Rotem

  1. What about the GMER, how should I uninstall it? R
  2. The computer works well. I removed the tools. So far it looks good. I appreciate your help! Rotem
  3. Hi, the MBAM quick scan came out clean. However, the F-Secure full scan found that 6 files are infected; 2 were healed. Following are the logs:
  4. Hi, although the AVG anti-virus notified me about the trojan SHeur3.SAZ a while ago, the computer works much better. No windows pop up with weird websites. I can tell that the main problem was fixed. What do you think I should do about this trojan? Rotem
  5. Hi there, following are the logs:
  6. Hi, I ran ComboFix. Before running, it alerted that the antivirus is turned on although I had disabled it. After scanning, the program couldn't find the Microsoft Recovery Console and allowed installing it through the web. Following is the log:
2005-07-13 17:55 420352 ----a-w- c:\windows\system32\vbscript.dll 2010-03-09 08:28 . 2008-12-22 14:56 411368 ----a-w- c:\windows\system32\deploytk.dll 2010-03-06 00:37 . 2005-07-13 20:38 -------- d-----w- c:\program files\Google 2010-02-28 18:00 . 2009-06-25 12:43 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar 2010-02-25 06:24 . 2005-07-13 17:55 916480 ----a-w- c:\windows\system32\wininet.dll 2010-02-24 13:11 . 2005-07-13 17:55 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys 2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr 2010-02-17 13:10 . 2005-07-13 17:55 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe 2010-02-16 13:25 . 2004-08-03 22:59 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe 2010-02-12 04:33 . 2005-07-13 17:55 100864 ----a-w- c:\windows\system32\6to4svc.dll 2010-02-11 12:02 . 2005-07-13 17:55 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys 2010-01-20 16:49 . 2010-01-20 16:49 375162 ----a-r- c:\documents and settings\Laura Lash\Application Data\Microsoft\Installer\{1F1C4668-7767-4109-9B5E-19AD056F2CA0}\_62C7126616B954B0A3B534.exe 2010-01-20 16:49 . 2010-01-20 16:49 375162 ----a-r- c:\documents and settings\Laura Lash\Application Data\Microsoft\Installer\{1F1C4668-7767-4109-9B5E-19AD056F2CA0}\_0F7A346F42AC9EA04D958A.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080] [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92109E9C-D153-4288-B749-6BB009EFC319}] 2010-04-19 22:11 46080 ----a-w- c:\windows\system32\fycwdn11.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}] 2009-11-25 18:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080] [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}] [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080] [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288] "Google Update"="c:\documents and settings\Laura Lash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-24 133104] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-29 94208] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-29 77824] "Persistence"="c:\windows\system32\igfxpers.exe" [2005-06-29 114688] "Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-08 114688] "RTHDCPL"="RTHDCPL.EXE" [2005-06-29 14720000] "AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-04-29 45056] "VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672] "SonyPowerCfg"="c:\program 
files\Sony\VAIO Power Management\SPMgr.exe" [2005-05-15 184320] "TVTunerLib"="c:\program files\Common Files\Sony Shared\TVTunerLib\TVTLInstTool.exe" [2005-02-17 245760] "ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768] "VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-01-14 151552] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 81920] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-06-09 6746112] "VZRemoteCommander"="c:\program files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe" [2005-01-31 192512] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-18 2046816] "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-04-06 524632] "LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912] "VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-08-17 14:52 11952 ----a-w- c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon] 2005-05-21 00:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "DisableNotifications"= 1 (0x1) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\LimeWire\\LimeWire.exe"= "c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"= "c:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT.EXE"= "c:\\Program Files\\TVU Player\\TVUPlayer.exe"= "c:\\WINDOWS\\system32\\dpvsetup.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\BitComet\\BitComet.exe"= "c:\\Documents and Settings\\Laura Lash\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"= "c:\\Documents and Settings\\Laura Lash\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"= "c:\\Program Files\\Java\\jre6\\bin\\javaws.exe"= "c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"= "c:\\Program Files\\Java\\jre6\\bin\\java.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\MP3 Skype Recorder\\MP3 Skype Recorder.exe"= "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"= "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/25/2009 11:28 PM 64160] R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/1/2008 8:16 PM 335240] R1 AvgTdiX;AVG Free8 Network 
Redirector;c:\windows\system32\drivers\avgtdix.sys [12/1/2008 8:16 PM 108552] R1 NEOFLTR_620_13873;Juniper Networks TDI Filter Driver (NEOFLTR_620_13873);c:\windows\system32\drivers\NEOFLTR_620_13873.sys [1/21/2009 12:19 AM 64480] R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [3/5/2009 10:40 PM 142592] R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [12/1/2008 8:15 PM 908056] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/1/2008 8:15 PM 297752] R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/10/2009 1:23 AM 135664] S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456] S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1C.tmp --> c:\windows\system32\1C.tmp [?] [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EC5738BF-72C3-416F-9D09-24A21222BE58}] 2010-04-19 22:11 46080 ----a-w- c:\windows\system32\fycwdn11.dll . 
Contents of the 'Scheduled Tasks' folder 2010-04-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 03:31] 2010-04-20 c:\windows\Tasks\GlaryInitialize.job - c:\program files\Glary Utilities\initialize.exe [2009-11-28 00:44] 2010-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-10 05:22] 2010-04-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-10 05:22] 2010-04-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2133393807-1933545232-816708033-1006Core.job - c:\documents and settings\Laura Lash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-24 02:31] 2010-04-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2133393807-1933545232-816708033-1006UA.job - c:\documents and settings\Laura Lash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-24 02:31] 2009-08-28 c:\windows\Tasks\Microsoft_Hardware_Launch_LifeExp_exe.job - c:\program files\Microsoft LifeCam\LifeExp.exe [2007-05-17 18:45] 2010-04-19 c:\windows\Tasks\User_Feed_Synchronization-{75592AFF-04B7-4574-8F6E-924C201D398F}.job - c:\windows\system32\msfeedssync.exe [2007-08-13 09:31] . . ------- Supplementary Scan ------- . 
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uStart Page = hxxp://www.google.com/ uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab DPF: {E4456C1D-ECE7-4C05-996A-3958091C6F55} - hxxp://www.bezeqint.net/Friendly/email_bezeqint/fwTechTool2.cab FF - ProfilePath - c:\documents and settings\Laura Lash\Application Data\Mozilla\Firefox\Profiles\xpx3npyu.default\ FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff36\gears.dll FF - plugin: c:\documents and settings\Laura Lash\Application Data\Mozilla\plugins\npgoogletalk.dll FF - plugin: c:\documents and settings\Laura Lash\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32); c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\Mozilla 
Firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5); c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr ef", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com"); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js 
- pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20); . - - - - ORPHANS REMOVED - - - - BHO-{3E37A704-600E-4E73-80CB-94250C8A4F3E} - (no file) Notify-qoMfcBSK - qoMfcBSK.dll SafeBoot-klmdb.sys AddRemove-TVUPlayer - c:\program files\TVU Player\uninst.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-04-19 20:48 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2] "ImagePath"="\??\c:\windows\system32\1C.tmp" . 
--------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(300) c:\windows\system32\VESWinlogon.dll - - - - - - - > 'explorer.exe'(744) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Intel\Wireless\Bin\EvtEng.exe c:\program files\Intel\Wireless\Bin\S24EvMon.exe c:\program files\Google\Update\1.2.183.23\GoogleCrashHandler.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Microsoft LifeCam\MSCamS32.exe c:\progra~1\AVG\AVG8\avgrsx.exe c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe c:\progra~1\AVG\AVG8\avgnsx.exe c:\program files\Intel\Wireless\Bin\RegSrvc.exe c:\program files\Spyware Terminator\sp_rsser.exe c:\program files\Sony\VAIO Event Service\VESMgr.exe c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe c:\program files\Canon\CAL\CALMAIN.exe c:\windows\system32\igfxext.exe c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe c:\windows\system32\igfxsrvc.exe c:\program files\Windows Media Player\WMPNetwk.exe c:\program files\AVG\AVG8\avgcsrvx.exe c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe c:\program files\Apoint\Apntex.exe c:\windows\RTHDCPL.EXE c:\windows\system32\rundll32.exe c:\program files\iPod\bin\iPodService.exe c:\program files\AVG\AVG8\avgcsrvx.exe . ************************************************************************** . 
Completion time: 2010-04-19 21:00:28 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-20 01:00
Pre-Run: 14,051,471,360 bytes free
Post-Run: 14,322,786,304 bytes free
- - End Of File - - 4248B23837C667DA30FCAB2A28993C90

How bad does this look? Rotem
  7. Hi, I ran the scans as requested but couldn't post the logs since they're too long. So I posted the 'extras' and the 'ark'; the 'otl' is attached:

OTL Extras logfile created on: 4/18/2010 11:07:37 PM - Run 1
OTL by OldTimer - Version 3.2.1.2 Folder = C:\Documents and Settings\Laura Lash\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
502.00 Mb Total Physical Memory | 224.00 Mb Available Physical Memory | 45.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 42.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 68.52 Gb Total Space | 13.28 Gb Free Space | 19.39% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: LASH
Current User Name: Laura Lash
Logged in as Administrator.
Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Standard ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* exefile [open] -- "%1" %* htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation) http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation) https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation) scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. 
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [AddToPlaylistVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --playlist-enqueue "%1" () Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Directory [PlayWithVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --no-playlist-enqueue "%1" () Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "FirstRunDisabled" = 1 "FirewallDisableNotify" = 0 "UpdatesDisableNotify" = 0 "AntiVirusOverride" = 0 "FirewallOverride" = 0 "AntiVirusDisableNotify" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus] 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List] "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007 "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008 "10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service "10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service "10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service "10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service "10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service "10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = 1 "DoNotAllowExceptions" = 0 "DisableNotifications" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007 "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008 "10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service "10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service "10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service "10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service "10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service "10284:UDP" = 
  8. Hi, Got infected with tdss rootkit (I think). None of the anti-malware programs helped. I will appreciate any help from you guys. Following is the DDS.txt: DDS (Ver_10-03-17.01) - NTFSx86 Run by Laura Lash at 15:24:00.81 on Sun 04/18/2010