Registered · 4 Posts · Discussion Starter · #1
  • I have a Sony Vaio VGN-FW139E Laptop that recently came across massive spyware and trojans. I tried all I could to get rid of the files through any Anti Virus/Malware program I could find until none of the programs would even update (Malwarebytes/Spyware Doctor/SuperAntiSpyware/Avast).....
  • I do have Vaio Recovery Center so I burned the Recovery CDs onto a DVD disk and then 'Restored C-Drive' through the Recovery Center (I didn't need to insert the Recovery Disks at all during this).
  • The minute that got finished the computer was still infected with this trojan called "Troj/Rustok-N"...I downloaded and updated Avira but it didn't detect the Troj/Rustok-N, but certain websites I tried surfing told me I had it and wouldn't let me view the websites.
  • I called Sony and they told me to insert my Recovery Disks and complete a 'Restore Complete System' and again, I still had the Malware and Trojans on my computer.
  • Every time I scan with a non-updated Scanner, it never detects anything, but when I'm surfing the internet, I get directed to numerous spyware pages etc.... So I know I have more than just Troj/Rustok-N....I believe everything is in my Registry...
  • I believe that when I recently burned my Recovery disks, all the bad trojans and whatnot got transferred over to my recovery disk?
  • Attached are my Logs and attachments. Please take a look at them and tell me what you think.



DDS (Ver_09-03-16.01) - NTFSx86
Run by Trenton at 13:35:53.66 on Mon 05/11/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3069.1986 [GMT -5:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\RtkAudioService.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\PSIService.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Sony\VAIO Power Management\SPMService.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Windows\system32\DllHost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Sony\VAIO Wireless Wizard\AutoLaunchWLASU.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\Apntex.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Trenton\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sony.com/vaiopeople
uDefault_Page_URL = hxxp://www.sony.com/vaiopeople
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ISBMgr.exe] "c:\program files\sony\isb utility\ISBMgr.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0\bin\jusched.exe"
mRun: [AML] c:\program files\sony\vaio launcher\AML.exe InitApp
mRun: [VAIOMyMemCenter] "c:\program files\sony\vaio my memory center\VAIO MyMemCenter.exe" 1
mRun: [VWLASU] "c:\program files\sony\vaio wireless wizard\AutoLaunchWLASU.exe"
mRun: [VAIO Help and Support Demo] "c:\program files\sony\vaio help and support demo\LaunchVHSD.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [OneCareUI] "c:\program files\microsoft windows onecare live\winssnotify.exe"
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: VESWinlogon - VESWinlogon.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\trenton\appdata\roaming\mozilla\firefox\profiles\y0ahswsz.default\
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-4-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-4-28 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-11 108289]
R2 RtkHDMIService;RtkHDMIService;c:\windows\RTKAUDIOSERVICE.EXE [2008-6-5 98304]
R2 VAIO Power Management;VAIO Power Management;c:\program files\sony\vaio power management\SPMService.exe [2008-6-5 411488]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2008-6-5 28464]
R3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [2008-6-5 9344]
S2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\microsoft windows onecare live\OcHealthMon.exe [2009-3-22 24936]
S3 SOHCImp;VAIO Media plus Content Importer;c:\program files\sony\vaio media plus\SOHCImp.exe [2009-5-11 104288]
S3 SOHDms;VAIO Media plus Digital Media Server;c:\program files\sony\vaio media plus\SOHDms.exe [2009-5-11 350048]
S3 SOHDs;VAIO Media plus Device Searcher;c:\program files\sony\vaio media plus\SOHDs.exe [2009-5-11 63328]
S3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\sony\vcm intelligent analyzing manager\VcmIAlzMgr.exe [2008-6-5 333088]
S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\common files\sony shared\vcmxml\VcmXmlIfHelper.exe [2008-6-5 87328]

=============== Created Last 30 ================

2009-05-11 12:36 40 -------- c:\windows\system32\ivireg.ivr
2009-05-11 12:30 1,645,320 -------- c:\windows\system32\gdiplus.dll
2009-05-11 12:29 212,480 -------- c:\windows\system32\PCDLIB32.DLL
2009-05-11 12:29 55,808 -------- c:\windows\system32\ArcSoftKsUFilter.dll
2009-05-11 12:29 245,408 -------- c:\windows\system32\unicows.dll
2009-05-11 12:26 <DIR> --d----- c:\program files\ATI Technologies
2009-05-11 12:26 <DIR> --d----- c:\program files\ATI
2009-05-11 12:20 21,954,560 a------- c:\windows\ocsetup_install_OEMHelpCustomization.etl
2009-05-11 12:20 196,608 a------- c:\windows\ocsetup_cbs_install_OEMHelpCustomization.perf
2009-05-11 12:20 65,536 a------- c:\windows\ocsetup_cbs_install_OEMHelpCustomization.dpx
2009-05-11 12:19 <DIR> --d----- c:\programdata\Uninstall
2009-05-11 12:19 <DIR> --d----- c:\progra~2\Uninstall
2009-05-11 12:19 <DIR> --d----- c:\programdata\Sonic
2009-05-11 12:18 0 -------- c:\windows\system32\104D_SONY_VGN-FW139E.mrk
2009-05-11 12:18 0 -------- c:\windows\system32\drivers\Sony_VGN-FW139E.mrk
2009-05-11 12:18 <DIR> --d----- c:\program files\OCA Marker
2009-05-11 12:17 <DIR> --d----- c:\programdata\Corel
2009-05-11 12:17 <DIR> --d----- c:\progra~2\Corel
2009-05-11 12:14 <DIR> --d----- c:\program files\Microsoft Windows OneCare Live Staging
2009-05-11 12:13 <DIR> --d----- c:\program files\Microsoft Windows OneCare Live
2009-05-11 12:12 <DIR> --d----- c:\program files\Microsoft Office Suite Activation Assistant
2009-05-11 12:11 32,592 -------- c:\windows\system32\msonpmon.dll
2009-05-11 12:09 <DIR> --d----- c:\programdata\Microsoft Help
2009-05-11 12:08 <DIR> --d----- c:\program files\common files\supportsoft
2009-05-11 12:08 3,518,464 -------- c:\windows\system32\cdintf300.dll
2009-05-11 12:08 1,843,200 -------- c:\windows\system32\acXMLParser.dll
2009-05-11 12:07 <DIR> --d----- c:\programdata\Intuit
2009-05-11 12:07 <DIR> --d----- c:\program files\Intuit
2009-05-11 12:07 <DIR> --d----- c:\program files\common files\Intuit
2009-05-11 12:07 <DIR> --d----- c:\progra~2\Intuit
2009-05-11 12:06 <DIR> --d----- c:\programdata\COMMON FILES
2009-05-11 12:06 <DIR> --d----- c:\progra~2\COMMON FILES
2009-05-11 12:06 <DIR> --d----- c:\program files\MSXML 4.0
2009-05-11 12:02 <DIR> --d----- c:\program files\Online Services
2009-05-11 12:02 <DIR> --d----- c:\programdata\SmartWi Connection Utility
2009-05-11 12:02 <DIR> --d----- c:\progra~2\SmartWi Connection Utility
2009-05-11 11:53 <DIR> --d----- c:\program files\common files\Steam
2009-05-11 11:53 <DIR> --d----- c:\program files\Steam
2009-05-11 11:45 <DIR> a-d----- c:\programdata\TEMP
2009-05-11 11:43 162,304 a------- c:\windows\system32\ztvunrar36.dll
2009-05-11 11:43 77,312 a------- c:\windows\system32\ztvunace26.dll
2009-05-11 11:43 69,632 a------- c:\windows\system32\ztvcabinet.dll
2009-05-11 11:43 153,088 a------- c:\windows\system32\UNRAR3.dll
2009-05-11 11:43 75,264 a------- c:\windows\system32\unacev2.dll
2009-05-11 11:43 <DIR> --d----- c:\users\trenton\appdata\roaming\Simply Super Software
2009-05-11 11:43 <DIR> --d----- c:\programdata\Simply Super Software
2009-05-11 11:43 <DIR> --d----- c:\program files\Trojan Remover
2009-05-11 11:43 <DIR> --d----- c:\progra~2\Simply Super Software
2009-05-11 11:33 37,440 a------- c:\windows\system32\drivers\msfwhlpr.sys
2009-05-11 11:33 91,200 a------- c:\windows\system32\drivers\msfwdrv.sys
2009-05-11 11:33 53,168 a------- c:\windows\system32\drivers\MpFilter.sys
2009-05-11 11:32 <DIR> --d----- c:\windows\PCHEALTH
2009-05-11 11:29 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-05-11 11:29 <DIR> --d----- c:\programdata\Avira
2009-05-11 11:29 <DIR> --d----- c:\program files\Avira
2009-05-11 11:29 <DIR> --d----- c:\progra~2\Avira
2009-05-11 11:24 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-05-11 11:24 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-05-11 11:23 <DIR> --d----- c:\users\trenton\appdata\roaming\SUPERAntiSpyware.com
2009-05-11 11:23 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-11 11:23 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-11 11:21 <DIR> --d----- c:\users\trenton\appdata\roaming\Malwarebytes
2009-05-11 11:21 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-11 11:21 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-11 11:21 <DIR> --d----- c:\programdata\Malwarebytes
2009-05-11 11:21 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-11 11:21 <DIR> --d----- c:\progra~2\Malwarebytes
2009-05-11 11:04 146 a------- c:\windows\WININIT.INI
2009-05-11 10:46 <DIR> --d----- c:\users\trenton\Bluetooth Software
2009-05-11 10:46 <DIR> --d----- c:\programdata\ATI
2009-05-11 10:45 <DIR> --d----- c:\users\Trenton

==================== Find3M ====================

2009-05-11 12:08 86,016 a------- c:\windows\inf\infstrng.dat
2009-05-11 12:08 86,016 a------- c:\windows\inf\infstor.dat
2009-05-11 12:08 51,200 a------- c:\windows\inf\infpub.dat
2008-06-05 12:52 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 21:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 13:36:14.67 ===============

Premium Member · 29,813 Posts
Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

------------------------------------------------------
 

Registered · 4 Posts · Discussion Starter · #6
ComboFix worked the 2nd time around for some reason. Here is my ComboFix.txt...And again, thanks for looking into this. This is the only forum that has given me any help!

ComboFix 09-05-13.04 - Trenton 05/14/2009 9:34.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3069.2178 [GMT -5:00]
Running from: c:\users\Trenton\Desktop\ComboFix.exe
AV: Windows Live OneCare *On-access scanning enabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *disabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Windows Live OneCare *enabled* (Updated) {CC7E50BA-BA8C-4DDE-B5AC-EA53BC38D01B}
.

((((((((((((((((((((((((( Files Created from 2009-04-14 to 2009-05-14 )))))))))))))))))))))))))))))))
.

2009-05-12 20:12 . 2009-05-12 20:12 -------- d-----w c:\users\Trenton\AppData\Roaming\vlc
2009-05-12 20:11 . 2009-05-12 20:11 -------- d-----w c:\program files\VideoLAN
2009-05-12 16:49 . 2009-05-13 19:11 -------- d-----w C:\Downloads
2009-05-12 16:34 . 2009-05-12 16:39 -------- d-----w c:\users\Trenton\Downloads
2009-05-12 16:15 . 2009-05-12 16:16 -------- d-----w c:\program files\QuickTime
2009-05-12 16:15 . 2009-05-12 16:15 -------- d-----w c:\programdata\Apple Computer
2009-05-12 16:15 . 2009-05-12 16:15 -------- d-----w c:\users\All Users\Apple Computer
2009-05-12 16:15 . 2009-05-12 16:15 -------- d-----w c:\users\Trenton\AppData\Local\Apple
2009-05-12 16:15 . 2009-05-12 16:15 -------- d-----w c:\program files\Apple Software Update
2009-05-12 16:15 . 2009-05-12 16:15 -------- d-----w c:\programdata\Apple
2009-05-12 16:15 . 2009-05-12 16:15 -------- d-----w c:\users\All Users\Apple
2009-05-12 16:05 . 2009-05-12 16:06 -------- d-----w c:\users\Trenton\.housecall6.6
2009-05-11 19:25 . 2009-05-11 19:25 -------- d-----w c:\program files\Trend Micro
2009-05-11 18:11 . 2009-05-11 18:11 -------- d-----w c:\users\Trenton\AppData\Local\Adobe
2009-05-11 17:30 . 2009-05-11 17:30 -------- d-----w c:\program files\Common Files\ArcSoft
2009-05-11 17:30 . 2004-05-04 18:53 1645320 ------w c:\windows\system32\gdiplus.dll
2009-05-11 17:29 . 1995-07-31 20:44 212480 ------w c:\windows\system32\PCDLIB32.DLL
2009-05-11 17:29 . 2008-01-29 02:28 55808 ------w c:\windows\system32\ArcSoftKsUFilter.dll
2009-05-11 17:29 . 2005-04-27 23:36 245408 ------w c:\windows\system32\unicows.dll
2009-05-11 17:29 . 2009-05-11 16:14 -------- d-----w c:\program files\ArcSoft
2009-05-11 17:26 . 2009-05-11 17:27 -------- d-----w c:\program files\ATI Technologies
2009-05-11 17:26 . 2009-05-11 17:26 -------- d-----w c:\program files\ATI
2009-05-11 17:19 . 2009-05-11 17:19 -------- d-----w c:\programdata\Uninstall
2009-05-11 17:19 . 2009-05-11 17:19 -------- d-----w c:\users\All Users\Uninstall
2009-05-11 17:19 . 2009-05-11 17:19 -------- d-----w c:\programdata\Sonic
2009-05-11 17:19 . 2009-05-11 17:19 -------- d-----w c:\users\All Users\Sonic
2009-05-11 17:18 . 2009-05-11 17:18 -------- d-----w c:\program files\OCA Marker
2009-05-11 17:17 . 2009-05-11 17:17 -------- d-----w c:\programdata\Corel
2009-05-11 17:17 . 2009-05-11 17:17 -------- d-----w c:\users\All Users\Corel
2009-05-11 17:14 . 2009-05-11 16:33 -------- dc----w c:\windows\system32\DRVSTORE
2009-05-11 17:13 . 2009-05-14 14:29 -------- d-----w c:\program files\Microsoft Windows OneCare Live
2009-05-11 17:12 . 2009-05-11 17:12 -------- d-----w c:\program files\Microsoft Office Suite Activation Assistant
2009-05-11 17:11 . 2006-10-27 02:56 32592 ------w c:\windows\system32\msonpmon.dll
2009-05-11 17:09 . 2009-05-11 15:55 -------- d-----w c:\programdata\Microsoft Help
2009-05-11 17:09 . 2009-05-11 15:55 -------- d-----w c:\users\All Users\Microsoft Help
2009-05-11 17:08 . 2009-05-11 17:08 -------- d-----w c:\program files\Common Files\supportsoft
2009-05-11 17:08 . 2007-06-28 21:09 1843200 ------w c:\windows\system32\acXMLParser.dll
2009-05-11 17:08 . 2007-07-30 21:44 3518464 ------w c:\windows\system32\cdintf300.dll
2009-05-11 17:07 . 2009-05-11 17:07 -------- d-----w c:\program files\Common Files\Intuit
2009-05-11 17:07 . 2009-05-11 17:35 -------- d-----w c:\programdata\Intuit
2009-05-11 17:07 . 2009-05-11 17:35 -------- d-----w c:\users\All Users\Intuit
2009-05-11 17:07 . 2009-05-11 17:07 -------- d-----w c:\program files\Intuit
2009-05-11 17:06 . 2009-05-11 17:06 -------- d-----w c:\programdata\COMMON FILES
2009-05-11 17:06 . 2009-05-11 17:06 -------- d-----w c:\users\All Users\COMMON FILES
2009-05-11 17:06 . 2009-05-11 17:06 -------- d-----w c:\program files\MSXML 4.0
2009-05-11 17:04 . 2009-05-11 15:57 -------- d-----w c:\program files\Microsoft Works
2009-05-11 17:02 . 2009-05-11 17:02 -------- d-----w c:\programdata\SmartWi Connection Utility
2009-05-11 17:02 . 2009-05-11 17:02 -------- d-----w c:\users\All Users\SmartWi Connection Utility
2009-05-11 16:53 . 2009-05-11 17:54 -------- d-----w c:\program files\Common Files\Steam
2009-05-11 16:53 . 2009-05-14 14:30 -------- d-----w c:\program files\Steam
2009-05-11 16:45 . 2009-05-11 17:53 -------- d---a-w c:\programdata\TEMP
2009-05-11 16:45 . 2009-05-11 17:53 -------- d---a-w c:\users\All Users\TEMP
2009-05-11 16:43 . 2005-08-26 06:50 77312 ----a-w c:\windows\system32\ztvunace26.dll
2009-05-11 16:43 . 2006-05-25 20:52 162304 ----a-w c:\windows\system32\ztvunrar36.dll
2009-05-11 16:43 . 2006-06-19 18:01 69632 ----a-w c:\windows\system32\ztvcabinet.dll
2009-05-11 16:43 . 2002-03-06 06:00 75264 ----a-w c:\windows\system32\unacev2.dll
2009-05-11 16:43 . 2003-02-03 01:06 153088 ----a-w c:\windows\system32\UNRAR3.dll
2009-05-11 16:43 . 2009-05-11 16:43 -------- d-----w c:\programdata\Simply Super Software
2009-05-11 16:43 . 2009-05-11 16:43 -------- d-----w c:\users\All Users\Simply Super Software
2009-05-11 16:43 . 2009-05-11 16:43 -------- d-----w c:\program files\Trojan Remover
2009-05-11 16:43 . 2009-05-11 16:43 -------- d-----w c:\users\Trenton\AppData\Roaming\Simply Super Software
2009-05-11 16:33 . 2007-11-28 03:44 37440 ----a-w c:\windows\system32\drivers\msfwhlpr.sys
2009-05-11 16:33 . 2007-11-28 03:45 91200 ----a-w c:\windows\system32\drivers\msfwdrv.sys
2009-05-11 16:33 . 2008-05-15 21:15 53168 ----a-w c:\windows\system32\drivers\MpFilter.sys
2009-05-11 16:32 . 2009-05-11 16:32 -------- d-----w c:\windows\PCHEALTH
2009-05-11 16:29 . 2009-03-24 21:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-11 16:29 . 2009-05-11 16:29 -------- d-----w c:\program files\Avira
2009-05-11 16:29 . 2009-05-11 16:29 -------- d-----w c:\programdata\Avira
2009-05-11 16:29 . 2009-05-11 16:29 -------- d-----w c:\users\All Users\Avira
2009-05-11 16:24 . 2009-05-11 16:24 -------- d-----w c:\programdata\SUPERAntiSpyware.com
2009-05-11 16:24 . 2009-05-11 16:24 -------- d-----w c:\users\All Users\SUPERAntiSpyware.com
2009-05-11 16:23 . 2009-05-11 16:23 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-11 16:23 . 2009-05-11 16:23 -------- d-----w c:\users\Trenton\AppData\Roaming\SUPERAntiSpyware.com
2009-05-11 16:23 . 2009-05-11 16:23 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-11 16:21 . 2009-05-11 16:21 -------- d-----w c:\users\Trenton\AppData\Roaming\Malwarebytes
2009-05-11 16:21 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-11 16:21 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-11 16:21 . 2009-05-11 16:21 -------- d-----w c:\programdata\Malwarebytes
2009-05-11 16:21 . 2009-05-11 16:21 -------- d-----w c:\users\All Users\Malwarebytes
2009-05-11 16:21 . 2009-05-11 16:21 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-11 16:20 . 2009-05-11 16:20 -------- d-----w c:\users\Trenton\AppData\Local\Mozilla
2009-05-11 15:50 . 2009-05-11 15:50 -------- d-----w c:\users\Administrator\Documents
2009-05-11 15:50 . 2009-05-11 15:50 -------- d-----w c:\users\Administrator
2009-05-11 15:46 . 2009-05-11 15:46 -------- d-----w c:\users\Trenton\Bluetooth Software
2009-05-11 15:46 . 2009-05-11 15:46 -------- d-----w c:\programdata\ATI
2009-05-11 15:46 . 2009-05-11 15:46 -------- d-----w c:\users\All Users\ATI
2009-05-11 15:46 . 2009-05-11 15:46 -------- d-----w c:\users\Trenton\AppData\Roaming\ATI
2009-05-11 15:46 . 2009-05-11 15:46 -------- d-----w c:\users\Trenton\AppData\Local\ATI
2009-05-11 15:41 . 2009-05-11 15:41 -------- d-----r c:\windows\system32\config\systemprofile\Contacts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-14 05:14 . 2008-06-05 17:29 12 ----a-w c:\windows\bthservsdp.dat
2009-05-11 17:33 . 2008-06-05 18:47 -------- d-----w c:\program files\Sony
2009-05-11 17:29 . 2008-06-05 18:10 -------- d-----w c:\program files\Common Files\InstallShield
2009-05-11 17:18 . 2009-05-11 17:18 0 ------w c:\windows\system32\drivers\Sony_VGN-FW139E.mrk
2009-05-11 16:33 . 2008-06-05 18:56 -------- d-----w c:\program files\Common Files\PX Storage Engine
2009-05-11 16:15 . 2009-05-11 15:45 80104 ----a-w c:\users\Trenton\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-11 15:59 . 2008-06-05 18:10 -------- d--h--w c:\program files\InstallShield Installation Information
2008-01-21 02:43 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-04-28 1830128]
"Steam"="c:\program files\Steam\Steam.exe" [2009-05-11 1410296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2008-02-23 122880]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2008-04-04 317280]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe" [2008-06-05 77824]
"AML"="c:\program files\Sony\VAIO Launcher\AML.exe" [2008-03-26 1093632]
"VAIOMyMemCenter"="c:\program files\Sony\VAIO My Memory Center\VAIO MyMemCenter.exe" [2008-02-29 679936]
"VWLASU"="c:\program files\Sony\VAIO Wireless Wizard\AutoLaunchWLASU.exe" [2008-02-19 24576]
"VAIO Help and Support Demo"="c:\program files\Sony\VAIO Help and Support Demo\LaunchVHSD.exe" [2007-08-28 290816]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-03-22 63864]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-05-10 1059208]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-04-29 6111232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2008-05-16 00:20 98304 ------w c:\windows\System32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C6E1E999-D0BF-4539-AB00-5784D17EE282}"= UDP:c:\program files\Malwarebytes' Anti-Malware\mbam.exe:Malwarebytes' Anti-Malware
"{45C8C439-2C4B-46A1-85B7-66F6BC628AE4}"= TCP:c:\program files\Malwarebytes' Anti-Malware\mbam.exe:Malwarebytes' Anti-Malware
"{B1094518-D99F-4CEA-A111-4A60F505BF3C}"= UDP:c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe:SUPERAntiSpyware Free Edition
"{4E51A9A5-68FF-4024-9CD8-98093A94E180}"= TCP:c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe:SUPERAntiSpyware Free Edition
"{35680060-6F6C-45E0-87E4-E379CA573E6A}"= UDP:c:\program files\SUPERAntiSpyware\RUNSAS.EXE:SUPERAntiSpyware Alternate Start
"{B60DC64F-6968-4669-B41C-DE6F16DD1F36}"= TCP:c:\program files\SUPERAntiSpyware\RUNSAS.EXE:SUPERAntiSpyware Alternate Start

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/11/2009 11:29 AM 108289]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [3/22/2009 10:59 AM 24936]
R2 RtkHDMIService;RtkHDMIService;c:\windows\RTKAUDIOSERVICE.EXE [6/5/2008 1:12 PM 98304]
R2 VAIO Power Management;VAIO Power Management;c:\program files\Sony\VAIO Power Management\SPMService.exe [6/5/2008 3:00 PM 411488]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\System32\drivers\btwl2cap.sys [6/5/2008 1:19 PM 28464]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
R3 SFEP;Sony Firmware Extension Parser;c:\windows\System32\drivers\SFEP.sys [6/5/2008 12:34 PM 9344]
S3 SOHCImp;VAIO Media plus Content Importer;c:\program files\Sony\VAIO Media plus\SOHCImp.exe [5/11/2009 12:23 PM 104288]
S3 SOHDms;VAIO Media plus Digital Media Server;c:\program files\Sony\VAIO Media plus\SOHDms.exe [5/11/2009 12:23 PM 350048]
S3 SOHDs;VAIO Media plus Device Searcher;c:\program files\Sony\VAIO Media plus\SOHDs.exe [5/11/2009 12:23 PM 63328]
S3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [6/5/2008 1:58 PM 333088]
S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe [6/5/2008 1:59 PM 87328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8805bdd-3fd5-11de-86cd-001e3deaad3b}]
\shell\AutoRun\command - G:\Autorun.exe /run
\shell\Shell00\Command - G:\Autorun.exe /run
\shell\Shell01\Command - G:\Autorun.exe /action
\shell\Shell02\Command - G:\Autorun.exe /uninstall
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sony.com/vaiopeople
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\Trenton\AppData\Roaming\Mozilla\Firefox\Profiles\y0ahswsz.default\
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\users\Trenton\AppData\Roaming\Mozilla\Firefox\Profiles\y0ahswsz.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-14 09:36
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1628)
c:\windows\system32\btncopy.dll
.
Completion time: 2009-05-14 9:37
ComboFix-quarantined-files.txt 2009-05-14 14:37

Pre-Run: 190,379,948,032 bytes free
Post-Run: 190,444,721,152 bytes free

 

· Premium Member · 29,813 Posts
Hello Schtrz987. ComboFix didn't find anything, and I'm not seeing anything amiss in your logs.

Are you still having the same problems? Please tell us how your system is behaving.

------------------------------------------------------

Please save this page to Notepad in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Go to Start > Run and copy/paste the following into the Run box and click OK:

cmd /c rd /s /q "c:\users\Trenton\.housecall6.6\quarantine"

A DOS window will open and close again, this is normal.

------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and Save it to your Desktop.
  • Scroll down to where it says Java Runtime Environment (JRE) 6 Update 13. The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement
  • Click Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and Save the file to your Desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start(or My Computer) > Control Panel and double-click on Programs and Features and remove all older versions of Java.
  • Click (highlight) any item with Java Runtime Environment (JRE, J2SE, Java(TM) SE or Java(TM) 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
  • After the install is complete, go back to your Control Panel(using Classic View) and click the Java icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window.
    • Click OK to leave the Java Control Panel.
    • Delete jre-6u13-windows-i586-p.exe from your desktop.
------------------------------------------------------

Please download ATF-Cleaner by Atribune and Save it to your Desktop.
  • Right-click ATF-Cleaner.exe and choose Run as Administrator to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

------------------------------------------------------

Please run this online scan to help look for remnants.

Ensure your external and/or USB drives are inserted during the scan.

In Microsoft Windows Vista, you must open the Web browser via a right-click using the Run as Administrator command.

Establish an internet connection & perform an online scan at Kaspersky Online Scanner

Click Accept when prompted to download and install the program files and database of malware definitions.
  • Click Run at any Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected.
  • It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

------------------------------------------------------

Please post the following in your next reply:

Kaspersky report
report on system behavior
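
Added example, not from this thread and not part of ComboFix, ATF-Cleaner or any other tool mentioned above: a PowerShell audit that lists the Java runtimes registered on the machine and reports every one older than the newest, which is exactly the set of "older version Java components" the post above asks the poster to remove through Programs and Features. It assumes Windows PowerShell 3.0 or later and the standard Uninstall registry keys; the function names `Get-InstalledJava`, `Get-StaleJava` and `Get-JavaFolders` are chosen here.

```powershell
# Added example, not part of the original thread. Audits installed Java runtimes
# through the standard Uninstall registry keys; assumes Windows PowerShell 3.0+.

function Get-InstalledJava {
    # Check both the native and the 32-bit (Wow6432Node) uninstall hives, so a
    # 32-bit JRE on 64-bit Windows is found too.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $p = Get-ItemProperty -Path $key.PSPath
            # Same name patterns the post tells the user to look for (JRE, J2SE, Java(TM) SE ...)
            if ($p.DisplayName -notmatch 'Java|J2SE|JRE') { continue }
            $version = $null
            try { $version = [version]$p.DisplayVersion } catch { }
            [pscustomobject]@{
                Name            = $p.DisplayName
                Version         = $version
                InstallLocation = $p.InstallLocation
                UninstallString = $p.UninstallString
            }
        }
    }
}

function Get-StaleJava {
    # Everything except the single newest entry counts as an older Java component
    $installed = @(Get-InstalledJava |
        Where-Object { $_.Version -ne $null } |
        Sort-Object Version -Descending)
    if ($installed.Count -le 1) { return @() }
    $installed | Select-Object -Skip 1
}

function Get-JavaFolders {
    # Folders left under Program Files\Java. The DDS log in this thread shows
    # Firefox loading plugins from c:\program files\Java\jre1.6.0\bin, i.e. the
    # original JRE 6 release with no update applied, which is why the helper
    # flagged Java as out of date.
    $dirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($d in $dirs) {
        $java = Join-Path $d 'Java'
        if (Test-Path $java) {
            Get-ChildItem -Path $java -Directory | Select-Object -ExpandProperty FullName
        }
    }
}

Write-Host '== Installed Java entries =='
Get-InstalledJava | Format-Table Name, Version -AutoSize
Write-Host '== Entries older than the newest (candidates for removal) =='
Get-StaleJava | Format-Table Name, Version, UninstallString -AutoSize
Write-Host '== Java folders under Program Files =='
Get-JavaFolders
```

Run it from an elevated PowerShell prompt before and after following the Java steps above: before, the stale list shows what still needs uninstalling; after, it should be empty and only the folder of the newly installed JRE should remain under Program Files\Java. The `UninstallString` column is the same command Programs and Features runs when you click Remove, so it can be used to confirm each entry was actually removed rather than just hidden.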
 

· Premium Member · 29,813 Posts
Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

IMPORTANT - Read This Before Posting For Malware Removal Help

------------------------------------------------------
 