HellBound Hackers | Computer General | Trouble Shooting


Badly infected lappy, WinXP, don't want to reinstall. HELP ME


Guest
Posted on 08-03-08 02:32
http://www.techspot.com/vb/showthread.php?p=587627&posted=1#post587627

That's the forum thread about the issue; it has everything I've tried so far. I am about to go home and get my live CD (it's a friend's computer) to rm a few files that I can't touch whilst in XP.

If you can read the logs I posted there ^^ and help me out, it would be great. I do not want to reinstall; I remember zephyr or korg saying that is NEVER a resort, and I quite agree... However, this has taken a lot of my time, it's getting annoying, and the only thing I've gotten out of it so far is a free meal :grin:

(a very good meal, however ^_^ )

So, if you can help, thanks!



RE: Badly infected lappy, WinXP, don't want to reinstall. HELP ME

korg
Admin from hell
Posts: 2798
Location: ENDING YOUR ONLINE EXPERIENCE!
Joined: 01.01.06
Rank: God
Posted on 08-03-08 03:07
@thors, you should have come here first, buddy. Redo the HJT and ComboFix files and post them here or PM me. You can't view your files on TechSpot and I will not join that site. Won't get into that now. (noobs). Let me know.

I deal in pain, All life I drain, I dominate, I seal your fate.

RE: Badly infected lappy, WinXP, don't want to reinstall. HELP ME

Guest
Posted on 08-03-08 03:52
OK, well, I had to go back to my house, but I'm trying to work with her over MSN/phone. I'll get you the HJT and ComboFix logs ASAP.



RE: Badly infected lappy, WinXP, don't want to reinstall. HELP ME

Guest
Posted on 08-03-08 04:02
ComboFix 08-03-05.1 - Jenny3.0 2008-03-07 9:37:38.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.558 [GMT -6:00]
Running from: C:\Documents and Settings\Jenny3.0\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM0b8e15f7.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\awvvv.dll
C:\WINDOWS\system32\kvbqpbhw.dll
C:\WINDOWS\system32\kvsphoco.ini
C:\WINDOWS\system32\lspqrdrq.dll
C:\WINDOWS\system32\mpcuaifp.dll
C:\WINDOWS\system32\nnfjmdgk.dll
C:\WINDOWS\system32\ocohpsvk.dll
C:\WINDOWS\system32\poowqsbw.dll
C:\WINDOWS\system32\ssqnnnk.dll
C:\WINDOWS\system32\twfuklut.dll
C:\WINDOWS\system32\vpmoofho.dll
C:\WINDOWS\system32\vvvwa.ini
C:\WINDOWS\system32\vvvwa.ini2
C:\WINDOWS\system32\whbpqbvk.ini
C:\WINDOWS\system32\wswiuoph.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-07 to 2008-03-07 )))))))))))))))))))))))))))))))
.

2008-03-07 09:30 . 2008-03-07 09:30 <DIR> d-------- C:\Documents and Settings\Jenny3.0\Application Data\MailFrontier
2008-03-07 09:24 . 2008-03-07 09:47 213,280 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-07 09:24 . 2008-03-07 09:44 3,860 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-07 08:20 . 2008-03-07 08:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-03-07 08:20 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-03-07 08:20 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-03-07 08:20 . 2008-03-07 09:46 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-03-07 08:19 . 2008-03-07 08:19 <DIR> d-------- C:\Program Files\Zone Labs
2008-03-07 08:18 . 2008-03-07 09:30 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-03-06 16:31 . 2008-03-06 16:34 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2008-03-06 10:29 . 2008-03-06 10:29 1,308,018 ---hs---- C:\WINDOWS\system32\tbnvonyb.ini
2008-03-06 09:31 . 2008-03-07 07:23 0 --a------ C:\adware.exe
2008-03-05 18:35 . 2008-03-05 18:35 <DIR> d-------- C:\Deckard
2008-03-05 17:51 . 2008-03-05 17:51 <DIR> d-------- C:\VundoFix Backups
2008-03-05 17:37 . 2008-03-05 17:37 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-05 17:37 . 2008-03-06 16:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-05 17:34 . 2008-03-05 17:34 <DIR> d-------- C:\Documents and Settings\Jenny3.0\Application Data\Grisoft
2008-03-05 17:22 . 2008-03-05 17:22 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-05 17:22 . 2008-03-05 17:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-05 17:19 . 2008-03-05 17:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-05 17:05 . 2008-03-05 17:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-05 17:05 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-05 16:55 . 2008-03-05 16:55 <DIR> d-------- C:\Documents and Settings\Jenny3.0\Application Data\Sonic
2008-03-05 16:55 . 2008-03-05 16:55 <DIR> d-------- C:\Documents and Settings\Jenny3.0\Application Data\Leadertech
2008-03-04 22:23 . 2008-03-04 22:23 1,302,838 ---hs---- C:\WINDOWS\system32\dwjfoaxm.ini
2008-03-04 21:32 . 2008-03-04 21:37 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-04 21:32 . 2008-03-04 21:35 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-04 21:32 . 2008-03-04 21:35 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-04 21:32 . 2008-03-04 21:35 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-04 21:15 . 2007-10-10 17:55 193,024 --a------ C:\WINDOWS\system32\SET266.tmp
2008-03-04 21:00 . 2008-03-04 21:00 1,302,838 ---hs---- C:\WINDOWS\system32\ensecyjs.ini
2008-03-04 19:54 . 2007-10-10 17:56 1,159,680 --a------ C:\WINDOWS\system32\SET262.tmp
2008-03-04 19:54 . 2007-10-10 17:56 824,832 --a------ C:\WINDOWS\system32\SET260.tmp
2008-03-04 19:54 . 2007-10-10 17:55 105,984 --a------ C:\WINDOWS\system32\SET263.tmp
2008-03-04 19:52 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-03-04 19:43 . 2008-03-04 19:43 <DIR> d-------- C:\ea7a20db18229096467479
2008-03-04 19:26 . 2008-03-04 19:26 1,302,838 ---hs---- C:\WINDOWS\system32\ujkohjwa.ini
2008-03-04 19:17 . 2008-03-04 19:17 41,984 --a------ C:\WINDOWS\system32\efcbbaw.dll.vir
2008-03-04 17:54 . 2008-03-06 16:21 <DIR> d-------- C:\Program Files\EliteSwitch
2008-03-03 21:32 . 2008-03-03 21:32 <DIR> d-------- C:\Documents and Settings\Jenny3.0\Application Data\SUPERAntiSpyware.com
2008-03-03 21:04 . 2008-03-07 09:31 <DIR> d-------- C:\Documents and Settings\Jenny3.0\amsn
2008-03-03 20:41 . 2008-03-03 20:41 <DIR> d-------- C:\Documents and Settings\Jenny3.0\Application Data\Talkback
2008-03-03 20:31 . 2004-11-23 14:18 <DIR> d-------- C:\Documents and Settings\Jenny3.0\Application Data\Sony Corporation
2008-03-03 19:51 . 2008-03-06 16:29 <DIR> d-------- C:\Program Files\Java
2008-03-03 19:51 . 2008-03-03 19:51 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-02 16:14 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-02 15:54 . 2008-03-02 15:54 32,764 --a------ C:\WINDOWS\17PHolmes1535.exe
2008-03-02 13:42 . 2008-03-02 13:42 <DIR> d-------- C:\Program Files\ESET
2008-03-02 13:10 . 2008-03-02 13:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-02-28 16:07 . 2008-03-06 16:24 49,167 -r-hs---- C:\WINDOWS\live.messenger.com
2008-02-27 20:31 . 2008-02-27 20:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SwiftKit
2008-02-26 22:03 . 2008-02-26 22:03 <DIR> d--h----- C:\WINDOWS\PIF
2008-02-24 14:36 . 2008-02-24 21:20 724,992 ---hs---- C:\WINDOWS\system32\svc.exe
2008-02-11 22:10 . 2008-02-28 16:13 <DIR> d-------- C:\Program Files\aMSN
2008-02-08 17:51 . 2008-02-08 17:51 <DIR> d-------- C:\Program Files\Alwil Software
2008-02-07 22:09 . 2008-02-07 22:08 846,848 -r-hs---- C:\WINDOWS\wkssvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-06 04:29 82,432 ----a-w C:\WINDOWS\system32\IEDFix.exe
2008-03-05 23:43 4,686 ----a-w C:\WINDOWS\system32\tmp.reg
2008-03-05 23:21 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-05 21:40 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-02 05:12 86,016 ----a-w C:\WINDOWS\system32\VACFix.exe
2008-02-28 02:51 --------- d-----w C:\Program Files\SwiftSwitch
2008-02-17 16:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-28 02:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kiwee Toolbar2
2007-12-14 17:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-07 02:21 124,928 ----a-w C:\WINDOWS\system32\advpack(2).dll
.

((((((((((((((((((((((((((((( snapshot@2008-03-05_18.30.59.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-06 22:34:52 98,678 ----a-w C:\WINDOWS\.jagex_cache_32\loginapplet\cache-1965029828.dat
+ 2007-07-19 21:10:28 127,768 ----a-w C:\WINDOWS\system32\drivers\klif.sys
- 2007-09-25 04:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-02-22 07:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-09-25 04:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-02-22 07:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-09-25 05:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-02-22 08:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-11-14 22:04:46 796,048 ----a-w C:\WINDOWS\system32\libeay32_0.9.6l.dll
+ 2007-11-14 22:04:52 83,432 ----a-w C:\WINDOWS\system32\vsdata.dll
+ 2007-11-14 22:05:16 394,952 ----a-w C:\WINDOWS\system32\vsdatant.sys
+ 2007-11-14 22:04:52 157,160 ----a-w C:\WINDOWS\system32\vsinit.dll
+ 2007-11-14 22:04:52 103,912 ----a-w C:\WINDOWS\system32\vsmonapi.dll
+ 2007-11-14 22:04:52 275,944 ----a-w C:\WINDOWS\system32\vspubapi.dll
+ 2007-11-14 22:04:52 71,144 ----a-w C:\WINDOWS\system32\vsregexp.dll
+ 2007-11-14 22:04:54 472,552 ----a-w C:\WINDOWS\system32\vsutil.dll
+ 2007-11-14 22:04:54 46,568 ----a-w C:\WINDOWS\system32\vswmi.dll
+ 2007-11-14 22:04:54 99,816 ----a-w C:\WINDOWS\system32\vsxml.dll
+ 2007-11-14 22:04:56 83,432 ----a-w C:\WINDOWS\system32\zlcomm.dll
+ 2007-11-14 22:04:56 71,144 ----a-w C:\WINDOWS\system32\zlcommdb.dll
+ 2007-11-14 22:04:44 370,208 ----a-w C:\WINDOWS\system32\ZoneLabs\av.dll
+ 2007-05-31 06:03:30 65,248 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\aphish.dat
+ 2006-06-30 20:47:36 21,568 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\avcmhk4.dll
+ 2008-03-07 15:45:56 23,324 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2007-05-31 06:03:16 77,824 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHComm.dll
+ 2007-05-31 06:03:16 110,592 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHrule.dll
+ 2007-05-31 06:03:16 331,776 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\CKAHUM.dll
+ 2007-05-31 06:03:16 38,400 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\FSSync.dll
+ 2007-07-19 21:10:32 110,360 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\w2kxp32\kl1.sys
+ 2007-07-19 21:10:32 186,128 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\w2kxp32\klif.sys
+ 2007-05-31 06:03:48 110,360 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\x32\kl1.sys
+ 2007-07-19 21:10:28 127,768 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\x32\klif.sys
+ 2007-05-31 06:03:50 45,056 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\instdrivers\x32\regcat.exe
+ 2006-09-20 05:12:14 208,960 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\inv.dll
+ 2007-09-12 03:09:16 274,432 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\kave.dll
+ 2006-12-20 00:13:52 1,093,632 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\libeay32.dll
+ 2007-05-31 06:03:20 548,864 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\msvcp80.dll
+ 2007-05-31 06:03:20 626,688 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\msvcr80.dll
+ 2007-05-31 06:03:18 184,320 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\prloader.dll
+ 2007-05-31 06:03:22 90,112 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\prremote.dll
+ 2007-09-12 03:09:16 135,168 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
+ 2006-12-20 00:13:52 200,704 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\ssleay32.dll
+ 2007-11-14 22:04:44 99,816 ----a-w C:\WINDOWS\system32\ZoneLabs\camupd.dll
+ 2004-01-30 18:35:08 813,568 ----a-w C:\WINDOWS\system32\ZoneLabs\dbghelp.dll
+ 2007-11-14 22:04:46 128,480 ----a-w C:\WINDOWS\system32\ZoneLabs\fbl.dll
+ 2007-11-14 22:04:46 38,376 ----a-w C:\WINDOWS\system32\ZoneLabs\featuremap.dll
+ 2007-11-14 22:04:46 321,016 ----a-w C:\WINDOWS\system32\ZoneLabs\imsecure.dll
+ 2007-11-14 22:05:18 288,144 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\ConfigWizard.zip.dll
+ 2007-11-14 22:05:18 152,976 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\licenseui.zip.dll
+ 2007-11-14 22:05:18 26,000 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zlsvc.zip.dll
+ 2007-11-14 22:05:18 1,361,296 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zpy.zip.dll
+ 2007-11-14 22:05:20 71,056 ----a-w C:\WINDOWS\system32\ZoneLabs\lib\zui.zip.dll
+ 2007-11-14 22:06:34 30,184 ----a-w C:\WINDOWS\system32\ZoneLabs\plugins\rpc_server\rpc_server.dll
+ 2007-11-14 22:06:36 30,216 ----a-w C:\WINDOWS\system32\ZoneLabs\plugins\vsmon_plugin\vsmon_plugin.dll
+ 2007-10-19 02:18:38 714,208 ----a-w C:\WINDOWS\system32\ZoneLabs\qrbase.dll
+ 2007-10-19 02:18:38 787,936 ----a-w C:\WINDOWS\system32\ZoneLabs\qrsrecl.dll
+ 2007-11-14 22:04:48 173,544 ----a-w C:\WINDOWS\system32\ZoneLabs\scheduler.dll
+ 2007-01-11 17:12:08 2,432,259 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
+ 2007-10-19 02:18:40 1,500,640 ----a-w C:\WINDOWS\system32\ZoneLabs\srescan.dll
+ 2007-10-19 02:18:44 51,176 ----a-w C:\WINDOWS\system32\ZoneLabs\srescan.sys
+ 2007-11-14 22:04:50 456,168 ----a-w C:\WINDOWS\system32\ZoneLabs\ssleay32.dll
+ 2007-11-14 22:06:36 214,528 ----a-w C:\WINDOWS\system32\ZoneLabs\streamapi\httpblocker\httpblocker.dll
+ 2007-11-14 22:06:36 3,266,040 ----a-w C:\WINDOWS\system32\ZoneLabs\streamapi\imslsp\imslsp.dll
+ 2006-09-05 02:59:14 503,875 ----a-w C:\WINDOWS\system32\ZoneLabs\upd_core.dll
+ 2007-10-11 22:50:32 832,984 ----a-w C:\WINDOWS\system32\ZoneLabs\updating.dll
+ 2007-11-14 22:05:06 144,936 ----a-w C:\WINDOWS\system32\ZoneLabs\updclient.exe
+ 2007-01-11 23:31:06 286,787 ----a-w C:\WINDOWS\system32\ZoneLabs\updtrsdk.dll
+ 2007-11-14 22:04:52 108,008 ----a-w C:\WINDOWS\system32\ZoneLabs\vsavpro.dll
+ 2007-11-14 22:04:52 83,432 ----a-w C:\WINDOWS\system32\ZoneLabs\vsdb.dll
+ 2007-11-14 22:05:06 75,304 ----a-w C:\WINDOWS\system32\ZoneLabs\vsmon.exe
+ 2007-11-14 22:04:52 2,029,032 ----a-w C:\WINDOWS\system32\ZoneLabs\vsmondll.dll
+ 2007-11-14 22:04:54 1,361,384 ----a-w C:\WINDOWS\system32\ZoneLabs\vsruledb.dll
+ 2007-11-14 22:04:54 239,080 ----a-w C:\WINDOWS\system32\ZoneLabs\vsvault.dll
+ 2007-01-11 17:12:08 2,432,259 ----a-w C:\WINDOWS\system32\ZoneLabs\zlasdbup.dat
+ 2007-11-14 22:04:56 177,640 ----a-w C:\WINDOWS\system32\ZoneLabs\zlparser.dll
+ 2007-11-14 22:04:56 79,344 ----a-w C:\WINDOWS\system32\ZoneLabs\zlquarantine.dll
+ 2007-11-14 22:04:58 382,440 ----a-w C:\WINDOWS\system32\ZoneLabs\zlsre.dll
+ 2007-11-14 22:04:58 120,296 ----a-w C:\WINDOWS\system32\ZoneLabs\zlupdate.dll
+ 2007-11-14 22:05:00 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22342B44-5B98-4B30-9D53-C182AD8DF217}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{93747BC3-6702-4137-8E3A-19C2CFEFAE3B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA5869D6-AA4A-49A5-8478-A78FF653C996}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c19a84c5-bf36-4527-b833-b33f8eb9fd9b}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"Tucan"="G:\Tuneup\virtumonde\AntiRootkit\PAVARK.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hcontrol"="C:\WINDOWS\ATK0100\Hcontrol.exe" [2004-07-19 15:05 61440]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2003-11-07 18:21 114688]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-10-06 23:10 344064]
"SonyPowerCfg"="C:\Program Files\Sony\VAIO Power Management\SPMgr.exe" [2004-10-21 21:12 184320]
"Switcher.exe"="C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2004-10-26 00:20 167936]
"ISBMgr.exe"="C:\Program Files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 16:12 32768]
"VAIO Update 2"="C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" [2004-09-21 20:54 151552]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-19 23:08 28672]
"VMConsole.exe"="C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VMConsole.exe" [2004-06-23 21:37 557056]
"F-StopW"="C:\Program Files\FSI\F-Prot\F-StopW.EXE" [2003-06-11 16:10 290816]
"FRISK FP-Scheduler"="C:\Program Files\FSI\F-Prot\F-Sched.exe" [2003-04-07 10:47 323584]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-11-08 16:13 1410304]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 06:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"MSN Messenger"="live.messenger.com" [2008-03-06 16:24 49167 C:\WINDOWS\live.messenger.com]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqnnnk]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
VESWinlogon.dll 2004-10-27 17:40 73728 C:\WINDOWS\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\aMSN\\bin\\wish.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\SwiftSwitch\\EliteSwitch.exe"=
"C:\\Program Files\\EliteSwitch\\EliteSwitch\\EliteSwitch.exe"=

R0 FPA_RTP;FPA_RTP;C:\WINDOWS\system32\Drivers\FSTOPW.SYS [2003-06-11 16:09]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-11-08 16:17]
R3 SPI;Sony Programmable I/O Control Device;C:\WINDOWS\system32\DRIVERS\SonyPI.sys [2002-08-20 13:59]
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-16 00:41]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - wscript go.vbs

.
Contents of the 'Scheduled Tasks' folder
"2005-10-31 18:46:45 C:\WINDOWS\Tasks\Registration reminder 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2005-10-31 18:46:46 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2005-10-31 18:46:46 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-07 09:46:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sony\vaio entertainment\VzTaskScheduler.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
.
**************************************************************************
.
Completion time: 2008-03-07 9:49:45 - machine was rebooted [Jenny3.0]
ComboFix-quarantined-files.txt 2008-03-07 15:49:34
ComboFix2.txt 2008-03-06 00:32:53
.
2008-03-05 05:41:00 --- E O F ---




RE: Badly infected lappy, WinXP, don't want to reinstall. HELP ME

Guest
Posted on 08-03-08 04:04
I know there are some baddies in 'Valued Customer' in Docs and Setts. I'm pretty sure it's called eraseme.exe, or something very similar. I could not boot into Gentoo from a CD; it failed during the boot process... first time ever, I dunno why, but not important now. That dir is inaccessible: Valued Customer is not a user, and admin can't get into it. It also says it's empty, but I know it contains something. I'm trying to get you the HJT now.



RE: Badly infected lappy, WinXP, don't want to reinstall. HELP ME

Guest
Posted on 08-03-08 04:07
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:35, on 2008-03-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\vaio entertainment\VzTaskScheduler.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VMConsole.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\Program Files\FSI\F-Prot\F-Sched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\aMSN\bin\wish.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Firefox\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Crusty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {22342B44-5B98-4B30-9D53-C182AD8DF217} - C:\WINDOWS\system32\ssqnnnk.dll
O2 - BHO: (no name) - {4FECE18E-B9C2-44B0-A974-FE810B3F319C} - C:\WINDOWS\system32\awvvv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {93747BC3-6702-4137-8E3A-19C2CFEFAE3B} - (no file)
O2 - BHO: (no name) - {AA5869D6-AA4A-49A5-8478-A78FF653C996} - (no file)
O2 - BHO: (no name) - {c19a84c5-bf36-4527-b833-b33f8eb9fd9b} - (no file)
O2 - BHO: {e14570f3-a653-e55b-7ea4-c6b428d2aa8e} - {e8aa2d82-4b6c-4ae7-b55e-356a3f07541e} - C:\WINDOWS\system32\mpcuaifp.dll
O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [VMConsole.exe] C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VMConsole.exe /windowmin
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BM0b8e15f7] Rundll32.exe "C:\WINDOWS\system32\twfuklut.dll",s
O4 - HKLM\..\RunServices: [MSN Messenger] live.messenger.com
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Tucan] "G:\Tuneup\virtumonde\AntiRootkit\PAVARK.exe" /Monitor
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: CabBuilder - http://ak.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143580234718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ssqnnnk - C:\WINDOWS\SYSTEM32\ssqnnnk.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment Task Scheduler - Sony Corporation - C:\Program Files\Sony\vaio entertainment\VzTaskScheduler.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

--
End of file - 12702 bytes



Author

RE: Badly infected lappy, Winxp, dont want to reinstall. HELP ME

korg
Admin from hell



Posts: 2798
Location: ENDING YOUR ONLINE EXPERIENCE!
Joined: 01.01.06
Rank:
God
Posted on 08-03-08 12:34
Ok then, I'll look these over and post back later. Got to go to work now, lots to do today.



I deal in pain, All life I drain, I dominate, I seal your fate.
Author

RE: Re: Infected Lappy


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 08-03-08 13:06
Ok, so for those of us who are marginally anti-techspot, what exactly is the prob?
Won't boot?
Not even into safe mode?
What version and SP of XP are u running?

Now reinstallation may not always be your first choice, but if it's that bad you may have to format and do a clean install. You may be able to repair it enough to burn your docs and pics to disc beforehand though.

Have u had a Geeba.exe, ageeb.exe or similar (vundofix?)? When I got one I had to reinstall at the end after tinkering for about 48 hours solid.
Author

RE: Badly infected lappy, Winxp, dont want to reinstall. HELP ME


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 08-03-08 13:06
Reinstall xp. Just glancing over all of this has given me a headache.


Author

RE: Badly infected lappy, Winxp, dont want to reinstall. HELP ME


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 08-03-08 17:35
whoever said reinstall xp, please leave this thread.
NEVER give up; NEVER reinstall (unless you've got bad hdd sectors, a nonexistent registry, and the only option is reformatting... but that's another story)

XP Pro SP2 (build 2600 I think)
Vaio laptop at 1.86GHz, 1024MB RAM, boots fine, runs fine

The problems we've had so far involve simply high CPU overhead from the virus/virii and a problem with her MSN account randomly sending viral messages.

Her father wanted to give the lappy to her uncle to just reinstall windows. Reinstalling is NOT an option because it would take ages to get everything reinstalled, and there is a program (F-prot antivirus) that her dad does NOT want to get rid of... never heard of it and i trust NOD32 better, tbh.

Thanks korg, as usual you're willing to help and that means a lot to me. Thanks for your time.

[edit] I have run vundofix and combofix, but whatever there is on her computer keeps repairing itself at boot. If anyone knows a version of nix on LiveCD that has built-in NTFS support, that would be great.




Edited by on 08-03-08 17:51
Author

RE: Badly infected lappy, Winxp, dont want to reinstall. HELP ME

SET
Member


Posts: 380
Location: 0
Joined: 22.02.07
Rank:
Moderate
Posted on 08-03-08 17:51
If CPU is getting high then tell me what the process is that is killing ur CPU... To do this go to Task Manager, Processes, CPU, and tell me which is at a very high CPU usage other than System Idle Process. Then go to Google, type in the process and see what comes up.


ARCSET.com
Author

RE: Badly infected lappy, Winxp, dont want to reinstall. HELP ME


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 08-03-08 18:12
umm... umm... I know how to use taskman, don't talk to me like I'm stupid please. Whatever it is does not show up in taskman, and it's not always high, but the computer definitely is much slower than it should be and occasionally there are periods of unnaturally high CPU overhead (roughly 10% without anything running, and it's not just Windows). The most logical solution is that there are hidden processes; we all know taskman doesn't show everything :\


Author

RE: Badly infected lappy, Winxp, dont want to reinstall. HELP ME

SET
Member


Posts: 380
Location: 0
Joined: 22.02.07
Rank:
Moderate
Posted on 08-03-08 18:22
Look u ungrateful ass, I was trying to help. So get off your high horse. I will treat you like a freaking idiot all day long.

There is a way to show hidden processes. But you're too much of an ass for me to tell u. Fix your own freaking problem.


ARCSET.com
Author

RE: Badly infected lappy, Winxp, dont want to reinstall. HELP ME


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 08-03-08 19:43
I'm sorry I offended you; I meant no harm. However, if you insist, treat me how you will; I meant no offense. I was in no way trying to be ungrateful. I simply assumed that others would assume that I had already looked for that; I've obviously tried various things to figure out exactly what the problem is, and it is just logical that I would have searched for offending processes. If you have nothing constructive to say, please don't waste your time. Thanks.


Author

RE: Badly infected lappy, Winxp, dont want to reinstall. HELP ME

korg
Admin from hell



Posts: 2798
Location: ENDING YOUR ONLINE EXPERIENCE!
Joined: 01.01.06
Rank:
God
Posted on 09-03-08 01:45
Ok Thors, here's what we do. Download Brute Force Uninstaller as we might need it. Also get VundoFix 7.00 if you don't have it yet.
Boot that baby up in safe mode and delete these files (if they won't delete, use the bruteforcer):
These are common files I have for this virus; some may not be there.

C:\WINDOWS\winlogin.exe (NOT winlogon which is part of windows)
C:\WINDOWS\drone.exe
C:\WINDOWS\a.exe
C:\WINDOWS\i.sys
C:\WINDOWS\rofl.sys
C:\WINDOWS\wkssvc.exe
C:\WINDOWS\eraseme.exe or any eraseme file (ex:eraseme_25887.exe)
C:\WINDOWS\BM0b8e15f7.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\awvvv.dll
C:\WINDOWS\system32\kvbqpbhw.dll
C:\WINDOWS\system32\kvsphoco.ini
C:\WINDOWS\system32\lspqrdrq.dll
C:\WINDOWS\system32\mpcuaifp.dll
C:\WINDOWS\system32\nnfjmdgk.dll
C:\WINDOWS\system32\ocohpsvk.dll
C:\WINDOWS\system32\poowqsbw.dll
C:\WINDOWS\system32\ssqnnnk.dll
C:\WINDOWS\system32\twfuklut.dll
C:\WINDOWS\system32\vpmoofho.dll
C:\WINDOWS\system32\vvvwa.ini
C:\WINDOWS\system32\vvvwa.ini2
C:\WINDOWS\system32\whbpqbvk.ini
C:\WINDOWS\system32\wswiuoph.dll
C:\WINDOWS\system32\winwil32.dll
C:\WINDOWS\system32\pmkjj.dll
C:\WINDOWS\system32\jjkmp.ini
C:\WINDOWS\system32\jjkmp.bak1
C:\WINDOWS\system32\vtsqo.dll
C:\WINDOWS\system32\oqstv.ini
C:\WINDOWS\system32\oqstv.bak1
C:\WINDOWS\system32\oqstv.bak2
C:\WINDOWS\system32\oqstv.ini2
C:\WINDOWS\system32\efcbbaw.dll.vir
C:\WINDOWS\system32\svc.exe
C:\WINDOWS\system32\ujkohjwa.ini
C:\WINDOWS\system32\mpcuaifp.dll
C:\WINDOWS\system32\eraseme.exe (same as above)


Delete these registry entries:

BHO: (no name) - {22342B44-5B98-4B30-9D53-C182AD8DF217} - C:\WINDOWS\system32\ssqnnnk.dll
BHO: (no name) - {4FECE18E-B9C2-44B0-A974-FE810B3F319C} - C:\WINDOWS\system32\awvvv.dll
BHO: (no name) - {93747BC3-6702-4137-8E3A-19C2CFEFAE3B}
BHO: (no name) - {AA5869D6-AA4A-49A5-8478-A78FF653C996}
BHO: (no name) - {c19a84c5-bf36-4527-b833-b33f8eb9fd9b} - (no file)
O2 - BHO: {e14570f3-a653-e55b-7ea4-c6b428d2aa8e} - {e8aa2d82-4b6c-4ae7-b55e-356a3f07541e} - C:\WINDOWS\system32\mpcuaifp.dll
O4 - HKLM\..\Run: [BM0b8e15f7] Rundll32.exe "C:\WINDOWS\system32\twfuklut.dll",s

Reboot in SAFE MODE, then run VundoFix and ComboFix, in that order. Redo your HJT list if you still have a problem.
This one is a bitch to get rid of, so be patient; it might take a couple of tries.

PS: Sorry it took so long to post back. We are having the worst snowstorm I've seen in a while. Couldn't even leave work till the plows came. <FUCK>






I deal in pain, All life I drain, I dominate, I seal your fate.

Edited by korg on 09-03-08 01:47
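A triage pass over a HijackThis log of the kind posted in this thread, as an added example that is not from the thread or from HijackThis: it parses the O-lines and flags the patterns korg singles out above (a no-name BHO, a Run entry that loads a DLL via Rundll32, and a Winlogon Notify package pointing at a random-named DLL in system32). The sample log is constructed (a few lines copied from the thread plus a made-up benign O2 entry for contrast), and the random-name regex and flagging rules are heuristics of my own, not a vendor's detection logic.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in HijackThis format: lines modelled on the log posted in
# this thread, plus one made-up benign BHO entry so a clean line is present.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {22342B44-5B98-4B30-9D53-C182AD8DF217} - C:\WINDOWS\system32\ssqnnnk.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [BM0b8e15f7] Rundll32.exe "C:\WINDOWS\system32\twfuklut.dll",s
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ssqnnnk - C:\WINDOWS\SYSTEM32\ssqnnnk.dll
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")            # "O20 - <body>"
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:dll|exe|sys)\b', re.I)
RANDOM_STEM_RE = re.compile(r"^[a-z]{5,8}$")         # heuristic: gibberish like ssqnnnk, twfuklut


def parse_entries(log_text):
    """Yield (section, body, first_path_or_None) for every O-line in the log."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        p = PATH_RE.search(body)
        yield section, body, (p.group(0) if p else None)


def triage(log_text):
    """Return [(section, filename, reason)] for entries that deserve a closer look."""
    findings = []
    for section, body, path in parse_entries(log_text):
        if path is None:
            continue                                   # e.g. "(no file)" entries
        wp = PureWindowsPath(path)
        in_system32 = "system32" in (part.lower() for part in wp.parts)
        random_name = bool(RANDOM_STEM_RE.match(wp.stem))
        if section == "O2" and "(no name)" in body:
            findings.append((section, wp.name, "BHO registered without a name"))
        elif section == "O4" and "rundll32" in body.lower() and in_system32 and random_name:
            findings.append((section, wp.name, "Run key loads random-named system32 DLL via Rundll32"))
        elif section == "O20" and in_system32 and random_name:
            findings.append((section, wp.name, "Winlogon Notify package is a random-named system32 DLL"))
    return findings


if __name__ == "__main__":
    for section, name, reason in triage(SAMPLE_LOG):
        print(f"{section} {name}: {reason}")
```

Winlogon Notify packages reload at every logon, which is why korg has you delete the files from safe mode before fixing the registry entries that reference them.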
Author

RE: Badly infected lappy, Winxp, dont want to reinstall. HELP ME


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 09-03-08 04:03
ah, you were right, I should have come here first. Her dad gave the lappy to her uncle to reformat today; she called me a while back. I've been working on this bitch for about a week and I guess he finally got a bit impatient. The biggest problem with that is that she'll probably only have a limited account now, but we might be able to solve that if we ever get physical access to the lappy when parents aren't at home.

Though, she said something about it being about time to buy her own... i can help out with that Grin

Thanks anyway, mate. By the way, any specific sites you know where I can read up on some of these virii? I just google whatever a scanner comes up with, but if you know any databases I can read through periodically it would be pretty cool.

Thanks so much for your trouble. BTW, we got about .00001" of snow here Grin didn't stick at all.




Edited by on 09-03-08 04:05
Author

RE: Badly infected lappy, Winxp, dont want to reinstall. HELP ME

korg
Admin from hell



Posts: 2798
Location: ENDING YOUR ONLINE EXPERIENCE!
Joined: 01.01.06
Rank:
God
Posted on 09-03-08 22:14
Damn dude, that's too bad, I'm sure we could have fixed it. Oh well, next time. I use this: http://us.mcafee.. . .virusInfo/ for virus info, plus my own list I've compiled over the years.

PS: We got about 8 inches of snow so far. It sucks.



I deal in pain, All life I drain, I dominate, I seal your fate.