Author Topic: Fresh Install Hacker Still Trying To Break In and Making Threats  (Read 12195 times)
Rodney Peterson
« Reply #15 on: November 29, 2009, 11:13:53 PM »

Unrelated to my problem but figured someone here who lives in the Los Angeles area like I do might financially benefit from this. I've been looking for part time jobs and came across this just now on Craigslist:

Hi there: This is just a one-time job but I am willing to reasonably compensate someone for it. I am looking for someone who is very good at dealing with computer problems to retrieve most of the files from my old computer's internal hard drive and upload them to an external hard disk drive. It is a black 15" Dell Inspiron 1525 laptop or notebook computer that I purchased from Best Buy around July 2008. It suddenly stopped working within the past couple of weeks. I believe that there is some sort of problem with the internal hard drive because I found postings on the Internet suggesting that this problem is very common among Dell computers. The computer now makes a clicking noise when the power is turned on. It also has some sort of error message stating the computer has "no bootable device." Please send an email with information about your credentials, the type of equipment that you have to retrieve the files for me or that I need to buy for you, the amount of compensation you want, and the amount of estimated time this task will take.

Here's the E-Mail if anyone would like to follow through and talk to the guy:

job-ubr9a-1487490701[at]craigslist.org
jay2007tech
« Reply #16 on: November 30, 2009, 08:29:44 AM »

As for Dell computers, I know based on what I've seen that they tend to be underpowered. <---general info

anyway,

Quote
72.9.241.58, 208.71.113.221, 89.138.127.201, 202.73.10.67, 91.62.31.55, 84.108.5.5

Quote
IP address: 72.9.241.58
IP country code: US
IP address country: United States
IP address state: Georgia
IP address city: Atlanta
IP postcode: 30310
IP address latitude: 33.7257
IP address longitude: -84.4309
ISP of this IP: Global Net Access
Organization: Comodo
Local time in United States: 2009-11-30 08:18

Quote
IP address: 208.71.113.221
IP country code: CA
IP address country: Canada
IP address state: Ontario
IP address city: Toronto
IP postcode: m5j2n1
IP address latitude: 43.6667
IP address longitude: -79.4167
ISP of this IP: Neutral Data Centers Corp.
Organization: Neutral Data Centers Corp.
Local time in Canada: 2009-11-30 07:19

Quote
IP address: 89.138.127.201
IP country code: IL
IP address country: Israel

Quote
IP address: 202.73.10.67
IP country code: MY
IP address country: Malaysia

Quote
IP address: 91.62.31.55
IP country code: DE
IP address country: Germany

Quote
IP address: 84.108.5.5
IP country code: IL
IP address country: Israel

Your attacker is probably using a proxy, based on this.

You should report this to your local FBI office, on the phone (preferably NOT USING YOUR IPHONE), including the IP addresses with the country names and everything else you have available. Call your ISP and ask for your complete records of internet usage, and ask for a pen trace and to have it monitored if possible.

It's hard being a crooked Admin when the files won't pass an md5checksum test.  But like any other good crooked Admin it can be done, it just takes time(and lots of it) and a few aspirins
Rodney Peterson
« Reply #17 on: November 30, 2009, 10:09:07 AM »

Comodo has been added to my list of inaccessible websites from the computer (iPhone here again).

I was at the FBI when this started a few times and recently filed with IC3. They apparently do nothing or take forever.

The iPhone is probably more secure right now with a new set of software and a password; if worse comes to worst I restore it again.

I'm guessing the problem with comodo and other web sites is a stealth redirect.

And there's this:


Comodo set uplinksy bot spyware Trojan toolbar hack 5127 no stopping now asswipe

(Comodo is once again accessible from the internet almost as soon as I typed this post, before the edit here. Part of the time these guys are dangerous, then at other times they're just really, really annoying.)
« Last Edit: November 30, 2009, 11:54:28 AM by Rodney Peterson »
jay2007tech
« Reply #18 on: November 30, 2009, 11:09:48 AM »

Quote
By the way
You really should remove the 2 sentences that start with "By the way", at least in the public forums here.

Quote
They apparently do nothing or take forever.
If they ever do anything, they'll never tell you the progress of your case, but your case may be too low of a priority for them to do anything about it too.

1) Have you ever considered switching ISP companies for internet?

2) If you're not going to be downloading software, have you considered using the "guest" account for logging on to the computer? A lot of infections rely on administrator access.

MOST IMPORTANTLY, this is what I put on my pop's computer because I got tired of fixing it.
3) Why don't you use Windows SteadyState? It's just like Comodo Time Machine:
http://www.microsoft.com/downloads/details.aspx?FamilyId=D077A52D-93E9-4B02-BD95-9D770CCDB431&displaylang=en#Requirements

When your computer is perfect and using SteadyState, if your computer gets infected it won't be a big deal. Just don't save anything on shutdown. The only time something gets saved on the computer is if you click on "save items on shutdown" (something like that).
A good example:
I can intentionally infect myself with some of the nastiest stuff, but if I don't save the changes during shutdown, nothing gets saved. It'll go back to the way it was the time before.

Please read about Microsoft SteadyState when you have time. <-----This might be your only solution, next to using Linux.


BTW, LAPD really doesn't know much about computer attacks.
Rodney Peterson
« Reply #19 on: November 30, 2009, 11:58:10 AM »

I'll try that. I recently did switch ISPs, from a wired connection to wireless, and the problems worsened.

How is it even possible to save anything during shutdown? You mean some people do it after the process has started?

Oh, and you're likely right about the FBI considering individual computer attacks low priority. Anyone can see there are real-world problems out there involving violent crime and high-dollar crime they use their resources on first. If he was doing this to CNN or a high-profile company, it would be a different set of priorities. We've found the same with the cell phone companies: the problem is widespread.
« Last Edit: November 30, 2009, 12:25:13 PM by Rodney Peterson »
Rodney Peterson
« Reply #20 on: November 30, 2009, 12:02:32 PM »

Good suggestion; unfortunately Windows SteadyState is not supported on 64-bit machines.

Guess I should read about Comodo Time Machine.

Okay, something for you Time Machine guys to work on. It's a very good app from everything I see, but I can't use it because it doesn't support RAID drives. Yet.

As one poster here suggested, I'm definitely considering changing the screen name here, but if I'm being monitored at my every move that really wouldn't help much. Still, if a new thread becomes a necessity I'll likely do that.
« Last Edit: November 30, 2009, 12:11:53 PM by Rodney Peterson »
eXPerience
« Reply #21 on: November 30, 2009, 12:18:55 PM »

Hi,

Can you please make some screenshots of the following items? Scroll down if they don't fit in one shot. Look here on how to make those:

- active firewall connections (under the tab : Firewall)
- running processes (under the tab: defense+)

and another HijackThis log please. http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

thanks,
eXp

Rodney Peterson
« Reply #22 on: November 30, 2009, 12:50:22 PM »

A little bit of difficulty with the photos but here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:48:06 AM, on 11/30/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files\Sony\VAIO Care\listener.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files (x86)\uTorrent\uTorrent.exe
C:\Program Files (x86)\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files (x86)\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Sony\VAIO Wireless Wizard\AutoLaunchWLASU.exe
C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe
C:\Program Files (x86)\COMODO\livePCsupport\ELPS.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files\Sony\VAIO Reminder\VAIOReminder.exe
C:\PROGRA~2\MICROS~1\WkDStore.exe
C:\PROGRA~2\MICROS~1\wkgdcach.exe
C:\PROGRA~2\MICROS~1\WksWP.exe
C:\PROGRA~2\GRETECH\GOMPLA~1\GOM.exe
C:\Program Files (x86)\FastStone Capture\FSCapture.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Partner BHO Class - {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\partner.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\4.1.805.1852\swg.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe  startup
O4 - HKLM\..\Run: [VAIORegistration] "C:\Program Files\Sony\First Experience\WelcomeLauncher.exe"
O4 - HKLM\..\Run: [VAIOSurvey] "C:\Program Files (x86)\Sony\VAIO Survey\VAIO Sat Survey.exe"
O4 - HKLM\..\Run: [VWLASU] "C:\Program Files\Sony\VAIO Wireless Wizard\AutoLaunchWLASU.exe"
O4 - HKLM\..\Run: [ISBMgr.exe] "C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe"
O4 - HKLM\..\Run: [AML] "C:\Program Files (x86)\Sony\VAIO Launcher\AML.exe" InitApp
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files (x86)\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [COMODO livePCsupport] "C:\Program Files (x86)\COMODO\livePCsupport\ELPS.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Send To Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: Send to &Bluetooth Device... - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O15 - Trusted Zone: www.corel.com
O15 - Trusted Zone: http://*.corel.com
O15 - Trusted Zone: www.intervideo.com
O15 - Trusted Zone: http://*.intervideo.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9830818-346D-413E-B4D2-7D66711152D8}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{E126FC9B-0BF3-4390-AEEC-CC3EC69FC5A8}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CS1\Services\Tcpip\..\{A9830818-346D-413E-B4D2-7D66711152D8}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CS2\Services\Tcpip\..\{A9830818-346D-413E-B4D2-7D66711152D8}: NameServer = 156.154.70.22,156.154.71.22
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files (x86)\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - AppInit_DLLs:  C:\Windows\SysWOW64\guard32.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: [at]%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: [at]dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: IviRegMgr - InterVideo - c:\Program Files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: [at]keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files (x86)\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: [at]comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: [at]%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files (x86)\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Partner Service - Google Inc. - C:\ProgramData\Partner\partner.exe
O23 - Service: [at]%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: [at]%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: Realtek Audio Service (RtkAudioService) - Realtek Semiconductor - C:\Windows\RtkAudioService.exe
O23 - Service: Intel(R) Sample Collector (SampleCollector) - Intel Corporation - C:\Program Files\Sony\VAIO Care\collsvc.exe
O23 - Service: [at]%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: [at]%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: [at]%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: VAIO Media plus Content Importer (SOHCImp) - Sony Corporation - C:\Program Files (x86)\Sony\VAIO Media plus\SOHCImp.exe
O23 - Service: VAIO Media plus Digital Media Server (SOHDms) - Sony Corporation - C:\Program Files (x86)\Sony\VAIO Media plus\SOHDms.exe
O23 - Service: VAIO Media plus Device Searcher (SOHDs) - Sony Corporation - C:\Program Files (x86)\Sony\VAIO Media plus\SOHDs.exe
O23 - Service: [at]%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files (x86)\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: CamMonitor (uCamMonitor) - ArcSoft, Inc. - C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe
O23 - Service: [at]%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VzHardwareResourceManager\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Power Management - Sony Corporation - C:\Program Files\Sony\VAIO Power Management\SPMService.exe
O23 - Service: VAIO Content Folder Watcher (VCFw) - Sony Corporation - C:\Program Files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe
O23 - Service: VAIO Content Metadata Intelligent Analyzing Manager (VcmIAlzMgr) - Sony Corporation - C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe
O23 - Service: VAIO Content Metadata XML Interface (VcmXmlIfHelper) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper64.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: [at]%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: [at]%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: [at]%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: [at]%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Unknown owner - C:\Windows\system32\DRIVERS\xaudio64.exe (file missing)

--
End of file - 12519 bytes
jay2007tech
« Reply #23 on: November 30, 2009, 01:55:28 PM »

Let's get the easy ones out of the way first; it'll make it easier.

1)C:\Program Files\Sony\VAIO Care\listener.exe  <-- delete

3)C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe  <--do you use bluetooth??

4)C:\Program Files\Sony\VAIO Reminder\VAIOReminder.exe  <--do you need sony to remind you of updates??

5)C:\PROGRA~2\MICROS~1\WkDStore.exe  <---Do you use Microsoft works??

6)C:\PROGRA~2\MICROS~1\wkgdcach.exe<---Do you use Microsoft works??

7)C:\PROGRA~2\MICROS~1\WksWP.exe <--Do you use word processor for microsoft works??

8)C:\PROGRA~2\GRETECH\GOMPLA~1\GOM.exe  <--This isn't privacy friendly (GOM Player). Ever considered "VLC Player"? It's open source.

9)C:\Program Files (x86)\FastStone Capture\FSCapture.exe <---this takes pictures of your screen, do you use this??

10)R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = <---delete

11)F2 - REG:system.ini: UserInit=userinit.exe  <---90% sure you can safely delete this, remember you have a backup copy

12)O1 - Hosts: ::1 localhost  <----delete

13)O2 - BHO: Partner BHO Class - {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\partner.dll <---delete

14)O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar.dll  <---do you use google tool bar

15)O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\4.1.805.1852\swg.dll  <--do you use google toolbar

16)O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar.dll  <--do you use google toolbar

17)O4 - HKLM\..\Run: [VAIORegistration] "C:\Program Files\Sony\First Experience\WelcomeLauncher.exe" <-----do you really need this,  self explanatory

18)O4 - HKLM\..\Run: [VAIOSurvey] "C:\Program Files (x86)\Sony\VAIO Survey\VAIO Sat Survey.exe" <--If you're not going to do the survey, delete

19)O9 - Extra button: Send To Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm  <--do you use bluetooth

20)O9 - Extra 'Tools' menuitem: Send to &Bluetooth Device... - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm  <--do you use bluetooth

21)O23 - Service: [at]keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)  <---90% sure you can delete this,  you still have the backup

22)O23 - Service: [at]%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing) <--<---90% sure you can delete this,  you still have the backup

23)O4 - Global Startup: Bluetooth.lnk = ?  <--do you use bluetooth

24)O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm <--do you use bluetooth

25)O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm  <---do you use bluetooth

26)O17 - HKLM\System\CCS\Services\Tcpip\..\{A9830818-346D-413E-B4D2-7D66711152D8}: NameServer = 156.154.70.22,156.154.71.22  <---these 4 are Comodo DNS servers, do you use them?
O17 - HKLM\System\CCS\Services\Tcpip\..\{E126FC9B-0BF3-4390-AEEC-CC3EC69FC5A8}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CS1\Services\Tcpip\..\{A9830818-346D-413E-B4D2-7D66711152D8}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CS2\Services\Tcpip\..\{A9830818-346D-413E-B4D2-7D66711152D8}: NameServer = 156.154.70.22,156.154.71.22
After this, create a new HijackThis log and post it here.
« Last Edit: November 30, 2009, 02:03:32 PM by jay2007tech »
eXPerience
« Reply #24 on: November 30, 2009, 02:27:41 PM »

Here's my go at it:

Possible unwanted:
Quote
[?] - C:\Program Files\Sony\VAIO Care\listener.exe
[?] - C:\Program Files\Sony\VAIO Wireless Wizard\AutoLaunchWLASU.exe
[?] - C:\Program Files\Sony\VAIO Reminder\VAIOReminder.exe
[?] - F2 - REG:system.ini: UserInit=userinit.exe
[?] - O4 - HKLM\..\Run: [VAIORegistration] "C:\Program Files\Sony\First Experience\WelcomeLauncher.exe"
[?] - O4 - HKLM\..\Run: [VWLASU] "C:\Program Files\Sony\VAIO Wireless Wizard\AutoLaunchWLASU.exe"
[?] - O23 - Service: Realtek Audio Service (RtkAudioService) - Realtek Semiconductor - C:\Windows\RtkAudioService.exe
[?] - O23 - Service: Intel(R) Sample Collector (SampleCollector) - Intel Corporation - C:\Program Files\Sony\VAIO Care\collsvc.exe
[?] - O23 - Service: VAIO Media plus Content Importer (SOHCImp) - Sony Corporation - C:\Program Files (x86)\Sony\VAIO Media plus\SOHCImp.exe
[?] - O23 - Service: VAIO Media plus Digital Media Server (SOHDms) - Sony Corporation - C:\Program Files (x86)\Sony\VAIO Media plus\SOHDms.exe
[?] - O23 - Service: VAIO Media plus Device Searcher (SOHDs) - Sony Corporation - C:\Program Files (x86)\Sony\VAIO Media plus\SOHDs.exe
[?] - O23 - Service: VAIO Content Metadata Intelligent Analyzing Manager (VcmIAlzMgr) - Sony Corporation - C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe


Must fixes:
Quote
[X] - O13 - Gopher Prefix:

Fixes because of no use anymore:

Quote
[X] - O23 - Service: [at]%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
[?] - O23 - Service: XAudioService - Unknown owner - C:\Windows\system32\DRIVERS\xaudio64.exe (file missing)
[X] - O23 - Service: [at]%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
[X] - O23 - Service: [at]%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
[X] - O23 - Service: [at]%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
[X] - O23 - Service: [at]%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
[X] - O23 - Service: [at]%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
[?] - O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
[?] - O23 - Service: [at]dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
[X] - O23 - Service: [at]%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
[X] - O23 - Service: [at]%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
[X] - O23 - Service: [at]%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)

Do you know this IP address (please check the Comodo DNS against it)? If you do not, fix it:

Quote
Deleted as they're indeed from Comodo DNS

note: you can look at Jaytech's (hey there btw) descriptions for the possible unwanteds!

eXp
« Last Edit: November 30, 2009, 04:14:12 PM by eXPerience »

Ronny
« Reply #25 on: November 30, 2009, 02:39:52 PM »

eXp, those are Comodo's Secure DNS servers.
« Last Edit: November 30, 2009, 04:13:32 PM by eXPerience »

Volunteer Moderator
Any concerns? Please send me a PM and/or review the Forum Policy -  update 1st March 2010!
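A small triage script for logs in the format posted in reply #22, added here as an illustration; it is not from the thread, from HijackThis or from Comodo. It assumes the HijackThis v2 line layout shown above, runs on a constructed sample log modelled on that post, and treats the Comodo Secure DNS pair confirmed in reply #25 as the trusted resolvers; the 192.0.2.53 resolver in the sample is a made-up address so the allowlist check has something to flag.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v2 log format, modelled on the log posted
# in this thread. The resolver 192.0.2.53 is a made-up documentation-range
# address added so the allowlist check has something to flag. HijackThis
# writes service resource names with '@'; the forum rendered that as '[at]'.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows Vista SP1 (WinNT 6.00.1905)
Boot mode: Normal

Running processes:
C:\\Program Files (x86)\\uTorrent\\uTorrent.exe
C:\\Program Files (x86)\\Trend Micro\\HijackThis\\HijackThis.exe

O2 - BHO: Partner BHO Class - {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\\ProgramData\\Partner\\partner.dll
O4 - HKCU\\..\\Run: [uTorrent] "C:\\Program Files (x86)\\uTorrent\\uTorrent.exe"
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{A9830818-346D-413E-B4D2-7D66711152D8}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\..\\{E126FC9B-0BF3-4390-AEEC-CC3EC69FC5A8}: NameServer = 192.0.2.53
O20 - AppInit_DLLs:  C:\\Windows\\SysWOW64\\guard32.dll
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\\Program Files\\COMODO\\COMODO Internet Security\\cmdagent.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\\Program Files (x86)\\Intel\\Intel Matrix Storage Manager\\IAANTMon.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\\Windows\\system32\\lsass.exe (file missing)
"""

# Comodo Secure DNS, as identified in the thread (reply #25).
COMODO_SECURE_DNS = {"156.154.70.22", "156.154.71.22"}

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
NAMESERVER_RE = re.compile(r"NameServer = ([\d.,]+)")
SERVICE_RE = re.compile(r"\(([^()]+)\) - ")


def parse_hjt(text):
    """Split a HijackThis log into {'processes': [...], 'O2': [...], 'O23': [...]}.

    Entry lines are keyed by their section code; the 'Running processes:'
    block is collected until the first blank line.
    """
    sections = defaultdict(list)
    in_processes = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:
                in_processes = False
            else:
                sections["processes"].append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            sections[m.group(1)].append(m.group(2))
    return dict(sections)


def nameservers(sections):
    """Return every resolver IP configured in the O17 (TCP/IP NameServer) entries."""
    ips = []
    for entry in sections.get("O17", []):
        m = NAMESERVER_RE.search(entry)
        if m:
            ips.extend(ip for ip in m.group(1).split(",") if ip)
    return ips


def triage(text, trusted_dns=COMODO_SECURE_DNS):
    """Pick out the entries a helper checks first on a log like the one in this thread."""
    sections = parse_hjt(text)
    findings = {
        # O17 resolvers not on the allowlist: a hijacked resolver is one way the
        # "some sites unreachable" symptom described in the thread can arise.
        "unknown_dns": [ip for ip in nameservers(sections) if ip not in trusted_dns],
        # O20 AppInit_DLLs load into every process; each entry must be accounted for.
        "appinit_dlls": [e.split(":", 1)[1].strip() for e in sections.get("O20", [])],
        # O23 services whose binary HijackThis could not find. On 64-bit Windows a
        # 32-bit HijackThis is subject to WOW64 file redirection, so system32
        # services commonly show "(file missing)" without being malicious: verify first.
        "missing_file_services": [],
        # Third-party BHOs (O2) run inside Internet Explorer and deserve a look.
        "bhos": [e.split(" - ", 1)[0].replace("BHO: ", "") for e in sections.get("O2", [])],
    }
    for entry in sections.get("O23", []):
        if entry.endswith("(file missing)"):
            m = SERVICE_RE.search(entry)
            findings["missing_file_services"].append(m.group(1) if m else entry)
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```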
Rodney Peterson
« Reply #26 on: November 30, 2009, 05:16:39 PM »

Just got back. Bluetooth is part of the problem and I always block anything to do with it. The toolbars are almost always unwanted. How do I delete? Run the HijackThis log and just delete those apps from the list by clicking delete? I do use the word processor and Microsoft Works. The capture thing I just added for the purpose of taking pics of the firewall and other Comodo applications. There's a setting on the firewall we changed in VPN and it seems every time I change it it never sticks; apparently it has something to do with Bluetooth. (I've never used Bluetooth.)

Whenever I do a clean install (and I don't know why I can't do one from recovery discs like I used to be able to) there is always an unsafe Windows32 program with a remote administrator that it always catches and quarantines.
jay2007tech
« Reply #27 on: November 30, 2009, 06:05:35 PM »

My best guess is it's using the Bluetooth exploit.

There is one easy solution.

Go to Run, type in
regedit

Right click on it; only 1 click to highlight HKEY_CLASSES_ROOT.
Search for
bluetooth
Delete all files with the word bluetooth.

When you're done in the registry, use Windows Explorer and search for bluetooth.

Delete all the bluetooths that you can find. There may be 1 or 2 files Windows won't let you delete, but it's no big deal.

In simple terms, you're crippling any form of support for Bluetooth.
THIS MIGHT BE THE SOLUTION.
If you ever have to reinstall Windows, search and delete bluetooth before going online.

This solution is to cripple Bluetooth: commando soldier style.
« Last Edit: November 30, 2009, 06:08:04 PM by jay2007tech »
panic
Global Moderator
Comodo's Hero
Posts: 8074
substance constant, depth variable
« Reply #28 on: November 30, 2009, 07:28:08 PM »

If it's Bluetooth, then surely the offender is within 15 metres of you. A 4 x 2 would do the trick. ;)

As your mums would say, "If you can't play nice with all the other kiddies, go home".
All users are asked to please read and abide by the  Comodo Forum Policy.
If you don't like it, don't use the forum.
Rodney Peterson
Comodo Loves me
Posts: 130
« Reply #29 on: November 30, 2009, 10:56:01 PM »

Are you saying it's a waste of time to disable the Bluetooth capabilities even though they show up on GMER's log of questionable files? Because I just spent quite a bit of time going through the Bluetooth regedit process, and if part of the way in was spoofing through the iPhone (I would always get these types of calls, laughing and hanging up, as I was just ending the fresh factory install process, and often in the middle of the night also; after a while I started turning off my phone during the installs but the calls would always come soon after that anyway), then the Bluetooth thing makes sense to me and isn't required to use the minimal remote transfer distance (which would be possible anyway from the iPhone in my apartment if it was close to my computer when the calls came in).

Anyway I deleted the BT Stack server items (there were dozens of those in the registry) and a few other things, plus three Bluetooth items that came up in a general search afterwards.

I made some notes of some things I found during the process:

MSOlapAdmin2.MSOLAP (there were a ton of these; I didn't delete them, but it looks like Administrator 2 so could be planted, but I'm not sure). Also these files had sub-directories of CLSID (which I'm pretty sure is Comodo, from as often as I've seen those abbreviations by now).

One of the BT items I deleted was called BTTraceControl

There were some things I left because I'm unsure if they have anything to do with Bluetooth:

For example:

BTNCopy.Monitor (sub-directories CLSID and CurVer)

BTOfficeAddin.BTAccess.Sink1 (sub-directory CLSID) (there were quite a few of these BT Office Addins).

BtSendto_I.E. BTIntegration (sub-directories CLSID)

BITS

btwdins.exe

BtwHtml.renderer.DLL
BtwNameSpaceExt.DLL
Bthidex.BtHidExt.1 (sub-directory CLSID) (notable for what looks like an abbreviation for hidden)

BTNCopy.BtwSendtoExplorer (sub-directories CLSID and CurVer), and the same thing with a .1 added after SendtoExplorer with the CLSID sub-directory only.

and finally this one:

System.UnauthorizedAccessException (with the sub-directory CLSID)

Thought I'd throw this out there too: if anyone in the Los Angeles area is interested in talking to me further, taking a look at the computer and perhaps developing a friendship, I have a $150 gift certificate to the Palm Restaurant chain I need to use in the next two weeks before it expires. It's a renowned steak, lobster and fish chain and a showbiz hangout; they have many locations, the closest to me is on Santa Monica Boulevard in West Hollywood near Beverly Hills, and other locations include Caesar's Palace in Las Vegas and many others. It would be a nice way of saying thank you and might be fun. If you want to know more about me (and a number of things I'm doing, including a film/book I'm writing, Cutting Confessions), you can find me and it here:

www.myspace.com/370392338

Just thought I'd throw that out there since it might be fun and I need to use the certificate.

The other stuff I'll get to a little later, maybe tomorrow or Wednesday if the computer runs well and doesn't need another reinstall before then.
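Reply #27 suggests deleting every HKEY_CLASSES_ROOT entry with "bluetooth" in its name, and Reply #29 lists BT*/Btw* ProgIDs found while doing that without knowing what they belong to. The script below is an added example, not something posted in this thread or shipped by Comodo: it inventories the matching keys, exports each one to a .reg backup before anything is touched, and resolves each ProgID to the DLL or EXE registered under its CLSID together with that file's Authenticode signer, so a vendor Bluetooth component can be told apart from an unexpected binary before deciding whether to remove it. The `$Pattern` and `$BackupDir` values and the function names are assumptions made for this example; it is meant to be run from an elevated PowerShell on the affected machine.

```powershell
# Added example (not from the thread): inventory HKEY_CLASSES_ROOT entries whose
# name matches a pattern, back each one up, and resolve it to the binary it
# loads plus that binary's Authenticode signer. The point is to learn what a key
# belongs to before deciding whether to delete it. $Pattern and $BackupDir are
# assumed values; run from an elevated PowerShell on the affected machine.
param(
    [string]$Pattern   = 'bluetooth|^btw|^bt[a-z]',   # constructed to match the BT*/Btw* ProgIDs quoted above
    [string]$BackupDir = (Join-Path $env:USERPROFILE 'Desktop\hkcr-backup')
)

New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null

# Default value of a registry key, or $null if the key does not exist.
function Get-DefaultValue([string]$KeyPath) {
    $item = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.GetValue('')
}

# Extract the executable/DLL path from an InprocServer32 or LocalServer32 value,
# which may be quoted and may carry arguments after the path.
function Get-ServerPath([string]$ServerValue) {
    if ([string]::IsNullOrWhiteSpace($ServerValue)) { return $null }
    $raw = if ($ServerValue.StartsWith('"')) { $ServerValue.Split('"')[1] } else { ($ServerValue -split '\s+[/-]')[0] }
    return [Environment]::ExpandEnvironmentVariables($raw.Trim())
}

# Resolve a ProgID (for example BTNCopy.Monitor) to its CLSID, the COM server
# registered under that CLSID, and the server file's signature status.
function Resolve-ProgId([string]$ProgId) {
    $clsid  = Get-DefaultValue "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
    $path   = $null
    $signer = 'n/a'
    if ($clsid) {
        foreach ($sub in 'InprocServer32', 'LocalServer32') {
            $path = Get-ServerPath (Get-DefaultValue "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\$sub")
            if ($path) { break }
        }
        $signer = 'file not found'
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "NOT VALID ($($sig.Status))" }
        }
    }
    $clsidText = if ($clsid) { $clsid } else { '(none: not a COM ProgID)' }
    [pscustomobject]@{ ProgId = $ProgId; CLSID = $clsidText; Binary = $path; Signer = $signer }
}

$hits = Get-ChildItem -LiteralPath 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match $Pattern }

$report = foreach ($key in $hits) {
    # Export before touching anything so a mistaken deletion can be undone with `reg import`.
    $file = Join-Path $BackupDir (($key.PSChildName -replace '[^\w.-]', '_') + '.reg')
    reg export "HKCR\$($key.PSChildName)" $file /y | Out-Null
    Resolve-ProgId $key.PSChildName
}

$report | Sort-Object Signer, ProgId | Format-Table -AutoSize
```

Reading the table: a ProgID whose binary carries a valid signature from the laptop vendor's Bluetooth stack supplier is the ordinary driver package, whereas a key pointing at an unsigned file in a user-writable folder, or at a file that no longer exists, is the one worth a closer look. Keys reported as "not a COM ProgID" are usually file-type or protocol registrations rather than loadable code. The pattern deliberately does not match BITS or System.UnauthorizedAccessException from the list above, since those are standard Windows and .NET registrations unrelated to Bluetooth. If the goal is simply to switch Bluetooth off rather than to remove files, disabling the Bluetooth Support Service (bthserv) in services.msc is reversible and does not risk breaking unrelated COM registrations; the .reg exports in `$BackupDir` let any key that was deleted be restored with `reg import`.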