thebign28407
2008-05-19, 05:40
Have noticed some new processes and it seems I have a real issue. Since this began my administrator Windows login is not present upon restart and there are many internet-only logins that are password protected. I have no idea what this means or how bad it is. These are the files I see that are the issue.
C:\WINDOWS\system32\afinding.exe
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\wserving.exe
These, and a perfsmon.exe.
I just ran ComboFix and here is the log.
I also have HJT and SDFix ready to run if needed.
It seems like the same issues I read about here (this is how I found the site and registered):
http://forums.spybot.info/showthread.php?p=187900
ComboFix 08-05-15.3 - Administrator 2008-05-18 22:19:19.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.330 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\programs\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\A.tmp
C:\B.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svchost.exe
C:\Documents and Settings\Administrator\Application Data\PPATCH~1
C:\Documents and Settings\Administrator\Application Data\PPATCH~1\??pPatch\
C:\Documents and Settings\Administrator\Application Data\YMBOLS~1
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\system32\andt.sys
C:\WINDOWS\system32\comsa32.sys
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\drmgs.sys
C:\windows\system32\explorer.exe
C:\WINDOWS\system32\iexplorer.dll .dbt
C:\WINDOWS\system32\Indt2.sys
C:\WINDOWS\system32\mp43.exe
C:\WINDOWS\system32\WServing.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_AFINDING
-------\Legacy_ROUTING
-------\Legacy_WSERVING
-------\Service_AFinding
-------\Service_Routing
-------\Service_WServing
((((((((((((((((((((((((( Files Created from 2008-04-19 to 2008-05-19 )))))))))))))))))))))))))))))))
.
2008-05-15 20:33 . 2008-05-15 20:33 <DIR> d-------- C:\Documents and Settings\IUser_2011
2008-05-15 20:33 . 2008-05-18 22:17 1,024 --ah----- C:\Documents and Settings\IUser_2011\ntuser.dat.LOG
2008-05-15 20:02 . 2008-05-15 20:02 <DIR> d-------- C:\Documents and Settings\fuc
2008-05-15 20:02 . 2008-05-18 22:17 1,024 --ah----- C:\Documents and Settings\fuc\ntuser.dat.LOG
2008-05-15 20:01 . 2008-05-15 20:01 <DIR> d-------- C:\Documents and Settings\Guest
2008-05-15 20:01 . 2008-05-18 22:17 1,024 --ah----- C:\Documents and Settings\Guest\ntuser.dat.LOG
2008-05-11 01:03 . 2008-05-11 01:03 <DIR> d---s---- C:\Documents and Settings\LocalService\UserData
2008-05-02 20:28 . 2008-05-17 19:32 77 --a------ C:\WINDOWS\lsoon.ini
2008-05-02 17:57 . 2008-05-17 19:30 25,773 --a------ C:\WINDOWS\system32\drivers\regguard.sys
2008-05-02 17:57 . C:\WINDOWS\(2) C:\ComboFix\winstart.bat
2008-05-02 17:56 . 2008-05-02 17:56 <DIR> d-------- C:\Program Files\Greatis
2008-05-02 17:56 . 2008-05-02 17:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Regrun
2008-05-02 17:56 . 2008-05-17 19:32 <DIR> d-------- C:\backreg
2008-05-02 17:56 . 2003-09-06 15:55 57,556 --a------ C:\WINDOWS\guard.bmp
2008-04-25 23:57 . 2008-04-25 23:57 210 --a------ C:\WINDOWS\MicroSoft.vbs
2008-04-24 22:40 . 2008-04-24 22:40 2,576 --a------ C:\WINDOWS\system32\settings.aaw
2008-04-24 22:40 . 2008-04-24 22:40 1,712 --a------ C:\WINDOWS\system32\history.aaw
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-16 01:38 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2008-05-10 20:36 --------- d-----w C:\Documents and Settings\Administrator\Application Data\dvdcss
2008-05-02 21:11 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-19 19:18 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Media Player Classic
2005-08-21 23:44 36 ----a-w C:\Documents and Settings\Administrator\klextlock.dat
.
------- Sigcheck -------
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"V0350Mon.exe"="C:\WINDOWS\V0350Mon.exe" [2007-06-04 13:02 32768]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 14:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= DivXa32.acm
"vidc.XVID"= xvid.dll
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cklqrtc]
C:\Documents and Settings\Administrator\My Documents\??sks\?srss.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Live! Cam Manager]
--------- 2007-06-07 15:01 155648 C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-04-03 18:29 165784 C:\Program Files\DAEMON Tools\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2004-02-10 11:51 118784 C:\WINDOWS\System32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IESet]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2004-02-10 11:55 155648 C:\WINDOWS\System32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMModule2]
C:\Program Files\ISM\ISMModule2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orss]
C:\DOCUME~1\ADMINI~1\APPLIC~1\PPATCH~1\dexplore.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-11-28 01:13 155648 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-06-03 03:52 36975 C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-11-27 19:47 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\V0350Mon.exe]
-ra------ 2007-06-04 13:02 32768 C:\WINDOWS\V0350Mon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
C:\Program Files\WinPop\winpop.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zone Labs Client]
C:\PROGRA~1\Zone Labs\ZoneAlarm\zapro.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Routing"=2 (0x2)
"AFinding"=2 (0x2)
"KodakCCS"=2 (0x2)
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S0 Partizan;Partizan;C:\WINDOWS\System32\drivers\Partizan.sys []
S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\System32\drivers\av5flt.sys []
S3 RegGuard;RegGuard;C:\WINDOWS\System32\Drivers\regguard.sys [2008-05-17 19:30]
S3 VF0350Afx;VF0350 Audio FX;C:\WINDOWS\System32\Drivers\V0350Afx.sys [2007-06-10 13:01]
S3 VF0350Vfx;VF0350 Video FX;C:\WINDOWS\System32\DRIVERS\V0350VFx.sys [2007-03-05 06:45]
S3 VF0350Vid;Live! Cam Video IM (VF0350);C:\WINDOWS\System32\DRIVERS\V0350Vid.sys [2007-05-10 13:02]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-18 22:20:49
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-05-18 22:22:45
ComboFix-quarantined-files.txt 2008-05-19 02:22:17
Pre-Run: 6,648,741,888 bytes free
Post-Run: 6,634,180,608 bytes free