be able to see them if you haven't already done that...

Post one more HJT log and let me know how things are going... I think you may be clean!!

unicornsstorm · #**132** 10-17-2007, 11:20 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:53 AM, on 10/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\sony\giga pocket\shwserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\Program Files\StorageSync\StrgSync.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\SPRINT~1.0OF\Sprint\CAgent.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Documents and Settings\comp.VALUED-3253602F\Start Menu\Programs\Startup\Printkey2000.exe
C:\Program Files\Sony\giga pocket\RM_SV.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\H SChkProxyExe.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\kdfmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.d ll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.d ll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [StrgSync.exe] C:\Program Files\StorageSync\StrgSync.exe -w
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [KONICA MINOLTA magicolor 2400W STD] C:\WINDOWS\system32\MSTMON_S.EXE STARTUP
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\Liveupdate.exe
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKUS\S-1-5-21-2554091808-13519833-1650968600-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Steve')
O4 - HKUS\S-1-5-21-2554091808-13519833-1650968600-1008\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Steve')
O4 - HKUS\S-1-5-21-2554091808-13519833-1650968600-1008\..\Run: [] (User 'Steve')
O4 - HKUS\S-1-5-21-2554091808-13519833-1650968600-1008\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (User 'Steve')
O4 - HKUS\S-1-5-21-2554091808-13519833-1650968600-1008\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'Steve')
O4 - S-1-5-21-2554091808-13519833-1650968600-1008 Startup: Remocon Driver.lnk = ? (User 'Steve')
O4 - S-1-5-21-2554091808-13519833-1650968600-1008 User Startup: Remocon Driver.lnk = ? (User 'Steve')
O4 - S-1-5-21-2554091808-13519833-1650968600-1014 Startup: VistaAccess.lnk = ? (User '?')
O4 - S-1-5-18 Startup: VistaAccess.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: VistaAccess.lnk = ? (User 'Default user')
O4 - .DEFAULT User Startup: VistaAccess.lnk = ? (User 'Default user')
O4 - Startup: Printkey2000.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe

unicornsstorm · #**133** 10-17-2007, 11:21 AM

O8 - Extra context menu item: Add to AD Hunter - C:\Program Files\Maxthon\config/blacklist.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: http://members.melaleuca.com
O15 - Trusted Zone: http://www.melaleuca.com
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {43B70AAD-23F4-4FD8-ADD9-441D8592EEB8} - http://www.snapfish.com/SnapfishImageEditor.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} - http://www.sonypictures.com/charlies...Downloader.cab
O16 - DPF: {A4069847-C342-48E2-9257-01A24E5C78EA} (F-Secure Online Scanner 3.2) - http://support.f-secure.com/ols3beta/fscax.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_inst...syInstallX.CAB
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Giga Pocket Hardware Detector - Sony Corporation - C:\Program Files\sony\giga pocket\shwserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\giga pocket\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\giga pocket\RM_SV.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

--
End of file - 14869 bytes

Budfred · #**134** 10-17-2007, 10:44 PM

Your log looks mostly okay... I realized you had a Sony just after I logged off after posting that it was a Dell, but it works out the same... You either have a hidden partition or some other way to create Restore disks... I would ask them to send me actual disks, but you can simply create your own if you would prefer...

This is the Sony spyware I mentioned a while ago... I would not tolerate it my computer, but it is your choice to fix or not... If you wish to fix it,

Please open HijackThis again and choose "Do a system scan only". Please put a check next to the following entry:

O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server

Now please close all open windows except HJT and press "Fix checked".

You can also delete this file:

c:\program files\support.com\client\bin\tgcmd.exe

Do you know what the Samsung updater is for??

How is your computer running?? Are you seeing any evidence of an infection?? If there is anything, please post a fresh ComboFix scan...

unicornsstorm · #**135** 10-18-2007, 08:25 AM

Samsung updater is trying to get me to update the firmware on our lightscrib DVD burner. The computer seems to be working great. we do have one minor issue, the Trend scan catches something every time I run it. I don't kow if that is just becasue it's so much better than AVG and Window's ONEcare or becasue we have a higher infection rate than ever before or if we have a seed somewhere on the machine still...

Other than that everything is running great and I don't see any indications of problems. The original issues with the background, task manager lock out and time format are all long gone.

Thank you for all your time and effort and I'll see you arround at the Boot Camp? I'll be posting HJT files for the other two computers here too jik.

Budfred · #**136** 10-18-2007, 09:28 AM

What is Trendmicro finding and how does it describe it?? It could mean a nested infection and we need to find it if that is the case...

Again, a fresh ComboFix log would be a good idea since you are still seeing signs... I want to make sure it is all clear before you go through and change all passwords on this machine or you may just need to do it again...

unicornsstorm · #**137** 10-18-2007, 09:21 PM

Mostly it's cookies that it keeps finding. Two that have shown up more than a few times are cookie_Tacoda and Cookie_Yeildmaster. Neither one is showing every day/ every scan so I think it's likely that I'm getting them while i'm online browsing but not sure of that.

Virus Scan Logs 17-Oct-07
Time Detected by Source Type Threat Name Infected File First Action
10:54 Manual Scan File TROJ_AGENT.ABPM C:\qoobox\Quarantine\C\WINDOWS\system32\9350.exe.v ir Quarantined Success
10:54 Manual Scan File TROJ_DELF.LEV C:\qoobox\Quarantine\C\WINDOWS\system32\SoUI.dll.v ir Quarantined Success
10:54 Manual Scan File TROJ_DLOADER.QVT C:\qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir Quarantined Success

Spyware Scan Logs 16-Oct-07
Time Type Threat Name Infected File Name Action Status Detected by Source Type
12:27 Cookie_SpecificClick Internet Explorer Cache adopt.specificclick.net Quarantined Success Cookie_SpecificClick Manual Scan Bad Internet Browser Cookies
12:27 Cookie_YieldManager Internet Explorer Cache ad.yieldmanager.com Quarantined Success Cookie_YieldManager Manual Scan Bad Internet Browser Cookies
12:27 Cookie_ServingSys Internet Explorer Cache serving-sys.com Quarantined Success Cookie_ServingSys Manual Scan Bad Internet Browser Cookies
12:27 Cookie_SpecificClick Internet Explorer Cache specificclick.net Quarantined Success Cookie_SpecificClick Manual Scan Bad Internet Browser Cookies
12:27 Cookie_Profiling Internet Explorer Cache tribalfusion.com Quarantined Success Cookie_Profiling Manual Scan Bad Internet Browser Cookies

I'll post todays scan logs and the HJT shortly.

already started changing things. I hopw I don't have to start over.

Better know though eh.

Budfred · #**138** 10-18-2007, 10:20 PM

Those first files are from ComboFix... I was going to get to removing it if you came up clean and it looks like you probably are...

Open a Run window from the Start menu and paste or type in:

ComboFix /u

That will remove all remaining traces of ComboFix...

unicornsstorm · #**139** 10-19-2007, 10:54 AM

Here is one last CF log. Thank you again for all the time you have given to our problems.
ComboFix 07-10-19.1 - comp 2007-10-19 9:48:29.29 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.410 [GMT -4:00]
Running from: C:\Documents and Settings\comp.VALUED-3253602F\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-19 to 2007-10-19 )))))))))))))))))))))))))))))))
.

2007-10-16 09:18 <DIR> d-------- C:\WINDOWS\kdefense
2007-10-16 01:13 849,920 --a------ C:\WINDOWS\system32\kdfinj.dll
2007-10-16 01:13 726,568 --a------ C:\WINDOWS\system32\kdfmgr.exe
2007-10-16 01:13 192,512 --a------ C:\WINDOWS\system32\kdfvmgr.exe
2007-10-16 01:13 77,824 --a------ C:\WINDOWS\system32\kdfapi.dll
2007-10-16 01:13 53,248 --a------ C:\WINDOWS\system32\Kdfhok.dll
2007-10-13 21:29 <DIR> d-------- C:\Documents and Settings\comp.VALUED-3253602F\Application Data\wsInspector
2007-10-13 21:06 <DIR> d-------- C:\Program Files\Startup Inspector for Windows
2007-10-13 20:42 <DIR> d-------- C:\Documents and Settings\comp.VALUED-3253602F\Application Data\Uniblue
2007-10-09 16:51 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-09 00:02 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-08 21:29 <DIR> d-------- C:\fsaua.data
2007-10-08 08:48 <DIR> d-------- C:\Documents and Settings\COMP~1~VAL\LOCALS~1
2007-10-07 10:48 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sony Ericsson
2007-10-04 21:37 <DIR> d-------- C:\WINDOWS\LocalSSL
2007-10-04 21:36 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2007-10-04 21:36 52,368 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2007-10-04 21:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-10-04 20:55 <DIR> d-------- C:\Documents and Settings\comp.VALUED-3253602F\Application Data\HouseCall 6.6
2007-10-04 20:55 138,512 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-04 14:21 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-01 02:22 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\Grisoft
2007-10-01 02:22 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-09-30 17:20 <DIR> d-------- C:\Documents and Settings\comp.VALUED-3253602F\Application Data\AVG7
2007-09-30 07:25 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\AVG7
2007-09-30 07:25 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-09-30 07:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2007-10-19 11:51 --------- d-----w C:\Documents and Settings\Steve\Application Data\MailWasherPro
2007-10-14 10:51 --------- d-----w C:\Documents and Settings\Steve\Application Data\ContentGuard
2007-10-09 04:46 --------- d-----w C:\Documents and Settings\comp.VALUED-3253602F\Application Data\ATI
2007-10-09 01:31 --------- d-----w C:\Program Files\Java
2007-10-08 01:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-06 18:07 --------- d-----w C:\Program Files\Common Files\efax
2007-10-05 01:36 --------- d-----w C:\Program Files\Trend Micro
2007-10-05 01:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-09-24 00:20 --------- d-----w C:\Program Files\StorageSync
2007-09-18 06:31 65,936 ----a-w C:\WINDOWS\system32\drivers\tmtdi.sys
2007-09-18 06:31 36,112 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-09-18 06:31 333,328 ----a-w C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-09-18 06:31 203,024 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-09-18 06:31 1,126,328 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2007-09-17 01:12 --------- d-----w C:\Program Files\FlexiMusic Wave Editor
2007-09-12 15:17 --------- d-----w C:\Program Files\TurboTax
2007-09-10 22:36 --------- d-----w C:\Documents and Settings\comp.VALUED-3253602F\Application Data\U3
2007-09-04 11:57 --------- d-----w C:\Documents and Settings\Steve\Application Data\U3
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 43,352 -c--a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-07-30 23:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:18 33,624 -c--a-w C:\WINDOWS\system32\wups.dll
2004-11-05 16:00 457 -c--a-w C:\Program Files\INSTALL.LOG
2004-02-19 20:16 386,235 -c--a-w C:\Program Files\Printkey2000.zip
2001-05-08 12:54 797,443 -c--a-w C:\Program Files\Printkey2000.exe
.

((((((((((((((((((((((((((((( snapshot@2007-10-15_ 9.15.59.73 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-09 23:51:35 457,248 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2007-10-15 18:12:18 457,248 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E7620C98-FCCC-40E5-92EC-C7685D2E1E40}"= C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.d ll [2007-09-16 10:21 103760]

[HKEY_CLASSES_ROOT\CLSID\{E7620C98-FCCC-40E5-92EC-C7685D2E1E40}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EC525605-2266-4775-8F78-A68A6446465C}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 13:29]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 01:08]
"StrgSync.exe"="C:\Program Files\StorageSync\StrgSync.exe" [2004-07-19 16:12]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32]
"KONICA MINOLTA magicolor 2400W STD"="C:\WINDOWS\system32\MSTMON_S.exe" [2004-09-27 20:00]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-04-07 03:19]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 03:07]
"AGRSMMSG"="AGRSMMSG.exe" [2004-07-22 13:38 C:\WINDOWS\AGRSMMSG.exe]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 18:17]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.e xe" [2006-01-12 17:40]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-07-25 06:01]
"Name of App"="C:\Program Files\SAMSUNG\FW LiveUpdate\Liveupdate.exe" []
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2006-11-01 01:04]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2007-09-18 02:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2006-10-28 12:31]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
VistaAccess.lnk - C:\VstaScan\VsAccess.exe [2004-01-03 21:03:47]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
VistaAccess.lnk - C:\VstaScan\VsAccess.exe [2004-01-03 21:03:47]

C:\Documents and Settings\apache2triad.GAMBRELLDT\Start Menu\Programs\Startup\
VistaAccess.lnk - C:\VstaScan\VsAccess.exe [2004-01-03 21:03:47]

C:\Documents and Settings\Elizabeth\Start Menu\Programs\Startup\
VistaAccess.lnk - C:\VstaScan\VsAccess.exe [2004-01-03 21:03:47]

C:\Documents and Settings\comp.VALUED-3253602F\Start Menu\Programs\Startup\
Printkey2000.exe [2001-05-08 08:54:50]

C:\Documents and Settings\Steve\Start Menu\Programs\Startup\
Remocon Driver.lnk - C:\Program Files\sony\usbsircs\usbsircs.exe [2003-09-17 20:07:58]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
VistaAccess.lnk - C:\VstaScan\VsAccess.exe [2004-01-03 21:03:47]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

.
Contents of the 'Scheduled Tasks' folder
"2007-06-06 03:08:17 C:\WINDOWS\Tasks\MP Scheduled Quick Scan.job"
"2004-01-18 13:56:57 C:\WINDOWS\Tasks\UPS System Shutdown Program.job"
.
************************************************** ************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-19 09:51:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
Completion time: 2007-10-19 9:53:11
C:\ComboFix-quarantined-files.txt ... 2007-10-11 11:49
C:\ComboFix2.txt ... 2007-10-16 09:10
C:\ComboFix3.txt ... 2007-10-15 09:16
.
--- E O F ---

unicornsstorm · #**140** 10-19-2007, 10:57 AM

final HJT? I hope.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:57:34 AM, on 10/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\sony\giga pocket\shwserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\StorageSync\StrgSync.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\SPRINT~1.0OF\Sprint\CAgent.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Documents and Settings\comp.VALUED-3253602F\Start Menu\Programs\Startup\Printkey2000.exe
C:\Program Files\Sony\giga pocket\RM_SV.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\H SChkProxyExe.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Maxthon\Maxthon.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.d ll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.d ll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [StrgSync.exe] C:\Program Files\StorageSync\StrgSync.exe -w
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [KONICA MINOLTA magicolor 2400W STD] C:\WINDOWS\system32\MSTMON_S.EXE STARTUP
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\Liveupdate.exe
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKUS\S-1-5-21-2554091808-13519833-1650968600-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Steve')
O4 - HKUS\S-1-5-21-2554091808-13519833-1650968600-1008\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Steve')
O4 - HKUS\S-1-5-21-2554091808-13519833-1650968600-1008\..\Run: [] (User 'Steve')
O4 - HKUS\S-1-5-21-2554091808-13519833-1650968600-1008\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (User 'Steve')
O4 - HKUS\S-1-5-21-2554091808-13519833-1650968600-1008\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'Steve')
O4 - S-1-5-21-2554091808-13519833-1650968600-1008 Startup: Remocon Driver.lnk = ? (User 'Steve')
O4 - S-1-5-21-2554091808-13519833-1650968600-1008 User Startup: Remocon Driver.lnk = ? (User 'Steve')
O4 - S-1-5-18 Startup: VistaAccess.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: VistaAccess.lnk = ? (User 'Default user')
O4 - .DEFAULT User Startup: VistaAccess.lnk = ? (User 'Default user')
O4 - Startup: Printkey2000.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O8 - Extra context menu item: Add to AD Hunter - C:\Program Files\Maxthon\config/blacklist.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

Budfred · #**141** 10-19-2007, 10:04 PM

Did you know that you didn't post the whole HJT log??

Please use Notepad to check the contents of this file:

C:\Program Files\INSTALL.LOG

It would be a good idea to install the latest Java now:

Updating Java:

Download and install the newest version from here:
- http://java.sun.com/javase/downloads/index.jsp

And since it is likely you are clean:

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future. :thumbup:

Please navigate to http://windowsupdate.microsoft.com and download all the "Critical Updates" for Windows. These will patch many of the security holes through which attackers can gain access to your computer. Your current versions appear to be outdated.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measuer.

As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features if you don't have the resident part of another anti-spyware program running.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

If you use Internet Explorer, it is a good idea to use IE-Spyad which provides protections against malicious websites.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure are looking for anti-spyware programs, you can find out if it is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScripts, can make it even more secure. Opera is another good option.
If you are interested, Firefox may be downloaded from here
Opera is available here: http://www.opera.com/download/

For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help.

unicornsstorm · #**142** 10-22-2007, 11:05 AM

THanks for all the advice, but most all of it was in place when I got the infections... I've always had auto updates on for Windows, spybot and AVG... all of which were up and running when this started... I did have one hole, my Windows onecare had a firewall and when it expired last month I didn't think about that part of the security when we went back to free alternatives so I did have one gaping hole.

I was conserned though about the indication that my windows updates were out of date... as I said, I've always had the mset to auto update and when I checked just now I'm told there are no new updates available. Am I missing something?

I've been using Maxthon but I'm going to check out firefox now and will probably switch to that.

Thank you again..
Linda

JIC here is one last HJT file , complete

unicornsstorm · #**143** 10-22-2007, 11:05 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:04:42 AM, on 10/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\sony\giga pocket\shwserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\giga pocket\RM_SV.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Documents and Settings\comp.VALUED-3253602F\Start Menu\Programs\Startup\Printkey2000.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Maxthon\Maxthon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
L:\My Documents\My Download Files\computer tools\Internet tools\Firefox Setup 2.0.0.8.exe
C:\DOCUME~1\COMP~1.VAL\LOCALS~1\Temp\7zS13.tmp\set up.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.d ll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.d ll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [StrgSync.exe] C:\Program Files\StorageSync\StrgSync.exe -w
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [KONICA MINOLTA magicolor 2400W STD] C:\WINDOWS\system32\MSTMON_S.EXE STARTUP
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\Liveupdate.exe
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKUS\S-1-5-21-2554091808-13519833-1650968600-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Steve')
O4 - HKUS\S-1-5-21-2554091808-13519833-1650968600-1008\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Steve')
O4 - HKUS\S-1-5-21-2554091808-13519833-1650968600-1008\..\Run: [] (User 'Steve')
O4 - HKUS\S-1-5-21-2554091808-13519833-1650968600-1008\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (User 'Steve')
O4 - HKUS\S-1-5-21-2554091808-13519833-1650968600-1008\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (User 'Steve')
O4 - S-1-5-21-2554091808-13519833-1650968600-1008 Startup: Remocon Driver.lnk = ? (User 'Steve')
O4 - S-1-5-21-2554091808-13519833-1650968600-1008 User Startup: Remocon Driver.lnk = ? (User 'Steve')
O4 - S-1-5-18 Startup: VistaAccess.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: VistaAccess.lnk = ? (User 'Default user')
O4 - .DEFAULT User Startup: VistaAccess.lnk = ? (User 'Default user')
O4 - Startup: Printkey2000.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
O8 - Extra context menu item: Add to AD Hunter - C:\Program Files\Maxthon\config/blacklist.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

unicornsstorm · #**144** 10-22-2007, 11:06 AM

O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: http://members.melaleuca.com
O15 - Trusted Zone: http://www.melaleuca.com
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {43B70AAD-23F4-4FD8-ADD9-441D8592EEB8} - http://www.snapfish.com/SnapfishImageEditor.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} - http://www.sonypictures.com/charlies...Downloader.cab
O16 - DPF: {A4069847-C342-48E2-9257-01A24E5C78EA} (F-Secure Online Scanner 3.2) - http://support.f-secure.com/ols3beta/fscax.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_inst...syInstallX.CAB
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Giga Pocket Hardware Detector - Sony Corporation - C:\Program Files\sony\giga pocket\shwserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\giga pocket\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\giga pocket\RM_SV.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

--
End of file - 15313 bytes

Budfred · #**145** 10-22-2007, 08:51 PM

Quote:

Originally Posted by unicornsstorm

THanks for all the advice, but most all of it was in place when I got the infections... I've always had auto updates on for Windows, spybot and AVG... all of which were up and running when this started... I did have one hole, my Windows onecare had a firewall and when it expired last month I didn't think about that part of the security when we went back to free alternatives so I did have one gaping hole.

I was conserned though about the indication that my windows updates were out of date... as I said, I've always had the mset to auto update and when I checked just now I'm told there are no new updates available. Am I missing something?

I've been using Maxthon but I'm going to check out firefox now and will probably switch to that.

Thank you again..
Linda

JIC here is one last HJT file , complete

That is a standard prevention speech I give people and is not customized for your situation... However, you had a number of security holes and your computer was massively infected, so I suggest you read the article I linked to for more ideas...

Your log looks okay at this point... Did you check that file I asked you to look in??

DellCA · #**146** 10-24-2007, 12:27 PM

Quote:

Originally Posted by unicornsstorm

our computer did not come with any OS software or restore disks of any kind. any idea how I would go about a wipe and relode without? And, how would that affect my data? It's on a portable hard drive completely seperate from the OS but could the infection be burried in there someware?

Also, both of the other machines are scnning clean witht their respective av's and as's (but then so is this one) Should I post any logs on the other machines here or put them up as new topics???

If your Dell did not ship with an OS reinstallation CD (a Dell branded Windows disk, not an image) then your computer most likely has a reinstallation (PC Restore) partition on the hard drive. You can run this, assuming it is still there and intact, by pressing CTRL+F11 at the Dell splash screen just after powering on the computer.

Another option is contacting Dell tech support (or myself) to have the appropriate reinstallation CDs (OS and drivers) sent out to you, at no cost to you.

If you have any questions on this I'll be happy to answer them.

Larry
Dell Customer Advocate

Budfred · #**147** 10-24-2007, 11:20 PM

DellCA...

If you looked a little closer, you would see that unicornsstorm has a Sony, so Dell support is not likely to be helpful...

You may have been asked this before... Are you here officially from Dell or is this an effort you are doing on your own... If it is the latter, I suggest you specify that... If you are official, please provide a means for us to independently verify that...

DellCA · #**148** 10-25-2007, 02:53 PM

Humorously enough, I saw your post about "this looks like a Dell" and failed to check closer. Sorry for any confusion that may have caused. This just goes to show that when dealing with computers you should always double check info.

Since it is a Sony, and I am not personally familiar with them, I don't know whether there is an image on the hard drive or not. Contacting Sony tech support, however, is probably the best and easiest way to get at least a reinstallation CD. The drivers can be downloaded from the Sony support website (http://esupport.sony.com/US/perl/sel...ER&PRODTYPE=24).

Yes, I am an actual Dell representative working out of Dell headquarters in Texas. My team goes out and looks for people posting about Dell so we can answer questions and generally provide help when and where we can. The team has been working for almost 18 months now doing this so there are a number of references to us on the internet (a Google search for "Dell Customer Advocate" will turn up quite a bit, for example). And official Dell page with info about is can be read/watched here (the direc2dell.com blog site), and I am sitting front row on the left in the video.

Larry
Dell Customer Advocate

Ajmukon · #**149** 10-25-2007, 05:05 PM

since yo gave a link directly to your website,
i will post a link to the link from DELLS official page to your site:
http://search.dell.com/results.aspx?...False&~ck=asrc

yep, DellCA is a Dell representative..
which, i am happy to have on this board! (now all we need is a HP tech guy and a Red hat support guy..)

Budfred · #**150** 10-25-2007, 10:39 PM

Ajmukon,

I am not sure how you are sure this person is who he says he is... Anyone aware of the Dell blog about this program can say he/she is from the program... Simply saying you are one of them and indicating you are a particular person in a video is not verification...

DellCA,

I suggest that if you are from Dell, that you work out a way to actually verify your members so that you can resolve the trust issues... I have seen scams in many forms and do not trust simply because someone provides this kind of evidence... Have you looked at any phish lately?? Some look impressively realistic, but they are still out to rip you off... I have not seen evidence that you are doing anything like that here, but as soon as someone sends you an email, that potential exists... From what I can see, you are probably legit and I applaud the effort on Dell's part if you are...

Thread Tools
Show Printable Version Email this Page
Rate This Thread
Rate This Thread:

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)