Check up please
Piriform Community Forums > Computer Help and Discussion > Spyware Hell
looper101
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:17:11 PM, on 11/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LClock\lclock.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\iDumpPro\NMSAccessU.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Documents and Settings\Frank\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Frank\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Frank\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Frank\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.62 surety.microsoft.com
O1 - Hosts: 209.44.111.62 aware-protect.com
O1 - Hosts: 209.44.111.62 www.aware-protect.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PartSeal] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Frank\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Save YouTube Video as MP3 - res://C:\Program Files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
O8 - Extra context menu item: Transfer by Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: *.download.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: McAfee Application Installer Cleanup (0267091241971032) (0267091241971032mcinstcleanup) - Unknown owner - C:\DOCUME~1\Frank\LOCALS~1\Temp\026709~1.EXE (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Unknown owner - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (file missing)
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\iDumpPro\NMSAccessU.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe
O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
O23 - Service: Sony TVTA Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

--
End of file - 13326 bytes
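Most of what a helper does with a log like this is a first-pass triage of a few line types: the O1 Hosts entries (here surety.microsoft.com and aware-protect.com both resolve to 209.44.111.62, the usual shape of a hosts-file hijack by a rogue "antispyware" installer), O23 services whose binary is "(file missing)" or sits in a Temp folder (the McAfee cleanup entry shows both), and O4 Run entries that start from inside a user profile. The script below is an added example, not code from the original post or from the HijackThis project; SAMPLE_LOG is copied from the log above, while the Finding class, the high/low severity labels and the function names are this example's own. Profile-based Run entries are reported at low severity only, because Google Update and similar per-user installers legitimately live there.

```python
"""Triage pass over HijackThis log lines (added example, see lead-in)."""
import ipaddress
import re
from dataclasses import dataclass

O1_RE = re.compile(r"^O1 - Hosts:\s+(?P<addr>\S+)\s+(?P<host>\S+)\s*$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.*)$")
# name - owner - path; the owner field may be empty, the path starts with a drive letter
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.*?) ?- (?P<path>[A-Za-z]:\\.*)$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
PROFILE_RE = re.compile(r"^[A-Za-z]:\\(documents and settings|docume~1|users)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "low" (this example's own scale)
    line: str
    reason: str


def triage(lines):
    """Return one Finding per suspicious HijackThis line, in log order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := O1_RE.match(line):
            try:
                addr = ipaddress.ip_address(m["addr"])
            except ValueError:
                findings.append(Finding("high", line, "hosts entry with an unparsable address"))
                continue
            # ::1 / 127.0.0.1 localhost are normal; anything else is a redirect
            if not addr.is_loopback:
                findings.append(Finding("high", line, f"hosts file sends {m['host']} to {addr}"))
        elif m := O23_RE.match(line):
            reasons = []
            if "(file missing)" in m["path"].lower():
                reasons.append("no binary on disk")
            if TEMP_RE.search(m["path"]):
                reasons.append("runs from a Temp folder")
            if reasons:
                findings.append(Finding("high", line, f"service '{m['name']}': " + "; ".join(reasons)))
        elif m := O4_RE.match(line):
            image = m["cmd"].lstrip('"')  # quoted paths: look at the image, not the arguments
            if PROFILE_RE.match(image):
                findings.append(Finding("low", line,
                                        f"{m['hive']} Run entry '{m['name']}' starts from a user profile"))
    return findings


# Lines copied from the HijackThis log above (sample input for this example).
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.62 surety.microsoft.com
O1 - Hosts: 209.44.111.62 aware-protect.com
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Frank\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O23 - Service: McAfee Application Installer Cleanup (0267091241971032) (0267091241971032mcinstcleanup) - Unknown owner - C:\DOCUME~1\Frank\LOCALS~1\Temp\026709~1.EXE (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Unknown owner - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Run against the sample it reports the two hijacked hosts entries, the two dead services and one low-severity Run entry; a service with an empty owner field (lxcr_device above) parses but is not flagged on its own, since the owner being blank says nothing about where the binary lives.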
Rorschach112
http://forum.piriform.com/index.php?showtopic=20120
looper101
edit: oops, I'll paste the stuff here when they're done

ROOTER
Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP . (5.1.2600) Service Pack 3
[32_bits] - x86 Family 15 Model 4 Stepping 4, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Enabled
.
Internet Explorer 8.0.6001.18702
Mozilla Firefox 3.0.15 (en-US)
.
C:\ [Fixed-NTFS] .. ( Total:291 GB - Free:120 GB )
D:\ [CD_Rom]
E:\ [CD_Rom]
G:\ [Removable]
H:\ [Removable]
I:\ [Removable]
J:\ [CD_Rom]
K:\ [Removable]
.
Scan : 22:12.34
Path : C:\Documents and Settings\Frank\Desktop\Rooter.exe
User : Frank ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (752)
______ \??\C:\WINDOWS\system32\csrss.exe (800)
______ \??\C:\WINDOWS\system32\winlogon.exe (836)
______ C:\WINDOWS\system32\services.exe (880)
______ C:\WINDOWS\system32\lsass.exe (892)
______ C:\WINDOWS\system32\Ati2evxx.exe (1052)
______ C:\WINDOWS\system32\svchost.exe (1072)
______ C:\WINDOWS\system32\svchost.exe (1164)
______ C:\Program Files\Windows Defender\MsMpEng.exe (1260)
______ C:\WINDOWS\System32\svchost.exe (1300)
______ C:\WINDOWS\system32\svchost.exe (1392)
______ C:\WINDOWS\system32\svchost.exe (1516)
______ C:\WINDOWS\system32\spoolsv.exe (1620)
______ C:\WINDOWS\system32\Ati2evxx.exe (1676)
______ C:\WINDOWS\Explorer.EXE (256)
______ C:\WINDOWS\AGRSMMSG.exe (472)
______ C:\WINDOWS\ehome\ehtray.exe (480)
______ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (496)
______ C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe (528)
______ C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (548)
______ C:\WINDOWS\system32\LVCOMSX.EXE (1220)
______ C:\Program Files\Logitech\Video\LogiTray.exe (1252)
______ C:\Program Files\QuickTime\QTTask.exe (1324)
______ C:\Program Files\iTunes\iTunesHelper.exe (1356)
______ C:\Program Files\Java\jre6\bin\jusched.exe (1368)
______ C:\WINDOWS\system32\ctfmon.exe (1432)
______ C:\Program Files\LClock\lclock.exe (1484)
______ C:\Program Files\Windows Live\Messenger\msnmsgr.exe (1528)
______ C:\Program Files\AIM6\aim6.exe (1672)
______ C:\Program Files\Logitech\Video\FxSvr2.exe (1688)
______ C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (1724)
______ C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe (1948)
______ C:\Program Files\Messenger\msmsgs.exe (2012)
______ C:\Program Files\Rainlendar2\Rainlendar2.exe (2076)
______ C:\Program Files\Windows Media Player\WMPNSCFG.exe (2096)
______ C:\Program Files\SpywareGuard\sgmain.exe (2220)
______ C:\WINDOWS\system32\svchost.exe (2288)
______ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (2420)
______ C:\Program Files\Bonjour\mDNSResponder.exe (2472)
______ C:\WINDOWS\eHome\ehRecvr.exe (2544)
______ C:\WINDOWS\eHome\ehSched.exe (2696)
______ C:\WINDOWS\System32\svchost.exe (2836)
______ C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe (2876)
______ C:\Program Files\Java\jre6\bin\jqs.exe (2924)
______ C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (2992)
______ C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe (3156)
______ C:\Program Files\AIM6\aolsoftware.exe (3168)
______ C:\Program Files\SpywareGuard\sgbhp.exe (3224)
______ C:\Program Files\iDumpPro\NMSAccessU.exe (3240)
______ C:\WINDOWS\system32\PnkBstrA.exe (3312)
______ C:\WINDOWS\system32\PnkBstrB.exe (3476)
______ C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe (3520)
______ C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe (3552)
______ C:\WINDOWS\system32\svchost.exe (3632)
______ C:\WINDOWS\system32\svchost.exe (3704)
______ C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe (3788)
______ C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe (3832)
______ C:\WINDOWS\ehome\mcrdsvc.exe (3964)
______ C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe (4048)
______ C:\Documents and Settings\Frank\Local Settings\Application Data\Google\Chrome\Application\chrome.exe (4068)
______ C:\Program Files\iPod\bin\iPodService.exe (332)
______ C:\WINDOWS\system32\dllhost.exe (2524)
______ C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe (2640)
______ C:\WINDOWS\System32\alg.exe (3548)
______ C:\Documents and Settings\Frank\Local Settings\Application Data\Google\Chrome\Application\chrome.exe (4156)
______ C:\Program Files\Mozilla Firefox\firefox.exe (4192)
______ C:\WINDOWS\eHome\ehmsas.exe (4208)
______ C:\Program Files\Java\jre6\bin\jucheck.exe (5220)
______ C:\Documents and Settings\Frank\Desktop\Rooter.exe (6112)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 (Start_Offset:32256 | Length:7517873664)
\Device\Harddisk0\Partition2 --[ MBR ]-- (Start_Offset:7517905920 | Length:312552414720)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1122231463-3557555321-1581213266-1005Core.job
C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1122231463-3557555321-1581213266-1005UA.job
C:\WINDOWS\Tasks\MP Scheduled Scan.job
C:\WINDOWS\Tasks\SA.DAT
.
----------------------\\ Registry
.
Rootkit! ... [HKLM\SYSTEM\ControlSet005\Enum\Root\LEGACY_TDSSSERV.SYS]
.
----------------------\\ Files & Folders
.
C:\DOCUME~1\Frank\My Documents\Azureus Downloads\Call of Duty 2\keygen.exe
==> Cracks & Keygens <==
.
----------------------\\ Scan completed at 22:13.17
.
C:\Rooter$\Rooter_1.txt - (10/11/2009 | 22:13.17).c

LockSearch
LockSearch by jpshortstuff (05.11.09.1)
Log created at 22:14 on 10/11/2009 (Frank)
Scanning C:\


C:\hiberfil.sys
-------------------------


C:\pagefile.sys
-------------------------


C:\WINDOWS\system32\drivers\sptd.sys
-------------------------
C:\WINDOWS\system32\drivers\sptd.sys [Unable to get md5 : 717296 bytes]

-=E.O.F=-
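Rooter's one registry hit, HKLM\SYSTEM\ControlSet005\Enum\Root\LEGACY_TDSSSERV.SYS, is the kind of key worth checking programmatically. The PnP manager creates Enum\Root\LEGACY_<SERVICE> when a legacy (non-PnP) kernel driver service is started, and the key is not always removed when the service goes away; a LEGACY_ key with no matching Services\<SERVICE> entry therefore means either a driver that was uninstalled by hand or one that hides its own service key, which is what the TDSS/TDL family does. The script below is an added example, not code from the original post or from Rooter. It compares the two lists per control set from a snapshot so it runs offline; snapshot_from_registry() builds the same structure on a live Windows host with winreg. SAMPLE_SNAPSHOT is constructed for this example (only the TDSSSERV.SYS name comes from the log above), and the KNOWN_BAD list, severity labels and function names are this example's own.

```python
r"""Orphaned LEGACY_* keys as a rootkit indicator (added example, see lead-in)."""
import sys

# Names this example treats as known-bad; extend from your own intel.
KNOWN_BAD = {"TDSSSERV.SYS"}


def orphan_legacy_keys(enum_root_keys, service_names):
    """Return the LEGACY_ suffixes in enum_root_keys that have no Services entry."""
    services = {s.upper() for s in service_names}
    orphans = []
    for key in enum_root_keys:
        if not key.upper().startswith("LEGACY_"):
            continue
        name = key[len("LEGACY_"):]
        if name.upper() not in services:
            orphans.append(name)
    return orphans


def classify(snapshot):
    """snapshot: {control_set: {"enum_root": [...], "services": [...]}}.

    Returns (control_set, name, severity) tuples. "high" when the orphaned name
    is on the known-bad list, "low" otherwise: leftover LEGACY_ keys from
    uninstalled but legitimate drivers are common and need a second look,
    not an alarm.
    """
    report = []
    for cs, keys in sorted(snapshot.items()):
        for name in orphan_legacy_keys(keys["enum_root"], keys["services"]):
            severity = "high" if name.upper() in KNOWN_BAD else "low"
            report.append((cs, name, severity))
    return report


def _subkeys(key):
    """All direct subkey names of an open winreg key."""
    import winreg
    names, i = [], 0
    while True:
        try:
            names.append(winreg.EnumKey(key, i))
        except OSError:  # raised once the index runs past the last subkey
            return names
        i += 1


def snapshot_from_registry():
    r"""Live read of every ControlSetNNN (Windows only; Enum\Root needs admin rights)."""
    import winreg
    snap = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, "SYSTEM") as system:
        for cs in _subkeys(system):
            if not cs.upper().startswith("CONTROLSET"):
                continue
            with winreg.OpenKey(system, cs + r"\Enum\Root") as root, \
                    winreg.OpenKey(system, cs + r"\Services") as svc:
                snap[cs] = {"enum_root": _subkeys(root), "services": _subkeys(svc)}
    return snap


# Constructed sample: ControlSet001 has a stale PunkBuster key, ControlSet005 the
# TDSS key Rooter reported. Enum\Root key names are upper-case as Windows writes them.
SAMPLE_SNAPSHOT = {
    "ControlSet001": {
        "enum_root": ["ACPI_HAL", "LEGACY_ATI2MTAG", "LEGACY_SPTD",
                      "LEGACY_MBAMSWISSARMY", "LEGACY_PNKBSTRK"],
        "services": ["ati2mtag", "sptd", "mbamswissarmy", "Beep"],
    },
    "ControlSet005": {
        "enum_root": ["ACPI_HAL", "LEGACY_ATI2MTAG", "LEGACY_SPTD", "LEGACY_TDSSSERV.SYS"],
        "services": ["ati2mtag", "sptd"],
    },
}

if __name__ == "__main__":
    snap = snapshot_from_registry() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for cs, name, severity in classify(snap):
        print(f"[{severity}] {cs}\\Enum\\Root\\LEGACY_{name} has no Services\\{name}")
```

One caveat on the live path: a kernel-mode rootkit that filters registry reads can hide either key from winreg just as it hides them from regedit, so a clean result from an infected machine proves little. The offline comparison is more trustworthy when the snapshot comes from a hive copied out under another OS, or from a tool that bypasses the filter as Rooter does.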

Rorschach112
Post the CKScanner log; you can leave OTL and RootRepeal.

Please download OTM
  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    CODE
    :Processes

    :Services

    :Reg

    :Files
    C:\DOCUME~1\Frank\My Documents\Azureus Downloads\Call of Duty 2\keygen.exe

    :Commands
    [purity]
    [emptytemp]
    [Reboot]

  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

looper101
ckscanner
CKScanner - Additional Security Risks - These are not necessarily bad
c:\program files\activision\rome - total war
----- EOF -----

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\DOCUME~1\Frank\My Documents\Azureus Downloads\Call of Duty 2\keygen.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Frank
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 85770 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 17748072 bytes
->Google Chrome cache emptied: 8291855 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 24.95 mb


OTM by OldTimer - Version 3.1.1.0 log created on 11112009_183735

Files moved on Reboot...

Registry entries deleted on Reboot...


Combo
ComboFix 09-11-11.02 - Frank 1 / 2009 Wed 18:14.10.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.936.86.1033.18.1022.292
[GMT -5:00]
Executive Location: c: \ documents and settings \ Frank \ Desktop \ ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Deleted files
)))))))))))))))))))))))))))))))))))))))))))))))))
.
.
The results of earlier runs ---- -------
.
c: \ windows \ kb913800.exe

- The results of earlier runs --

Can not find "c: \ windows \ system32 \ grpconv.exe"
From - c: \ windows \ ServicePackFiles \ i386 \ grpconv.exe to restore the original file

Can not find "c: \ windows \ system32 \ proquota.exe"
From - c: \ windows \ ServicePackFiles \ i386 \ proquota.exe to restore the original file

--------

.
((((((((((((((((((((((((((((((((((((((( Drivers / Services
)))))))))))))))))))))))))))))))))))))))))))))))))
.

------- \ Legacy_OREANS32
------- \ Service_oreans32
------- \ Legacy_OREANS32


((((((((((((((((((((((((( 2009-10-11 new files to 2009-11-11
)))))))))))))))))))))))))))))))
.

2009-11-11 22:49. 2008-04-14 00:12 50176-c - aw -
c: \ windows \ system32 \ dllcache \ proquota.exe
2009-11-11 22:49. 2008-04-14 00:12 50176 ---- aw -
c: \ windows \ system32 \ proquota.exe
2009-11-11 22:49. 2008-04-14 00:12 39424-c - aw -
c: \ windows \ system32 \ dllcache \ grpconv.exe
2009-11-11 22:49. 2008-04-14 00:12 39424 ---- aw -
c: \ windows \ system32 \ grpconv.exe
2009-11-11 22:26. 2009-11-11 22:26 -------- d ----- w -
C: \ _OTM
2009-10-15 00:50. 2009-10-15 00:50 97216 ---- aw -
c: \ documents and settings \ Frank \ Application Data \ Move
Networks \ ie_bin \ MovePlayerUpgrade.exe

.
(((((((((((((((((((((((((((((((((((((((( Within three months of the file has been modified
)))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-11-11 23:12. 2009-02-18 22:05 -------- d ----- w -
c: \ program files \ SpywareGuard
2009-11-11 23:06. 2005-08-19 18:24 -------- d - h - w -
c: \ program files \ InstallShield Installation Information
2009-11-11 13:01. 2008-08-10 19:23 -------- d ----- w -
c: \ documents and settings \ All Users \ Application Data \ Microsoft Help
2009-11-11 03:26. 2008-07-22 20:51 -------- d --- aw -
c: \ documents and settings \ All Users \ Application Data \ TEMP
2009-11-11 03:26. 2008-12-07 17:49 -------- d ----- w -
c: \ program files \ SpywareBlaster
2009-11-10 23:51. 2008-07-21 14:50 215104 ---- aw -
c: \ windows \ system32 \ PnkBstrB.exe
2009-11-10 23:17. 2008-07-21 14:50 138576 ---- aw -
c: \ windows \ system32 \ drivers \ PnkBstrK.sys
2009-11-08 00:20. 2008-07-26 02:32 -------- d ----- w -
c: \ documents and settings \ Frank \ Application Data \ LimeWire
2009-11-06 00:31. 2009-09-11 00:26 143976 ---- aw -
c: \ documents and settings \ Frank \ Application Data \ Move
Networks \ uninstall.exe
2009-11-06 00:31. 2009-03-15 18:28 -------- d ----- w -
c: \ documents and settings \ Frank \ Application Data \ Move Networks
2009-11-06 00:31. 2009-10-15 00:50 5642688 ---- aw -
c: \ documents and settings \ Frank \ Application Data \ Move
Networks \ plugins \ npqmp071701000002.dll
2009-11-06 00:31. 2009-11-06 00:31 1794456 ---- aw -
c: \ documents and settings \ Frank \ Application Data \ Move
Networks \ MoveMediaPlayerWin_071701000002.exe
2009-11-03 01:42. 2009-10-03 03:59 195456 ------ w -
c: \ windows \ system32 \ MpSigStub.exe
2009-11-02 02:52. 2008-07-22 21:21 -------- d ----- w -
c: \ program files \ SUPERAntiSpyware
2009-11-02 02:27. 2008-07-19 17:42 -------- d ----- w -
c: \ documents and settings \ Frank \ Application Data \ Azureus
2009-11-02 01:59. 2009-11-02 01:59 10628032 ---- aw -
c: \ documents and settings \ Frank \ Application
Data \ Azureus \ tmp \ AZU505883182199024532.tmp \ Vuze_4.2.0.8b_win32.exe
2009-10-30 02:40. 2009-09-09 00:58 -------- d ----- w -
c: \ program files \ Common Files \ Adobe
2009-10-29 02:46. 2005-08-19 22:19 84640 ---- aw -
c: \ documents and settings \ Administrator \ Local Settings \ Application
Data \ GDIPFONTCACHEV1.DAT
2009-10-22 22:03. 2008-07-19 16:19 -------- d ----- w -
c: \ program files \ Microsoft Works
2009-10-11 02:28. 2009-10-11 02:28 -------- d ----- w -
c: \ program files \ Rainlendar2
2009-10-10 04:29. 2009-10-10 04:26 103535 ---- aw -
c: \ windows \ hpoins04.dat
2009-10-10 04:29. 2009-10-10 04:29 -------- d ----- w -
c: \ program files \ Common Files \ Hewlett-Packard
2009-10-10 04:26. 2009-10-10 04:26 -------- d ----- w -
c: \ program files \ HP
2009-10-10 04:16. 2009-10-10 04:15 -------- d ----- w -
c: \ program files \ TI Education
2009-10-10 04:15. 2009-10-10 04:15 -------- d ----- w -
c: \ program files \ Common Files \ TI Shared
2009-10-10 04:14. 2008-07-22 21:20 -------- d ----- w -
c: \ program files \ Common Files \ Wise Installation Wizard
2009-10-04 03:15. 2009-10-04 03:15 -------- d ----- w -
c: \ program files \ Unlimited
2009-09-27 15:50. 2008-08-12 00:38 -------- d ----- w -
c: \ program files \ Malwarebytes' Anti-Malware
2009-09-27 15:50. 2008-10-09 00:02 4045528 ---- aw -
c: \ documents and settings \ All Users \ Application
Data \ Malwarebytes \ Malwarebytes' Anti-Malware \ mbam-setup.exe
2009-09-11 14:18. 2005-08-18 20:20 136192 ---- aw -
c: \ windows \ system32 \ msv1_0.dll
2009-09-11 00:26. 2009-06-16 06:35 4183416 ---- aw -
c: \ documents and settings \ Frank \ Application Data \ Move
Networks \ plugins \ npqmp071503000010.dll
2009-09-10 18:54. 2008-08-12 00:38 38224 ---- aw -
c: \ windows \ system32 \ drivers \ mbamswissarmy.sys
2009-09-10 18:53. 2008-08-12 00:38 19160 ---- aw -
c: \ windows \ system32 \ drivers \ mbam.sys
2009-09-09 00:57. 2009-09-09 00:57 411368 ---- aw -
c: \ windows \ system32 \ deploytk.dll
2009-09-08 23:44. 2009-03-23 23:40 117760 ---- aw -
c: \ documents and settings \ Frank \ Application
Data \ SUPERAntiSpyware.com \ SUPERAntiSpyware \ SDDLLS \ UIREPAIR.DLL
2009-09-07 03:11. 2009-09-07 03:11 64 ---- a-w -
c: \ documents and settings \ Frank \ Application
Data \ Mozilla \ Firefox \ Profiles \ nzbn6t60.default \ extensions \ dvscontextmenuy
@ dvdvideosoft.com
2009-09-04 21:03. 2005-08-18 20:20 58880 ---- aw -
c: \ windows \ system32 \ msasn1.dll
2009-08-30 14:22. 2009-03-02 20:56 21840 ---- atw -
c: \ windows \ system32 \ SIntfNT.dll
2009-08-30 14:22. 2009-03-02 20:56 17212 ---- atw -
c: \ windows \ system32 \ SIntf32.dll
2009-08-30 14:22. 2009-03-02 20:56 12067 ---- atw -
c: \ windows \ system32 \ SIntf16.dll
2009-08-29 08:08. 2005-08-18 20:20 916480 ------ w -
c: \ windows \ system32 \ wininet.dll
2009-08-27 02:41. 2009-08-27 02:41 49920 ---- aw -
c: \ windows \ system32 \ drivers \ HPZid412.sys
2009-08-26 08:00. 2005-08-18 20:21 247326 ---- aw -
c: \ windows \ system32 \ strmdll.dll
2009-08-18 03:33. 2009-08-18 03:33 1193832 ---- aw -
c: \ windows \ system32 \ FM20.DLL
2009-08-14 13:21. 2005-08-18 20:20 1850624 ---- aw -
c: \ windows \ system32 \ win32k.sys
2009-05-01 21:02. 2009-05-01 21:02 1044480 ---- aw -
c: \ program files \ mozilla firefox \ plugins \ libdivx.dll
2009-05-01 21:02. 2009-05-01 21:02 200704 ---- aw -
c: \ program files \ mozilla firefox \ plugins \ ssldivx.dll
.

------- Sigcheck -------


[-] 2008-04-14 . 561A50497324F378E30F55D09B4E1258 . 975872 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-14 . 561A50497324F378E30F55D09B4E1258 . 975872 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2004-08-10 . A5C1F2CF7C31874E66478910B43D6513 . 974336 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\explorer.exe

c:\windows\system32\drivers\beep.sys . . . is missing!!
.
((((((((((((((((((((((((((((( SnapShot@2009-11-11_22.53.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-11 23:24 . 2009-11-11 23:24	16384	c:\windows\Temp\Perflib_Perfdata_e0.dat
+ 2009-11-11 23:24 . 2009-11-11 23:24	16384	c:\windows\Temp\Perflib_Perfdata_2d8.dat
.
(((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LClock"="c:\program files\LClock\lclock.exe" [2004-09-19 65536]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-02 2000112]
"Google Update"="c:\documents and settings\Frank\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-01 133104]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2009-02-01 16384]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2009-08-22 5148672]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-23 339968]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-01-14 151552]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 81920]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PartSeal"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-02-25 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2004-02-25 454656]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2004-02-25 212992]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-09 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-10-08 88363]

c:\documents and settings\Frank\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2009-1-31 169472]

[HKEY_USERS\.Default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-08 23:42	548352	----a-w-	c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\BitPim\\bitpimw.exe"=
"c:\\Sierra\\Empire Earth\\Empire Earth.exe"=
"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57498:TCP"= 57498:TCP:Pando Media Booster
"57498:UDP"= 57498:UDP:Pando Media Booster

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [5/28/2008 12:33 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/28/2008 12:33 PM 74480]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [5/10/2009 10:57 AM 210216]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/28/2008 12:33 PM 7408]
S2 0267091241971032mcinstcleanup;McAfee Application Installer Cleanup (0267091241971032);c:\docume~1\Frank\LOCALS~1\Temp\026709~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\Frank\LOCALS~1\Temp\026709~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 ByakkoDriver;ByakkoDriver;\??\c:\docume~1\Frank\LOCALS~1\Temp\832187.10-04-2009 --> c:\docume~1\Frank\LOCALS~1\Temp\832187.10-04-2009 [?]
S3 cimo;cimo;c:\windows\system32\cimo.sys [6/20/2009 9:32 PM 51200]
S3 NTPASp50;NTPASp50 NDIS Protocol Driver;c:\windows\system32\drivers\NtpaSp50.sys [7/19/2008 11:51 AM 17536]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
S3 SWLD23U;Netopia 802.11b WLAN USB Adapter;c:\windows\system32\drivers\swld23u.sys [7/19/2008 11:43 AM 82888]
S3 swlubtl;WLAN USB Boot Device;c:\windows\system32\drivers\swlubtl.sys [7/19/2008 11:42 AM 53690]
S3 XDva189;XDva189; [x]
S3 XDva201;XDva201;\??\C:\windows\system32\XDva201.sys --> c:\windows\system32\XDva201.sys [?]
S3 XDva212;XDva212;\??\C:\windows\system32\XDva212.sys --> c:\windows\system32\XDva212.sys [?]
S3 XDva219;XDva219;\??\C:\windows\system32\XDva219.sys --> c:\windows\system32\XDva219.sys [?]
S3 XDva279;XDva279;\??\C:\windows\system32\XDva279.sys --> c:\windows\system32\XDva279.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-09-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- C:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-11-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1122231463-3557555321-1581213266-1005Core.job
- C:\documents and settings\Frank\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-01 02:02]

2009-11-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1122231463-3557555321-1581213266-1005UA.job
- C:\documents and settings\Frank\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-01 02:02]

2009-11-11 c:\windows\Tasks\MP Scheduled Scan.job
- C:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Save YouTube Video as MP3 - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
IE: Transfer by Image Converter 2 - c:\program files\Sony\Image Converter 2\menu.htm
Trusted Zone: download.com
FF - ProfilePath - c:\documents and settings\Frank\Application Data\Mozilla\Firefox\Profiles\nzbn6t60.default\
FF - prefs.js: browser.startup.homepage - www.msn.com
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Common Files\DVDVideoSoft\Dll\FFContextMenuY\components\FFContextMenu.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Frank\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Frank\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\Frank\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\Frank\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserplus_2.4.17.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-11 18:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys spcs.sys hal.dll >>UNKNOWN [0x873C4938]<<
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

iaStor.sys @ 0x0 0x0 bytes

\Driver\iaStor [IRP_MJ_CREATE] 0xF142 != 0xF71D0020 iaStor.sys
\Driver\iaStor [IRP_MJ_CLOSE] 0xF142 != 0xF71D0020 iaStor.sys
\Driver\iaStor [IRP_MJ_DEVICE_CONTROL] 0x1284E != 0xF71D0020 iaStor.sys
\Driver\iaStor [IRP_MJ_INTERNAL_DEVICE_CONTROL] 0x12B10 != 0xF71D0020 iaStor.sys
\Driver\iaStor [IRP_MJ_POWER] 0x17968 != 0xF71D0020 iaStor.sys
\Driver\iaStor [IRP_MJ_SYSTEM_CONTROL] 0x179F4 != 0xF71D0020 iaStor.sys
\Driver\iaStor IRP hooks detected!

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ByakkoDriver]
"ImagePath"="\??\C:\docume~1\Frank\LOCALS~1\Temp\832187.10-04-2009"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Winlogon.exe'(844)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'Explorer.exe'(3848)
c:\windows\system32\WININET.dll
c:\docume~1\Frank\LOCALS~1\TempIadHide3.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
c:\program files\LClock\LC.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
c:\program files\iDumpPro\NMSAccessU.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
c:\program files\Sony\Sony TV Tuner Library\SMceMan.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\program files\Logitech\Video\FxSvr2.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Sony\Sony TV Tuner Library\RM_SV.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-11-11 18:30 - machine was rebooted
ComboFix-quarantined-files.txt  2009-11-11 23:30

Pre-Run: 132,151,308,288 bytes free
Post-Run: 132,101,308,416 bytes free

Current=1 Default=1 Failed=5 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 5B94D3E08615703C0830F6FACCD9D71C
Rorschach112
You are doing something to mess up the logs.

Please post them from the infected PC.

Also make sure word wrap is off. To do this, open Notepad, click Format, and uncheck Word Wrap.



1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::

Folder::

Registry::

Driver::

Mia::
c:\windows\system32\drivers\beep.sys


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Invision Power Board © 2001-2010 Invision Power Services, Inc.