Help needed - rootkit removal

[Rotem]

Hi,

Got infected with tdss rootkit (I think). None of the anti-malware programs helped. I will appreciate any help from you guys.

Following is the DDS.txt:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Laura Lash at 15:24:00.81 on Sun 04/18/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19

Microsoft Windows XP Home Edition 5.1.2600.3.1255.972.1033.18.502.81 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Google\Update\1.2.183.23\GoogleCrashHandler.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Java\jre6\bin\jqs.exe

c:\Program Files\Microsoft LifeCam\MSCamS32.exe

C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Spyware Terminator\sp_rsser.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Sony\VAIO Power Management\SPMgr.exe

C:\Program Files\Sony\ISB Utility\ISBMgr.exe

C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe

C:\WINDOWS\vVX3000.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Documents and Settings\Laura Lash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Laura Lash\Desktop\Defogger.exe

C:\Documents and Settings\Laura Lash\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60341

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

uURLSearchHooks: H - No File

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll

mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll

BHO: {3E37A704-600E-4E73-80CB-94250C8A4F3E} - No File

BHO: {78875F5C-A685-4405-8DC5-D48DC65452B0} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {855F3B16-6D32-4FE6-8A56-BBB695989046} - No File

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

TB: {61D1C847-DF80-423A-8C6D-DC03B97E6EBE} - No File

TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe

uRun: [Google Update] "c:\documents and settings\laura lash\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe

mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe

mRun: [sonyPowerCfg] c:\program files\sony\vaio power management\SPMgr.exe

mRun: [TVTunerLib] c:\program files\common files\sony shared\tvtunerlib\TVTLInstTool.exe

mRun: [iSBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe

mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [VZRemoteCommander] c:\program files\sony\vaio zone remote commander\AvRmtCtr.exe

mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe

mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"

mRun: [VX3000] c:\windows\vVX3000.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_1_0

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlcm.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab

DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab

DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/29.55/uploader2.cab

DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab

DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab

DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab

DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} - hxxps://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E4456C1D-ECE7-4C05-996A-3958091C6F55} - hxxp://www.bezeqint.net/Friendly/email_bezeqint/fwTechTool2.cab

DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: avgrsstarter - avgrsstx.dll

Notify: igfxcui - igfxdev.dll

Notify: qoMfcBSK - qoMfcBSK.dll

Notify: VESWinlogon - VESWinlogon.dll

AppInit_DLLs: offhty.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

LSA: Authentication Packages = msv1_0 c:\windows\system32\tuvWmKaW

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\laural~1\applic~1\mozilla\firefox\profiles\xpx3npyu.default\

FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll

FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll

FF - plugin: c:\documents and settings\laura lash\application data\mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\laura lash\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll

FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-25 64160]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-1 335240]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-1 27784]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-1 108552]

R1 NEOFLTR_620_13873;Juniper Networks TDI Filter Driver (NEOFLTR_620_13873);c:\windows\system32\drivers\NEOFLTR_620_13873.sys [2009-1-21 64480]

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-3-5 142592]

R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-12-1 908056]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-1 297752]

R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-10 135664]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-3-5 38224]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1c.tmp --> c:\windows\system32\1C.tmp [?]

S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]

=============== Created Last 30 ================

2010-04-18 13:23:11 0 d-----w- c:\program files\Sophos

2010-04-18 03:52:25 0 ----a-w- c:\documents and settings\laura lash\defogger_reenable

2010-04-17 16:42:41 0 d-----w- c:\windows\system32\NtmsData

2010-04-17 15:31:04 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-04-17 15:30:19 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro

2010-04-17 15:30:00 0 d-----w- c:\program files\Hitman Pro 3.5

2010-04-17 13:29:48 53512 ----a-w- c:\windows\system32\drivers\pxrts.sys

2010-04-17 13:29:48 30320 ----a-w- c:\windows\system32\drivers\pxscan.sys

2010-04-17 13:29:44 24400 ----a-w- c:\windows\system32\drivers\pxkbf.sys

2010-04-17 13:29:15 51 ----a-w- c:\windows\wininit.ini

2010-04-17 13:08:50 8576 ----a-w- c:\windows\system32\drivers\oaiqqpuwwqdj.sys

2010-04-17 13:08:37 0 d-----w- c:\documents and settings\laura lash\Pavark

2010-04-05 22:29:08 0 d-----w- c:\program files\CCleaner

2010-04-02 17:40:14 0 d-----w- c:\docume~1\laural~1\applic~1\ZoomBrowser EX

2010-04-02 17:22:47 0 d-----w- c:\docume~1\laural~1\applic~1\CANON INC

2010-04-02 16:48:50 0 d-----w- c:\docume~1\alluse~1\applic~1\ZoomBrowser

2010-04-02 16:39:04 0 d-----w- c:\windows\system32\XPSViewer

2010-04-02 16:34:36 14048 ------w- c:\windows\system32\spmsg2.dll

2010-04-02 16:25:07 0 d-----w- c:\program files\common files\Canon

==================== Find3M ====================

2010-04-18 18:38:41 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-04-14 04:24:25 69080 ---ha-w- c:\windows\system32\mlfcache.dat

2010-03-30 04:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-30 04:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-03-09 08:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr

2010-02-17 13:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll

2008-12-01 23:31:26 899852 --sha-w- c:\windows\system32\WaKmWvut.ini2

2008-11-20 23:39:36 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008112020081121\index.dat

============= FINISH: 15:26:55.75 ===============

Attach.zip

[JSntgRvr]

Hi, Rotem

Download OTL to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  
• OTL should now start. Change the following settings
  
  • Change Drivers to All
    
  • Change Standard Registry to All
    
  • Under File Scans, change File age to 30
    

  [*]Under the Custom Scan box paste this in

  netsvcs

  %SYSTEMDRIVE%\*.*

  /md5start

  eventlog.dll

  scecli.dll

  netlogon.dll

  cngaudit.dll

  sceclt.dll

  ntelogon.dll

  logevent.dll

  iaStor.sys

  nvstor.sys

  atapi.sys

  IdeChnDr.sys

  viasraid.sys

  AGP440.sys

  vaxscsi.sys

  nvatabus.sys

  viamraid.sys

  nvata.sys

  nvgts.sys

  iastorv.sys

  ViPrt.sys

  eNetHook.dll

  ahcix86.sys

  KR10N.sys

  nvstor32.sys

  ahcix86s.sys

  nvrd32.sys

  /md5stop

  %systemroot%\*. /mp /s

  CREATERESTOREPOINT

  %systemroot%\System32\config\*.sav

  %systemroot%\system32\*.dll /lockedfiles

  %systemroot%\Tasks\*.job /lockedfiles

  [*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt (first run only). These are saved in the same location as OTL.
    
  • Please post the contents of these files in your next reply.
    

------------------------------------------------------------

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

• Double click GMER.exe.
  
  
• If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  
• In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
  • IAT/EAT
    
  • Drives/Partition other than Systemdrive (typically C:\)
    
  • Show All (don't miss this one)
    
    Click the image to enlarge it
    

  [*] Then click the Scan button & wait for it to finish.

  [*] Once done click on the [save..] button, and in the File name area, type in "ark.txt"

  [*]Save the log where you can easily find it, such as your desktop.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Please copy and paste the report into your Post.

[Rotem]

Hi,

I ran the scans as requested but couldn't post the logs since it's too long. So I posted the 'extras' and the 'ark', the 'otl' is attached:

OTL Extras logfile created on: 4/18/2010 11:07:37 PM - Run 1

OTL by OldTimer - Version 3.2.1.2 Folder = C:\Documents and Settings\Laura Lash\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

502.00 Mb Total Physical Memory | 224.00 Mb Available Physical Memory | 45.00% Memory free

1.00 Gb Paging File | 1.00 Gb Available in Paging File | 42.00% Paging File free

Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 68.52 Gb Total Space | 13.28 Gb Free Space | 19.39% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: LASH

Current User Name: Laura Lash

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)

http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)

https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [AddToPlaylistVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --playlist-enqueue "%1" ()

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [PlayWithVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --no-playlist-enqueue "%1" ()

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- File not found

"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

"C:\Program Files\Messenger\msmsgs.exe" = C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger -- (Microsoft Corporation)

"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- (Lime Wire, LLC)

"C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE" = C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE:*:Enabled:Microsoft Office Word -- (Microsoft Corporation)

"C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE" = C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE:*:Enabled:Microsoft Office PowerPoint -- (Microsoft Corporation)

"C:\Program Files\TVU Player\TVUPlayer.exe" = C:\Program Files\TVU Player\TVUPlayer.exe:*:Disabled:TVUPlayer -- ()

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" = C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer -- (Microsoft Corporation)

"C:\WINDOWS\system32\rundll32.exe" = C:\WINDOWS\system32\rundll32.exe:*:Enabled:Run a DLL as an App -- (Microsoft Corporation)

"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)

"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

"C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)

"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)

"C:\Program Files\BitComet\BitComet.exe" = C:\Program Files\BitComet\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client -- (www.BitComet.com)

"C:\Documents and Settings\Laura Lash\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll" = C:\Documents and Settings\Laura Lash\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll:*:Enabled:Google Talk Plugin -- (Google)

"C:\Documents and Settings\Laura Lash\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe" = C:\Documents and Settings\Laura Lash\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin -- (Google)

"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)

"C:\Program Files\VideoLAN\VLC\vlc.exe" = C:\Program Files\VideoLAN\VLC\vlc.exe:*:Enabled:VLC media player -- ()

"C:\Program Files\Java\jre6\bin\javaws.exe" = C:\Program Files\Java\jre6\bin\javaws.exe:*:Disabled:Java Web Start Launcher -- (Sun Microsystems, Inc.)

"C:\Program Files\Juniper Networks\Secure Application Manager\dsSamProxy.exe" = C:\Program Files\Juniper Networks\Secure Application Manager\dsSamProxy.exe:*:Enabled:Secure Application Manager Proxy -- (Juniper Networks)

"C:\Program Files\Java\jre6\bin\java.exe" = C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java Platform SE binary -- (Sun Microsystems, Inc.)

"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)

"C:\Program Files\MP3 Skype Recorder\MP3 Skype Recorder.exe" = C:\Program Files\MP3 Skype Recorder\MP3 Skype Recorder.exe:*:Enabled:MP3 Skype Recorder -- (Alexander Nikiforov)

"C:\Program Files\Microsoft LifeCam\LifeCam.exe" = C:\Program Files\Microsoft LifeCam\LifeCam.exe:*:Enabled:LifeCam.exe -- (Microsoft Corporation)

"C:\Program Files\Microsoft LifeCam\LifeExp.exe" = C:\Program Files\Microsoft LifeCam\LifeExp.exe:*:Enabled:LifeExp.exe -- (Microsoft Corporation)

"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- File not found

"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- File not found

"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)

"C:\Program Files\Skype\Plugin Manager\skypePM.exe" = C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager -- (Skype Technologies)

"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath -- (Skype Technologies S.A.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{013E1BA8-C815-4E27-BCB9-D6B1B2E24094}" = SonicStage Mastering Studio Audio Filter Custom Preset

"{01FDC9FC-4D4F-4DB0-ACD1-D3E8E1D52902}" = Sony MP4 Shared Library

"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour

"{0A146245-DB79-4197-BF5D-FE1A699A2CC7}" = Camera Window DS

"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support

"{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}" = OpenOffice.org Installer 1.0

"{0DF00135-D5A7-476A-BFB3-EDFF2840076A}" = VAIO Wireless Utility

"{15095BF3-A3D7-4DDF-B193-3A496881E003}" = Microsoft .NET Framework 3.0

"{1BEF9285-5530-426B-A5F1-5836B95C7EB1}" = VAIO Original Screen Saver

"{1EB317D8-8945-4FD6-B37F-DF470317C6AB}" = VAIO Media 4.0

"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

"{1F1C4668-7767-4109-9B5E-19AD056F2CA0}" = MP3 Skype Recorder

"{2063C2E8-3812-4BBD-9998-6610F80C1DD4}" = VAIO Media AC3 Decoder 1.0

"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe

"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java 6 Update 19

"{28DA872A-0848-48CF-B749-19A198157A2A}" = mDriver

"{2DBE41DD-2129-4C65-A3D3-5647236A60F3}" = Quicken 2005

"{2FA41EBB-3F5A-35C3-85D6-51EC72A11FBD}" = Google Gears

"{315BA29D-2644-4760-B5FD-5AC04A52B8C5}" = VAIO Registration

"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java 6 Update 3

"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java 6 Update 5

"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java 6 Update 7

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}" = Microsoft Works

"{43602F34-1AA3-44FB-AEB2-D08C2C73743F}" = Paint.NET v3.36

"{48820099-ED7D-424B-890C-9A82EF00656D}" = VAIO Update 2

"{491DD792-AD81-429C-9EB4-86DD3D22E333}" = Windows Communication Foundation

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{4E993095-28F2-4060-9101-99C1FD1195C0}" = VAIO Central

"{59452470-A902-477F-9338-9B88101681BD}" = Setting Utility Series

"{63AFACBC-4795-4A1B-8037-5085DC03FC54}" = Microsoft LifeCam

"{64ED36E0-5EEE-462B-A807-C547950B25E1}" = FRED

"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin

"{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}" = mCore

"{7128C69B-8F7E-4336-8698-3FD3CDD955EC}" = VAIO Media Redistribution 4.0

"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{7A79D11B-FD82-4A5E-834F-20173515DD14}" = VAIO Media Integrated Server 4.2

"{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}" = Windows Workflow Foundation

"{80EE18E6-F16C-11D4-8BE8-006097C9A3ED}" = ISScript

"{82081533-F045-469E-BD53-F16839E445C3}" = VAIO Support Central

"{849ABF1A-6AE3-45E1-B260-D5447B2F29F5}" = OpenMG Secure Module 4.2.00

"{874E44F3-B9A7-4AA1-B4BA-83E5684ED9C6}" = PhotoStitch

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver for Mobile

"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr

"{9011040D-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003

"{91249DB1-5E37-355D-94D6-F957031D8955}" = Google Talk Plugin

"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD for VAIO

"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant

"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting

"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML

"{9E319E96-ED8E-4B01-9775-C521A1869A25}" = VAIO Power Management

"{A0EB195B-5876-48E6-879D-33D4B2102610}" = SonicStage 3.2

"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime

"{A43F939E-A863-433D-AC78-0897E44CFEB2}" = VAIO Launcher

"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support

"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0

"{AF9A04EB-7D8E-41DE-9EDE-4AB9BB2B71B6}" = VAIO Media Registration Tool 4.0

"{B3B77C66-1553-4FFE-B044-53B179FBE0B6}" = SPSS 12.0 for Windows

"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player

"{BAA43DA2-B6C5-46EC-B163-0E8EEAF975A4}" = RAW Image Task 2.2

"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation

"{BBFFB027-7D53-4E1B-95BC-35A2216D1D60}" = VAIO Long Battery Life Wallpaper

"{BE56FEF0-1A0F-4719-B3AD-34B5087AFA6D}" = Sony Video Shared Library

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{D0448678-1203-4158-A58F-B3D0B616BF9E}" = Sony Certificate PCH

"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype

OTL.Txt

[JSntgRvr]

Hi, Rotem

Lets try Combofix.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
   
2. Close any open browsers.
   
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   

   -----------------------------------------------------------

   
   

   • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
     
   • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
     

     -----------------------------------------------------------

     
     

• Close any open browsers.
  
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  
• If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  

-----------------------------------------------------------

[*]

• Copy the entire contents of the Quote Box below to Notepad.
  
• Name the file as CFScript.txt
  
• Change the Save as Type to All Files
  
• and Save it on the desktop
  

TDL::

C:\WINDOWS\system32\DRIVERS\cdrom.sys

File::

C:\WINDOWS\System32\srvryahm.ini

C:\WINDOWS\System32\WaKmWvut.ini2

C:\WINDOWS\System32\WaKmWvut.ini

C:\sqmdata00.sqm

C:\sqmdata01.sqm

C:\sqmdata02.sqm

C:\sqmdata03.sqm

C:\sqmdata04.sqm

C:\sqmdata05.sqm

C:\sqmdata06.sqm

C:\sqmdata07.sqm

C:\sqmdata08.sqm

C:\sqmdata09.sqm

C:\sqmdata10.sqm

C:\sqmdata11.sqm

C:\sqmdata12.sqm

C:\sqmdata13.sqm

C:\sqmdata14.sqm

C:\sqmdata15.sqm

C:\sqmdata16.sqm

C:\sqmdata17.sqm

C:\sqmdata18.sqm

C:\sqmdata19.sqm

C:\sqmnoopt00.sqm

C:\sqmnoopt01.sqm

C:\sqmnoopt02.sqm

C:\sqmnoopt03.sqm

C:\sqmnoopt04.sqm

C:\sqmnoopt05.sqm

C:\sqmnoopt06.sqm

C:\sqmnoopt07.sqm

C:\sqmnoopt08.sqm

C:\sqmnoopt09.sqm

C:\sqmnoopt10.sqm

C:\sqmnoopt11.sqm

C:\sqmnoopt12.sqm

C:\sqmnoopt13.sqm

C:\sqmnoopt14.sqm

C:\sqmnoopt15.sqm

C:\sqmnoopt16.sqm

C:\sqmnoopt17.sqm

C:\sqmnoopt18.sqm

C:\sqmnoopt19.sqm

C:\TDSSKiller.2.2.8.1_18.04.2010_11.35.24_log.txt

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe.

[*]Install the Recovery Console if prompted.

[*]When finished, it will produce a report for you.

[*]Please post the "C:\ComboFix.txt" .

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

[Rotem]

HI,

I ran Combofix. Before running it alerted that antivirus is turned on although I disabled it. After scanning the program couldn't find Microsoft Recovery Console and allowed installing it through the web. Following is the log:

ComboFix 10-04-18.04 - Laura Lash 04/19/2010 20:25:45.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1255.972.1033.18.502.93 [GMT -4:00]

Running from: c:\documents and settings\Laura Lash\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Laura Lash\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::

"C:\sqmdata00.sqm"

"C:\sqmdata01.sqm"

"C:\sqmdata02.sqm"

"C:\sqmdata03.sqm"

"C:\sqmdata04.sqm"

"C:\sqmdata05.sqm"

"C:\sqmdata06.sqm"

"C:\sqmdata07.sqm"

"C:\sqmdata08.sqm"

"C:\sqmdata09.sqm"

"C:\sqmdata10.sqm"

"C:\sqmdata11.sqm"

"C:\sqmdata12.sqm"

"C:\sqmdata13.sqm"

"C:\sqmdata14.sqm"

"C:\sqmdata15.sqm"

"C:\sqmdata16.sqm"

"C:\sqmdata17.sqm"

"C:\sqmdata18.sqm"

"C:\sqmdata19.sqm"

"C:\sqmnoopt00.sqm"

"C:\sqmnoopt01.sqm"

"C:\sqmnoopt02.sqm"

"C:\sqmnoopt03.sqm"

"C:\sqmnoopt04.sqm"

"C:\sqmnoopt05.sqm"

"C:\sqmnoopt06.sqm"

"C:\sqmnoopt07.sqm"

"C:\sqmnoopt08.sqm"

"C:\sqmnoopt09.sqm"

"C:\sqmnoopt10.sqm"

"C:\sqmnoopt11.sqm"

"C:\sqmnoopt12.sqm"

"C:\sqmnoopt13.sqm"

"C:\sqmnoopt14.sqm"

"C:\sqmnoopt15.sqm"

"C:\sqmnoopt16.sqm"

"C:\sqmnoopt17.sqm"

"C:\sqmnoopt18.sqm"

"C:\sqmnoopt19.sqm"

"C:\TDSSKiller.2.2.8.1_18.04.2010_11.35.24_log.txt"

"c:\windows\System32\srvryahm.ini"

"c:\windows\System32\WaKmWvut.ini"

"c:\windows\System32\WaKmWvut.ini2"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\recycler\S-1-5-21-1486009817-77172607-3806689915-1003

c:\recycler\S-1-5-21-1644491937-1292428093-725345543-1003

c:\recycler\S-1-5-21-246832256-3006914963-493307199-1003

c:\recycler\S-1-5-21-3293920870-4118683337-1468059775-1003

c:\recycler\S-1-5-21-985225360-2529155770-2675299521-1003

C:\sqmdata00.sqm

C:\sqmdata01.sqm

C:\sqmdata02.sqm

C:\sqmdata03.sqm

C:\sqmdata04.sqm

C:\sqmdata05.sqm

C:\sqmdata06.sqm

C:\sqmdata07.sqm

C:\sqmdata08.sqm

C:\sqmdata09.sqm

C:\sqmdata10.sqm

C:\sqmdata11.sqm

C:\sqmdata12.sqm

C:\sqmdata13.sqm

C:\sqmdata14.sqm

C:\sqmdata15.sqm

C:\sqmdata16.sqm

C:\sqmdata17.sqm

C:\sqmdata18.sqm

C:\sqmdata19.sqm

C:\sqmnoopt00.sqm

C:\sqmnoopt01.sqm

C:\sqmnoopt02.sqm

C:\sqmnoopt03.sqm

C:\sqmnoopt04.sqm

C:\sqmnoopt05.sqm

C:\sqmnoopt06.sqm

C:\sqmnoopt07.sqm

C:\sqmnoopt08.sqm

C:\sqmnoopt09.sqm

C:\sqmnoopt10.sqm

C:\sqmnoopt11.sqm

C:\sqmnoopt12.sqm

C:\sqmnoopt13.sqm

C:\sqmnoopt14.sqm

C:\sqmnoopt15.sqm

C:\sqmnoopt16.sqm

C:\sqmnoopt17.sqm

C:\sqmnoopt18.sqm

C:\sqmnoopt19.sqm

C:\TDSSKiller.2.2.8.1_18.04.2010_11.35.24_log.txt

c:\windows\setup.exe

c:\windows\system32\drivers\oaiqqpuwwqdj.sys

c:\windows\system32\klgd.bmp

c:\windows\System32\srvryahm.ini

c:\windows\system32\WaKmWvut.ini

c:\windows\System32\WaKmWvut.ini2

Infected copy of c:\windows\system32\DRIVERS\cdrom.sys was found and disinfected

Restored copy from - Kitty had a snack

Infected copy of c:\windows\system32\DRIVERS\cdrom.sys was found and disinfected

Restored copy from - Kitty ate it

Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected

Restored copy from - Kitty had a snack

Infected copy of c:\windows\system32\DRIVERS\cdrom.sys was found and disinfected

Restored copy from - Kitty had a snack

Infected copy of c:\windows\system32\DRIVERS\cdrom.sys was found and disinfected

Restored copy from - Kitty ate it

Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected

Restored copy from - Kitty had a snack

Infected copy of c:\windows\system32\DRIVERS\cdrom.sys was found and disinfected

Restored copy from - Kitty had a snack

Infected copy of c:\windows\system32\DRIVERS\cdrom.sys was found and disinfected

Restored copy from - Kitty ate it

Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected

Restored copy from - Kitty had a snack

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_TDSSSERV.SYS

-------\Legacy_oaiqqpuwwqdj

-------\Service_oaiqqpuwwqdj

((((((((((((((((((((((((( Files Created from 2010-03-20 to 2010-04-20 )))))))))))))))))))))))))))))))

.

2010-04-18 00:21 . 2005-07-23 01:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\InterMute

2010-04-18 00:21 . 2005-07-23 00:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\Intuit

2010-04-18 00:21 . 2005-07-23 00:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Symantec

2010-04-18 00:21 . 2005-07-23 00:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sony Corporation

2010-04-17 15:30 . 2010-04-17 15:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-04-02 21:04 . 2010-04-02 21:04 503808 ----a-w- c:\documents and settings\Laura Lash\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5c87bf0b-n\msvcp71.dll

2010-04-02 21:04 . 2010-04-02 21:04 499712 ----a-w- c:\documents and settings\Laura Lash\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5c87bf0b-n\jmc.dll

2010-04-02 21:04 . 2010-04-02 21:04 348160 ----a-w- c:\documents and settings\Laura Lash\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5c87bf0b-n\msvcr71.dll

2010-04-02 21:03 . 2010-04-02 21:03 61440 ----a-w- c:\documents and settings\Laura Lash\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-62cf12a9-n\decora-sse.dll

2010-04-02 21:03 . 2010-04-02 21:03 12800 ----a-w- c:\documents and settings\Laura Lash\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-62cf12a9-n\decora-d3d.dll

2010-04-02 17:40 . 2010-04-02 17:46 -------- d-----w- c:\documents and settings\Laura Lash\Application Data\ZoomBrowser EX

2010-04-02 17:22 . 2010-04-02 17:22 -------- d-----w- c:\documents and settings\Laura Lash\Application Data\CANON INC

2010-04-02 16:48 . 2010-04-02 16:48 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser

2010-03-22 20:04 . 2010-03-22 20:04 255472 ----a-w- c:\documents and settings\Laura Lash\Application Data\Mozilla\plugins\npgoogletalk.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-19 22:11 . 2010-04-19 22:11 46080 ----a-w- c:\windows\system32\fycwdn11.dll

2010-04-19 01:48 . 2009-03-06 02:40 -------- d-----w- c:\documents and settings\Laura Lash\Application Data\Spyware Terminator

2010-04-18 22:10 . 2007-09-06 19:56 -------- d-----w- c:\documents and settings\Laura Lash\Application Data\Skype

2010-04-18 20:07 . 2008-11-18 17:46 -------- d-----w- c:\documents and settings\Laura Lash\Application Data\skypePM

2010-04-18 19:11 . 2010-04-18 13:23 -------- d-----w- c:\program files\Sophos

2010-04-18 18:48 . 2010-04-17 15:31 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-04-18 18:38 . 2004-08-03 22:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-04-17 16:34 . 2008-11-26 18:55 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-04-17 15:30 . 2010-04-17 15:30 -------- d-----w- c:\program files\Hitman Pro 3.5

2010-04-17 13:29 . 2010-04-17 13:29 53512 ----a-w- c:\windows\system32\drivers\pxrts.sys

2010-04-17 13:29 . 2010-04-17 13:29 30320 ----a-w- c:\windows\system32\drivers\pxscan.sys

2010-04-17 13:29 . 2010-04-17 13:29 24400 ----a-w- c:\windows\system32\drivers\pxkbf.sys

2010-04-16 00:24 . 2009-03-06 02:39 -------- d-----w- c:\program files\Spyware Terminator

2010-04-14 22:50 . 2008-07-09 10:53 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Sony Corporation

2010-04-14 04:24 . 2009-11-10 21:38 69080 ---ha-w- c:\windows\system32\mlfcache.dat

2010-04-11 22:42 . 2005-10-25 17:36 84888 ----a-w- c:\documents and settings\Laura Lash\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-08 00:07 . 2009-03-06 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator

2010-04-07 23:25 . 2006-06-12 16:08 -------- d-----w- c:\program files\TVU Player

2010-04-07 22:21 . 2009-03-06 02:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-07 22:21 . 2009-12-27 01:40 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-04-06 03:30 . 2009-06-30 03:40 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe

2010-04-05 22:29 . 2010-04-05 22:29 -------- d-----w- c:\program files\CCleaner

2010-04-03 05:10 . 2010-04-02 16:44 174360 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-04-02 21:07 . 2007-12-22 13:41 -------- d-----w- c:\program files\Common Files\Java

2010-04-02 21:02 . 2005-07-13 20:08 -------- d-----w- c:\program files\Java

2010-04-02 16:54 . 2006-10-07 10:07 -------- d-----w- c:\program files\Canon

2010-04-02 16:44 . 2010-04-02 16:44 -------- d-----w- c:\program files\MSBuild

2010-04-02 16:36 . 2010-04-02 16:36 -------- d-----w- c:\program files\Reference Assemblies

2010-04-02 16:27 . 2010-04-02 16:25 -------- d-----w- c:\program files\Common Files\Canon

2010-03-30 04:46 . 2009-03-06 02:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-30 04:45 . 2009-03-06 02:21 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-10 06:15 . 2005-07-13 17:55 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-03-09 08:28 . 2008-12-22 14:56 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-03-06 00:37 . 2005-07-13 20:38 -------- d-----w- c:\program files\Google

2010-02-28 18:00 . 2009-06-25 12:43 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2010-02-25 06:24 . 2005-07-13 17:55 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-24 13:11 . 2005-07-13 17:55 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr

2010-02-17 13:10 . 2005-07-13 17:55 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25 . 2004-08-03 22:59 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 04:33 . 2005-07-13 17:55 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:02 . 2005-07-13 17:55 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

2010-01-20 16:49 . 2010-01-20 16:49 375162 ----a-r- c:\documents and settings\Laura Lash\Application Data\Microsoft\Installer\{1F1C4668-7767-4109-9B5E-19AD056F2CA0}\_62C7126616B954B0A3B534.exe

2010-01-20 16:49 . 2010-01-20 16:49 375162 ----a-r- c:\documents and settings\Laura Lash\Application Data\Microsoft\Installer\{1F1C4668-7767-4109-9B5E-19AD056F2CA0}\_0F7A346F42AC9EA04D958A.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92109E9C-D153-4288-B749-6BB009EFC319}]

2010-04-19 22:11 46080 ----a-w- c:\windows\system32\fycwdn11.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-11-25 18:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

"Google Update"="c:\documents and settings\Laura Lash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-24 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-29 94208]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-29 77824]

"Persistence"="c:\windows\system32\igfxpers.exe" [2005-06-29 114688]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-08 114688]

"RTHDCPL"="RTHDCPL.EXE" [2005-06-29 14720000]

"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-04-29 45056]

"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]

"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-05-15 184320]

"TVTunerLib"="c:\program files\Common Files\Sony Shared\TVTunerLib\TVTLInstTool.exe" [2005-02-17 245760]

"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]

"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-01-14 151552]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 81920]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-06-09 6746112]

"VZRemoteCommander"="c:\program files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe" [2005-01-31 192512]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-18 2046816]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-04-06 524632]

"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]

"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-17 14:52 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]

2005-05-21 00:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=

"c:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT.EXE"=

"c:\\Program Files\\TVU Player\\TVUPlayer.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\BitComet\\BitComet.exe"=

"c:\\Documents and Settings\\Laura Lash\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Documents and Settings\\Laura Lash\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaws.exe"=

"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\MP3 Skype Recorder\\MP3 Skype Recorder.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/25/2009 11:28 PM 64160]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/1/2008 8:16 PM 335240]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/1/2008 8:16 PM 108552]

R1 NEOFLTR_620_13873;Juniper Networks TDI Filter Driver (NEOFLTR_620_13873);c:\windows\system32\drivers\NEOFLTR_620_13873.sys [1/21/2009 12:19 AM 64480]

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [3/5/2009 10:40 PM 142592]

R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [12/1/2008 8:15 PM 908056]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/1/2008 8:15 PM 297752]

R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/10/2009 1:23 AM 135664]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1C.tmp --> c:\windows\system32\1C.tmp [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EC5738BF-72C3-416F-9D09-24A21222BE58}]

2010-04-19 22:11 46080 ----a-w- c:\windows\system32\fycwdn11.dll

.

Contents of the 'Scheduled Tasks' folder

2010-04-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 03:31]

2010-04-20 c:\windows\Tasks\GlaryInitialize.job

- c:\program files\Glary Utilities\initialize.exe [2009-11-28 00:44]

2010-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-10 05:22]

2010-04-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-10 05:22]

2010-04-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2133393807-1933545232-816708033-1006Core.job

- c:\documents and settings\Laura Lash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-24 02:31]

2010-04-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2133393807-1933545232-816708033-1006UA.job

- c:\documents and settings\Laura Lash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-24 02:31]

2009-08-28 c:\windows\Tasks\Microsoft_Hardware_Launch_LifeExp_exe.job

- c:\program files\Microsoft LifeCam\LifeExp.exe [2007-05-17 18:45]

2010-04-19 c:\windows\Tasks\User_Feed_Synchronization-{75592AFF-04B7-4574-8F6E-924C201D398F}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab

DPF: {E4456C1D-ECE7-4C05-996A-3958091C6F55} - hxxp://www.bezeqint.net/Friendly/email_bezeqint/fwTechTool2.cab

FF - ProfilePath - c:\documents and settings\Laura Lash\Application Data\Mozilla\Firefox\Profiles\xpx3npyu.default\

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff36\gears.dll

FF - plugin: c:\documents and settings\Laura Lash\Application Data\Mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\Laura Lash\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

- - - - ORPHANS REMOVED - - - -

BHO-{3E37A704-600E-4E73-80CB-94250C8A4F3E} - (no file)

Notify-qoMfcBSK - qoMfcBSK.dll

SafeBoot-klmdb.sys

AddRemove-TVUPlayer - c:\program files\TVU Player\uninst.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-19 20:48

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\1C.tmp"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(300)

c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'explorer.exe'(744)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Google\Update\1.2.183.23\GoogleCrashHandler.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Microsoft LifeCam\MSCamS32.exe

c:\progra~1\AVG\AVG8\avgrsx.exe

c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\Spyware Terminator\sp_rsser.exe

c:\program files\Sony\VAIO Event Service\VESMgr.exe

c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\windows\system32\igfxext.exe

c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Windows Media Player\WMPNetwk.exe

c:\program files\AVG\AVG8\avgcsrvx.exe

c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe

c:\program files\Apoint\Apntex.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\rundll32.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\AVG\AVG8\avgcsrvx.exe

.

**************************************************************************

.

Completion time: 2010-04-19 21:00:28 - machine was rebooted

ComboFix-quarantined-files.txt 2010-04-20 01:00

Pre-Run: 14,051,471,360 bytes free

Post-Run: 14,322,786,304 bytes free

- - End Of File - - 4248B23837C667DA30FCAB2A28993C90

How bad does this look like?

Rotem

[JSntgRvr]

Please run GMER once again and post its report.

• Copy the entire contents of the Quote Box below to Notepad.
  
• Name the file as CFScript.txt
  
• Change the Save as Type to All Files
  
• and Save it on the desktop
  

File::

c:\windows\system32\fycwdn11.dll

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92109E9C-D153-4288-B749-6BB009EFC319}]

Driver::

MEMSWEEP2

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

[Rotem]

Hi there,

following are the logs:

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-04-20 10:31:02

Windows 5.1.2600 Service Pack 3

Running: 9fr5if1s.exe; Driver: C:\DOCUME~1\LAURAL~1\LOCALS~1\Temp\pxtdapow.sys

---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF866487E]

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF8664BFE]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Ip NEOFLTR_620_13873.SYS (NetBIOS Redirector/Juniper Networks)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp NEOFLTR_620_13873.SYS (NetBIOS Redirector/Juniper Networks)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp NEOFLTR_620_13873.SYS (NetBIOS Redirector/Juniper Networks)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp NEOFLTR_620_13873.SYS (NetBIOS Redirector/Juniper Networks)

---- EOF - GMER 1.0.15 ----

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

ComboFix 10-04-19.05 - Laura Lash 04/20/2010 10:56:57.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1255.972.1033.18.502.143 [GMT -4:00]

Running from: c:\documents and settings\Laura Lash\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Laura Lash\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::

"c:\windows\system32\fycwdn11.dll"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\fycwdn11.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_MEMSWEEP2

-------\Service_MEMSWEEP2

((((((((((((((((((((((((( Files Created from 2010-03-20 to 2010-04-20 )))))))))))))))))))))))))))))))

.

2010-04-18 00:21 . 2005-07-23 01:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\InterMute

2010-04-18 00:21 . 2005-07-23 00:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\Intuit

2010-04-18 00:21 . 2005-07-23 00:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\Symantec

2010-04-18 00:21 . 2005-07-23 00:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sony Corporation

2010-04-17 15:30 . 2010-04-17 15:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-04-02 17:40 . 2010-04-02 17:46 -------- d-----w- c:\documents and settings\Laura Lash\Application Data\ZoomBrowser EX

2010-04-02 17:22 . 2010-04-02 17:22 -------- d-----w- c:\documents and settings\Laura Lash\Application Data\CANON INC

2010-04-02 16:48 . 2010-04-02 16:48 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-19 01:48 . 2009-03-06 02:40 -------- d-----w- c:\documents and settings\Laura Lash\Application Data\Spyware Terminator

2010-04-18 22:10 . 2007-09-06 19:56 -------- d-----w- c:\documents and settings\Laura Lash\Application Data\Skype

2010-04-18 20:07 . 2008-11-18 17:46 -------- d-----w- c:\documents and settings\Laura Lash\Application Data\skypePM

2010-04-18 19:11 . 2010-04-18 13:23 -------- d-----w- c:\program files\Sophos

2010-04-18 18:48 . 2010-04-17 15:31 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-04-18 18:38 . 2004-08-03 22:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-04-17 16:34 . 2008-11-26 18:55 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-04-17 15:30 . 2010-04-17 15:30 -------- d-----w- c:\program files\Hitman Pro 3.5

2010-04-17 13:29 . 2010-04-17 13:29 53512 ----a-w- c:\windows\system32\drivers\pxrts.sys

2010-04-17 13:29 . 2010-04-17 13:29 30320 ----a-w- c:\windows\system32\drivers\pxscan.sys

2010-04-17 13:29 . 2010-04-17 13:29 24400 ----a-w- c:\windows\system32\drivers\pxkbf.sys

2010-04-16 00:24 . 2009-03-06 02:39 -------- d-----w- c:\program files\Spyware Terminator

2010-04-14 22:50 . 2008-07-09 10:53 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Sony Corporation

2010-04-14 04:24 . 2009-11-10 21:38 69080 ---ha-w- c:\windows\system32\mlfcache.dat

2010-04-11 22:42 . 2005-10-25 17:36 84888 ----a-w- c:\documents and settings\Laura Lash\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-08 00:07 . 2009-03-06 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator

2010-04-07 23:25 . 2006-06-12 16:08 -------- d-----w- c:\program files\TVU Player

2010-04-07 22:21 . 2009-03-06 02:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-05 22:29 . 2010-04-05 22:29 -------- d-----w- c:\program files\CCleaner

2010-04-03 05:10 . 2010-04-02 16:44 174360 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-04-02 21:07 . 2007-12-22 13:41 -------- d-----w- c:\program files\Common Files\Java

2010-04-02 21:02 . 2005-07-13 20:08 -------- d-----w- c:\program files\Java

2010-04-02 16:54 . 2006-10-07 10:07 -------- d-----w- c:\program files\Canon

2010-04-02 16:44 . 2010-04-02 16:44 -------- d-----w- c:\program files\MSBuild

2010-04-02 16:36 . 2010-04-02 16:36 -------- d-----w- c:\program files\Reference Assemblies

2010-04-02 16:27 . 2010-04-02 16:25 -------- d-----w- c:\program files\Common Files\Canon

2010-03-30 04:46 . 2009-03-06 02:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-30 04:45 . 2009-03-06 02:21 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-10 06:15 . 2005-07-13 17:55 420352 ----a-w- c:\windows\system32\vbscript.dll

2010-03-09 08:28 . 2008-12-22 14:56 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-03-06 00:37 . 2005-07-13 20:38 -------- d-----w- c:\program files\Google

2010-02-28 18:00 . 2009-06-25 12:43 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2010-02-25 06:24 . 2005-07-13 17:55 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-24 13:11 . 2005-07-13 17:55 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr

2010-02-17 13:10 . 2005-07-13 17:55 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25 . 2004-08-03 22:59 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 04:33 . 2005-07-13 17:55 100864 ----a-w- c:\windows\system32\6to4svc.dll

2010-02-11 12:02 . 2005-07-13 17:55 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-11-25 18:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

"Google Update"="c:\documents and settings\Laura Lash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-24 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-29 94208]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-29 77824]

"Persistence"="c:\windows\system32\igfxpers.exe" [2005-06-29 114688]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-08 114688]

"RTHDCPL"="RTHDCPL.EXE" [2005-06-29 14720000]

"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-04-29 45056]

"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]

"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-05-15 184320]

"TVTunerLib"="c:\program files\Common Files\Sony Shared\TVTunerLib\TVTLInstTool.exe" [2005-02-17 245760]

"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]

"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-01-14 151552]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-08-09 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 81920]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-06-09 6746112]

"VZRemoteCommander"="c:\program files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe" [2005-01-31 192512]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-18 2046816]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-04-06 524632]

"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]

"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-17 14:52 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]

2005-05-21 00:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=

"c:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT.EXE"=

"c:\\Program Files\\TVU Player\\TVUPlayer.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\BitComet\\BitComet.exe"=

"c:\\Documents and Settings\\Laura Lash\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Documents and Settings\\Laura Lash\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaws.exe"=

"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\MP3 Skype Recorder\\MP3 Skype Recorder.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/25/2009 11:28 PM 64160]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/1/2008 8:16 PM 335240]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/1/2008 8:16 PM 108552]

R1 NEOFLTR_620_13873;Juniper Networks TDI Filter Driver (NEOFLTR_620_13873);c:\windows\system32\drivers\NEOFLTR_620_13873.sys [1/21/2009 12:19 AM 64480]

R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [3/5/2009 10:40 PM 142592]

R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [12/1/2008 8:15 PM 908056]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [12/1/2008 8:15 PM 297752]

R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/10/2009 1:23 AM 135664]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]

S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

.

Contents of the 'Scheduled Tasks' folder

2010-04-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 03:31]

2010-04-20 c:\windows\Tasks\GlaryInitialize.job

- c:\program files\Glary Utilities\initialize.exe [2009-11-28 00:44]

2010-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-10 05:22]

2010-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-10 05:22]

2010-04-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2133393807-1933545232-816708033-1006Core.job

- c:\documents and settings\Laura Lash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-24 02:31]

2010-04-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2133393807-1933545232-816708033-1006UA.job

- c:\documents and settings\Laura Lash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-24 02:31]

2009-08-28 c:\windows\Tasks\Microsoft_Hardware_Launch_LifeExp_exe.job

- c:\program files\Microsoft LifeCam\LifeExp.exe [2007-05-17 18:45]

2010-04-20 c:\windows\Tasks\User_Feed_Synchronization-{75592AFF-04B7-4574-8F6E-924C201D398F}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab

DPF: {E4456C1D-ECE7-4C05-996A-3958091C6F55} - hxxp://www.bezeqint.net/Friendly/email_bezeqint/fwTechTool2.cab

FF - ProfilePath - c:\documents and settings\Laura Lash\Application Data\Mozilla\Firefox\Profiles\xpx3npyu.default\

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff36\gears.dll

FF - plugin: c:\documents and settings\Laura Lash\Application Data\Mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\Laura Lash\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

- - - - ORPHANS REMOVED - - - -

ActiveSetup-{EC5738BF-72C3-416F-9D09-24A21222BE58} - fycwdn11.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-20 11:19

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1668)

c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'explorer.exe'(3784)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Google\Update\1.2.183.23\GoogleCrashHandler.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Microsoft LifeCam\MSCamS32.exe

c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe

c:\progra~1\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\Spyware Terminator\sp_rsser.exe

c:\program files\Sony\VAIO Event Service\VESMgr.exe

c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe

c:\windows\system32\igfxext.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Windows Media Player\WMPNetwk.exe

c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

c:\program files\AVG\AVG8\avgcsrvx.exe

c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe

c:\program files\Apoint\Apntex.exe

c:\windows\RTHDCPL.EXE

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2010-04-20 11:32:43 - machine was rebooted

ComboFix-quarantined-files.txt 2010-04-20 15:32

ComboFix2.txt 2010-04-20 01:00

Pre-Run: 14,323,347,456 bytes free

Post-Run: 14,288,551,936 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /PAE

- - End Of File - - 090D87EFDE8F650EE3B75BA75386FD89

[JSntgRvr]

The logs look clear. How is the computer doing?

[Rotem]

HI,

Although the AVG anti-virus notified me about the trojan SHeur3.SAZ a while ago, the computer works much better. No windows pop-out with weird websites. I can tell that the main problem was fixed.

What do you think I should do about this trojan?

Rotem

[JSntgRvr]

HI,

Although the AVG anti-virus notified me about the trojan SHeur3.SAZ a while ago, the computer works much better. No windows pop-out with weird websites. I can tell that the main problem was fixed.

What do you think I should do about this trojan?

Rotem

There is no reference to the trojan SHeur3.SAZ. Any file and location included?

Lets scan for remnants:

• Launch and Update Malwarebytes' Anti-Malware.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy&Paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly.

Please run the F-Secure Online Scanner

• For information click Here.
  
• Allow the installation of the Add-ons and Accept the License Agreement.
  
• Click Full System Scan
  
• Once the download completes,the scan will begin automatically.
  
• The scan will take some time to finish,so please be patient.
  
• When the scan completes, click the Automatic cleaning (recommended) button.
  
• Click the Show Report button and Copy&Paste the entire report in your next reply.
  

[Rotem]

Hi,

The MBAM quick scan came out clean. However the F-secure full scan found that 6 files are infected, 2 were healed.

Following are the logs:

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 4014

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

4/20/2010 10:37:06 PM

mbam-log-2010-04-20 (22-37-06).txt

Scan type: Quick scan

Objects scanned: 114900

Time elapsed: 16 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

--------------------------------------------------------------------------------------------

Scanning Report

Wednesday, April 21, 2010 23:01:03 - 08:54:53

Computer name: LASH

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\

6 malware found

Suspicious:W32/Malware!Gemini (spyware)

* System (Disinfected)

Trojan:INI/Vundo.gen!F (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{E28BBD50-0570-405B-9B46-4310F2CE5171}\RP1373\A1114978.INI (Renamed & Submitted)

Suspicious:W32/Malware!Gemini (virus)

* C:\PROGRAM FILES\COMMON FILES\AVSMEDIA\MOBILEUPLOADER\UPLOADER.EXE (Not cleaned)

Suspicious:W32/Malware!Gemini (virus)

* C:\PROGRAM FILES\AVSMEDIA\VIDEOTOOLS\VIDEOCONVERTER\CAPTUREWIZARD.EXE (Not cleaned)

Suspicious:W32/Malware!Gemini (virus)

* C:\PROGRAM FILES\AVSMEDIA\VIDEOTOOLS\VIDEOCONVERTER\REGISTRATION.EXE (Not cleaned)

Suspicious:W32/Malware!Gemini (virus)

* C:\PROGRAM FILES\AVSMEDIA\DISCCREATOR\DISCCREATOR.EXE (Not cleaned)

Statistics

Scanned:

* Files: 47786

* System: 4681

* Not scanned: 8

Actions:

* Disinfected: 1

* Renamed: 1

* Deleted: 0

* Not cleaned: 4

* Submitted: 1

Files not scanned:

* C:\PAGEFILE.SYS

* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

* C:\WINDOWS\SYSTEM32\CONFIG\SAM

* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

* C:\DOCUMENTS AND SETTINGS\LAURA LASH\LOCAL SETTINGS\TEMP\HSPERFDATA_LAURA LASH\5800

* C:\DOCUMENTS AND SETTINGS\LAURA LASH\LOCAL SETTINGS\TEMP\HSPERFDATA_LAURA LASH\1480

Options

Scanning engines:

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

* Use advanced heuristics

Copyright

[JSntgRvr]

Only Suspicious Files. I wouldn't worry about these.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

Check Turn off System Restore.

Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

UN-Check *Turn off System Restore*.

Click Apply, and then click OK..

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix.

• Rename Combofix to Uninstall and click on it. That should remove the application.
  

Launch OTL and click on the Cleanup button. Follow the prompts.

Manually remove any tool left.

Create a Restore point:

1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
   
2. In the System Restore dialog box, click Create a restore point, and then click Next.
   
3. Type a description for your restore point, such as "After Cleanup", then click Create.
   

How is the computer doing?

[Rotem]

The computer works well. I removed the tools. so far it looks good.

I appreciate your help !

Rotem

[Rotem]

what about the GMER, how should I uninstall it?

R

[JSntgRvr]

what about the GMER, how should I uninstall it?

Right click on it and select Delete.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

1. Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
   
2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
   
3. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
   
4. Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
   
5. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
   
6. ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
   

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

Best wishes!

[Rotem]

Thank a lot for helping !!!

[screen317]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!