View Full Version : malware infected laptop
yukukuhi
2009-03-24, 14:11
Hi pskelley, shaba, katana or whoever there,
My laptop is infected with malwares. Please Help. Please Reply And Thank you.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:36:07 PM, on 3/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
C:\Documents and Settings\Shiva\Application Data\U3\00001855E8606999\LaunchPad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 72.245.136.163 lcpa002 lcpa002.leadingc.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: NavHelper Class - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - C:\Program Files\NavExcel\NavHelper\v2.0.4\NHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Transfer by Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163548670578
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment Task Scheduler - Sony Corporation - C:\Program Files\Sony\vaio entertainment\VzTaskScheduler.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
--
End of file - 9911 bytes
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.
If you think you have similar problems, please post a log in the HJT forum and wait for help.
Hello and welcome to the forums
My name is Katana and I will be helping you to remove any infection(s) that you may have.
Please observe these rules while we work:
Please Read All Instructions Carefully
If you don't understand something, stop and ask! Don't keep going on.
Please do not run any other tools or scans whilst I am helping you
Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)
If you can do those few things, everything should go smoothly http://www.countingcows.de/laechel.gif
Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------
What problems are you having ?
Download and Run RSIT
Please download Random's System Information Tool by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:
log.txt will be opened maximized.
info.txt will be opened minimized.
Please post the contents of both log.txt and info.txt.
yukukuhi
2009-03-26, 12:34
Logfile of random's system information tool 1.05 (written by random/random)
Run by Shiva at 2009-03-26 12:49:31
Microsoft Windows XP Professional Service Pack 2
System drive C: has 829 MB (1%) free of 71 GB
Total RAM: 510 MB (43% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:01 PM, on 3/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Shiva\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Shiva.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 72.245.136.163 lcpa002 lcpa002.leadingc.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: NavHelper Class - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - C:\Program Files\NavExcel\NavHelper\v2.0.4\NHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Transfer by Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163548670578
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment Task Scheduler - Sony Corporation - C:\Program Files\Sony\vaio entertainment\VzTaskScheduler.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
--
End of file - 9959 bytes
======Scheduled tasks folder======
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar4.dll [2007-01-20 2403392]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [2007-07-13 325048]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C1E58A84-95B3-4630-B8C2-D06B77B7A0FC}]
NavHelper Class - C:\Program Files\NavExcel\NavHelper\v2.0.4\NHelper.dll [2003-07-28 135168]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar4.dll [2007-01-20 2403392]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2005-02-18 5406720]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2005-06-29 180269]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2004-10-14 131072]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 225280]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-11-04 483328]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]
""= []
"Sony Ericsson PC Suite"=C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe [2005-10-26 237568]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-07-13 68856]
"AlcoholAutomount"=C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe [2008-08-26 4608]
"DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\daemon.exe [2008-08-08 490952]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe /minimized []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcFDMonitor]
C:\WINDOWS\ALCFDRTM.EXE []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
C:\Program Files\Apoint\Apoint.exe [2003-11-08 184320]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
C:\WINDOWS\system32\bthprops.cpl [2004-08-04 110592]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CreateCD_Reminder]
C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe [2004-07-16 53248]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXM6Patch_981116]
C:\WINDOWS\p_981116.exe [1998-12-01 497376]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe [2005-02-23 126976]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe [2005-07-23 176128]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe [2005-02-23 155648]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISBMgr.exe]
C:\Program Files\Sony\ISB Utility\ISBMgr.exe [2004-02-21 32768]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]
ICO.EXE []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2004-10-13 1763840]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
C:\WINDOWS\system32\NvCpl.dll [2005-02-18 5406720]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2008-11-04 483328]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SonyPowerCfg]
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe [2005-01-15 184320]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe [2005-01-25 81920]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0\bin\jusched.exe []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-07-13 68856]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Switcher.exe]
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe [2005-01-21 167936]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2005-06-29 180269]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_8 -reboot 1 []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe [2003-04-20 28672]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 2]
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe [2005-01-15 151552]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Winamp\winampa.exe [2006-06-21 35328]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\READER~1.0\Reader\READER~1.EXE [2006-10-23 117872]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
C:\PROGRA~1\Adobe\READER~1.0\Reader\ADOBEC~1.EXE [2006-10-23 734872]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Shiva^Start Menu^Programs^Startup^Adobe Gamma.lnk]
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [2005-03-17 187392]
C:\Documents and Settings\Shiva\Start Menu\Programs\Startup
Screen Saver Control.lnk - C:\WINDOWS\FSScrCtl.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2005-02-23 348160]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\VESWinlogon]
C:\WINDOWS\system32\VESWinlogon.dll [2005-01-19 73728]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-16 236928]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2004-08-04 239616]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-19 133632]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=1
"DisableTaskMgr"=1
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableLUA"=0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Yahoo!\Messenger\YPager.exe"="C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE"="C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE:*:Enabled:Microsoft Office Excel"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\iTunes\iTunes.exe"="C:\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Google\Google Talk\googletalk.exe"="C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk"
"C:\Program Files\Sony\VAIO Media 4.0\Vc.exe"="C:\Program Files\Sony\VAIO Media 4.0\Vc.exe:*:Disabled:[VAIO Media] VAIO Media"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\SAP\FrontEnd\SAPgui\saplogon.exe"="C:\Program Files\SAP\FrontEnd\SAPgui\saplogon.exe:*:Enabled:SAP Logon for Windows"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"G:\yqylvn.exe"="G:\yqylvn.exe:*:Enabled:ipsec"
"C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe:*:Enabled:ipsec"
"C:\WINDOWS\Explorer.EXE"="C:\WINDOWS\Explorer.EXE:*:Enabled:ipsec"
"C:\WINDOWS\system32\NeroCheck.exe"="C:\WINDOWS\system32\NeroCheck.exe:*:Enabled:ipsec"
"C:\WINDOWS\system32\wscntfy.exe"="C:\WINDOWS\system32\wscntfy.exe:*:Enabled:ipsec"
"C:\WINDOWS\ALCMTR.EXE"="C:\WINDOWS\ALCMTR.EXE:*:Enabled:ipsec"
"C:\WINDOWS\system32\userinit.exe"="C:\WINDOWS\system32\userinit.exe:*:Enabled:ipsec"
"C:\Program Files\Alcohol Soft\Alcohol 120\AxCmd.bin"="C:\Program Files\Alcohol Soft\Alcohol 120\AxCmd.bin:*:Enabled:ipsec"
"C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe:*:Enabled:ipsec"
"C:\Program Files\DAEMON Tools Lite\daemon.exe"="C:\Program Files\DAEMON Tools Lite\daemon.exe:*:Enabled:ipsec"
"C:\Program Files\Real\RealPlayer\RealPlay.exe"="C:\Program Files\Real\RealPlayer\RealPlay.exe:*:Enabled:ipsec"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1356a7d6-17b7-11de-8bec-0013ce0543f8}]
shell\AUtOpLAY\command - G:\yqylvn.exe
shell\AutoRun\command - G:\yqylvn.exe
shell\ExpLorE\command - G:\yqylvn.exe
shell\opEn\command - G:\yqylvn.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea9c8f28-e84a-11dc-898e-00014a829daa}]
shell\AutoRun\command - G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea9c8f29-e84a-11dc-898e-00014a829daa}]
shell\AutoplAy\command - S:\aoad.pif
shell\AutoRun\command - S:\aoad.pif
shell\exPLoRE\command - S:\aoad.pif
shell\OPEn\command - S:\aoad.pif
======List of files/folders created in the last 1 months======
2009-03-26 12:49:31 ----D---- C:\rsit
2009-03-15 16:11:22 ----D---- C:\Documents and Settings\All Users\Application Data\Avg7
2009-03-12 20:32:07 ----D---- C:\Program Files\VirtualDub-1.8.8
2009-03-12 20:25:12 ----A---- C:\WINDOWS\system32\ff_vfw.dll.manifest
2009-03-12 20:25:12 ----A---- C:\WINDOWS\system32\ff_vfw.dll
2009-03-12 20:25:11 ----D---- C:\Program Files\ffdshow
2009-03-12 20:18:38 ----A---- C:\Program Files\AMVapp-uninst.exe
2009-03-04 20:25:07 ----D---- C:\Program Files\GordianKnot
======List of files/folders modified in the last 1 months======
2009-03-26 12:49:33 ----D---- C:\WINDOWS\Prefetch
2009-03-26 12:48:34 ----D---- C:\WINDOWS\system32\drivers
2009-03-26 12:45:43 ----D---- C:\WINDOWS\Temp
2009-03-26 12:44:28 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-03-26 12:41:28 ----D---- C:\Documents and Settings\Shiva\Application Data\U3
2009-03-25 17:52:15 ----DC---- C:\WINDOWS\system32\dllcache
2009-03-25 17:52:10 ----D---- C:\WINDOWS\system32
2009-03-25 17:52:05 ----D---- C:\WINDOWS\system32\CatRoot2
2009-03-24 09:35:18 ----D---- C:\WINDOWS
2009-03-24 09:30:19 ----A---- C:\WINDOWS\DUMP7213.tmp
2009-03-24 09:13:36 ----A---- C:\WINDOWS\NeroDigital.ini
2009-03-23 20:04:27 ----A---- C:\WINDOWS\system.ini
2009-03-21 16:27:13 ----D---- C:\Documents and Settings\Shiva\Application Data\VideoReDo-TVSuite
2009-03-21 16:22:11 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-03-17 18:52:35 ----D---- C:\Program Files\MKVtoolnix
2009-03-15 16:53:13 ----D---- C:\Documents and Settings\Shiva\Application Data\Adobe
2009-03-15 16:51:16 ----SHD---- C:\WINDOWS\Installer
2009-03-15 16:49:15 ----D---- C:\Program Files\Common Files\Adobe
2009-03-15 16:49:15 ----D---- C:\Program Files\Adobe
2009-03-15 16:49:15 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-03-15 16:43:42 ----RD---- C:\Program Files
2009-03-15 16:11:22 ----D---- C:\Program Files\Grisoft
2009-03-15 16:11:13 ----D---- C:\WINDOWS\system
2009-03-15 16:09:57 ----D---- C:\Documents and Settings\All Users\Application Data\Grisoft
2009-03-14 20:08:02 ----HD---- C:\WINDOWS\inf
2009-03-12 20:18:38 ----D---- C:\Program Files\AMVapp
2009-03-12 20:18:33 ----A---- C:\WINDOWS\system32\uninstHelixYUV.exe
2009-03-12 20:17:29 ----D---- C:\Program Files\AviSynth 2.5
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 ASPI32;ASPI32; C:\WINDOWS\system32\drivers\ASPI32.sys [1999-09-10 25244]
R1 DMICall;Sony DMI Call service; C:\WINDOWS\system32\DRIVERS\DMICall.sys [2000-12-06 3952]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-28 36096]
R2 BCMNTIO;BCMNTIO; \??\C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys []
R2 MAPMEM;MAPMEM; \??\C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys []
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-18 13059]
R2 s24trans;WLAN Transport; C:\WINDOWS\system32\DRIVERS\s24trans.sys [2004-10-16 11354]
R2 symlcbrd;symlcbrd; \??\C:\WINDOWS\system32\drivers\symlcbrd.sys []
R3 ApfiltrService;Alps Pointing-device Filter Driver; C:\WINDOWS\system32\DRIVERS\Apfiltr.sys [2003-09-30 94601]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-04 60800]
R3 asc3360pr;asc3360pr; \??\C:\WINDOWS\system32\drivers\mjoklv.sys []
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-04 14080]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2004-08-13 137728]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2004-09-09 1041536]
R3 HSFHWAZL;HSFHWAZL; C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys [2004-09-09 161024]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2004-11-04 2301568]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-04 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2005-02-18 3298144]
R3 SNC;Sony Notebook Control Device; C:\WINDOWS\System32\Drivers\SonyNC.sys [2000-11-10 48896]
R3 SPI;Sony Programmable I/O Control Device; C:\WINDOWS\system32\DRIVERS\SonyPI.sys [2003-06-19 71961]
R3 tifmsony;tifmsony; C:\WINDOWS\system32\drivers\tifmsony.sys [2005-01-07 52736]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-04 20480]
R3 w29n51;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows XP; C:\WINDOWS\system32\DRIVERS\w29n51.sys [2004-10-30 3222784]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2004-09-09 685184]
R3 WinDriver6;WinDriver6; C:\WINDOWS\system32\drivers\windrvr6.sys [2004-07-22 256568]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
S2 DS1410D;DS1410D; \??\C:\WINDOWS\system32\drivers\ds1410d.sys []
S3 61883;61883 Unit Device; C:\WINDOWS\system32\DRIVERS\61883.sys [2004-08-04 48128]
S3 aa3r5ike;aa3r5ike; C:\WINDOWS\system32\drivers\aa3r5ike.sys []
S3 ag7hwdsf;ag7hwdsf; C:\WINDOWS\system32\drivers\ag7hwdsf.sys []
S3 Avc;AVC Device; C:\WINDOWS\system32\DRIVERS\avc.sys [2004-08-04 38912]
S3 BthEnum;Bluetooth Request Block Driver; C:\WINDOWS\system32\DRIVERS\BthEnum.sys [2004-08-04 17024]
S3 BthPan;Bluetooth Device (Personal Area Network); C:\WINDOWS\system32\DRIVERS\bthpan.sys [2004-08-04 100992]
S3 BTHPORT;Bluetooth Port Driver; C:\WINDOWS\System32\Drivers\BTHport.sys [2004-08-04 274304]
S3 BTHUSB;Bluetooth Radio USB Driver; C:\WINDOWS\System32\Drivers\BTHUSB.sys [2004-08-04 18944]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-04 17024]
S3 CE3;Xircom Ethernet Adapter 10/100 Service; C:\WINDOWS\system32\DRIVERS\ce3n5.sys [2001-08-17 27164]
S3 CVirtA;Cisco Systems VPN Adapter; C:\WINDOWS\system32\DRIVERS\CVirtA.sys [2003-05-02 5220]
S3 DCamUSBSony4;Sony Visual Communication Camera; C:\WINDOWS\system32\DRIVERS\snyucam4.sys [2003-01-17 424127]
S3 DCamUSBSonyA4;Sony USB Microphone; C:\WINDOWS\system32\drivers\snyuflt4.sys [2003-01-17 6019]
S3 E100B;Intel(R) PRO Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2004-08-20 154112]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-18 9600]
S3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2005-02-23 807742]
S3 mlnxfltr;mlnxfltr; C:\WINDOWS\system32\drivers\mlnxfltr.sys [2004-07-22 9984]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-18 12160]
S3 MSDV;Microsoft DV Camera and VCR; C:\WINDOWS\system32\DRIVERS\msdv.sys [2004-08-04 51328]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-04 5504]
S3 MultiLINX;MultiLINX; C:\WINDOWS\system32\drivers\mltlnx.sys [2004-07-22 11811]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-04 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-04 10880]
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\WINDOWS\system32\DRIVERS\rfcomm.sys [2004-08-04 59648]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-04 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-04 15360]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-11-07 32000]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2004-08-04 59264]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-04 15104]
S3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S3 vsdatant;vsdatant; \??\C:\WINDOWS\system32\vsdatant.sys []
S3 w200bus;Sony Ericsson W200 driver (WDM); C:\WINDOWS\system32\DRIVERS\w200bus.sys [2006-11-07 61504]
S3 w200mdfl;Sony Ericsson W200 USB WMC Modem Filter; C:\WINDOWS\system32\DRIVERS\w200mdfl.sys [2006-11-07 9328]
S3 w200mdm;Sony Ericsson W200 USB WMC Modem Driver; C:\WINDOWS\system32\DRIVERS\w200mdm.sys [2006-11-07 97056]
S3 w200mgmt;Sony Ericsson W200 USB WMC Device Management Drivers (WDM); C:\WINDOWS\system32\DRIVERS\w200mgmt.sys [2006-11-07 88560]
S3 w200obex;Sony Ericsson W200 USB WMC OBEX Interface; C:\WINDOWS\system32\DRIVERS\w200obex.sys [2006-11-07 86368]
S3 wlluc48;Wireless LAN PC Card Driver; C:\WINDOWS\system32\DRIVERS\wlluc48.sys [2004-08-04 154624]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-04 19328]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 BthServ;Bluetooth Support Service; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
R2 EvtEng;EvtEng; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [2004-10-22 86016]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2005-02-18 127043]
R2 RegSrvc;RegSrvc; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [2004-10-22 139264]
R2 S24EventMonitor;Spectrum24 Event Monitor; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [2004-10-22 360521]
R2 StarWindServiceAE;StarWind AE Service; C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe [2007-05-28 275968]
R2 VAIO Event Service;VAIO Event Service; C:\Program Files\Sony\VAIO Event Service\VESMgr.exe [2005-01-22 150528]
R2 VzCdbSvc;VAIO Entertainment Database Service; C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe [2005-03-05 131072]
R2 VzFw;VAIO Entertainment File Import Service; C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe [2005-03-05 118784]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
R3 VAIO Entertainment Aggregation and Control Service;VAIO Entertainment Aggregation and Control Service; C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe [2005-02-09 143360]
R3 Vcsw;VAIO Entertainment UPnP Client Adapter; C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe [2005-03-05 278528]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2008-02-21 146432]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-28 207800]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 143360]
S3 Image Converter video recording monitor for VAIO Entertainment;Image Converter video recording monitor for VAIO Entertainment; C:\Program Files\Sony\Image Converter 2\IcVzMon.exe [2005-02-15 32768]
S3 MSCSPTISRV;MSCSPTISRV; C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe [2005-01-27 122969]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 166960]
S3 PACSPTISVR;PACSPTISVR; C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe [2005-01-27 127065]
S3 SPTISRV;Sony SPTI Service; C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe [2005-01-27 147542]
S3 SSScsiSV;SonicStage SCSI Service; C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe [2005-01-25 139264]
S3 VAIO Entertainment Task Scheduler;VAIO Entertainment Task Scheduler; C:\Program Files\Sony\vaio entertainment\VzTaskScheduler.exe [2005-02-11 397312]
S3 VAIO Entertainment TV Device Arbitration Service;VAIO Entertainment TV Device Arbitration Service; C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe [2005-03-05 151552]
S3 VAIOMediaPlatform-IntegratedServer-AppServer;VAIO Media Integrated Server; C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe [2005-01-15 1839104]
S3 VAIOMediaPlatform-IntegratedServer-HTTP;VAIO Media Integrated Server (HTTP); C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe [2005-01-15 57344]
S3 VAIOMediaPlatform-IntegratedServer-UPnP;VAIO Media Integrated Server (UPnP); C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [2005-01-15 745472]
S3 VAIOMediaPlatform-Mobile-Gateway;VAIO Media Gateway Server; C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe [2005-01-15 188416]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-19 913408]
-----------------EOF-----------------
yukukuhi
2009-03-26, 12:35
info.txt logfile of random's system information tool 1.05 2009-03-26 12:50:10
======Uninstall list======
-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->C:\WINDOWS\UNNMP.exe /UNINSTALL
-->Dummy
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CA9EC1C6-3B51-11D6-B1A9-BCD2747AA951}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D43F13A1-1E39-4BD4-9682-DF889FE75421}\setup.exe" -l0x9
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Audition 3.0-->msiexec /I {53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}
Adobe Bridge 1.0-->MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer-->MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player 9 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Help Center 1.0-->MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2-->msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
Adobe Stock Photos 1.0-->MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Advanced RealMedia Export Plug-in for Premiere 6.0-->C:\Program Files\Adobe\Premiere 6.5\Plug-ins\RNCompiler\rnuninst.exe RealNetworks|RNCompiler|6.0
Age of Mythology-->"C:\Program Files\Microsoft Games\Age of Mythology\UNINSTAL.EXE" /runtemp /addremove
AMVapp 2.1-->C:\Program Files\AMVapp-uninst.exe
AMVapp Audio Apps 2.0-->C:\Program Files\AMVapp\Audio Apps\uninst.exe
AMVapp Support Tools 2.0-->C:\Program Files\AMVapp\Support Tools\AMVappSupportTools-uninst.exe
Apple Mobile Device Support-->MsiExec.exe /I{EC4455AB-F155-4CC1-A4C5-88F3777F9886}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
AVI Splitter-->"C:\Program Files\avisplit\unins000.exe"
AviSynth 2.5-->"C:\Program Files\AviSynth 2.5\Uninstall.exe"
Avisynth Filters 2.5x-->C:\Program Files\AviSynth 2.5\plugins\uninst.exe
AVS DVD Player version 2.4-->"C:\Program Files\AVSMedia\DVDPlayer\unins000.exe"
Boilsoft Video Joiner 5.01-->"C:\Program Files\Boilsoft Video Joiner\unins000.exe"
Bonjour-->MsiExec.exe /I{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}
CheckIt Diagnostics-->C:\PROGRA~1\CheckIt\DIAGNO~1\UNWISE.EXE C:\PROGRA~1\CheckIt\DIAGNO~1\INSTALL.LOG
Click to DVD 2.0.03 Menu Data-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E407618-D9CD-4F39-9490-9ED45294073D}\setup.exe" -l0x9 -removeonly
Click to DVD 2.4-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E809063C-51A3-4269-8984-D1EB742F2151}\setup.exe" -l0x9 -removeonly
Colorado Fall Vol 1 Screen Saver-->sstunst2.exe Colorado Fall Vol 1
Creative PC-CAM Center-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D43F13A1-1E39-4BD4-9682-DF889FE75421}\setup.exe" -l0x9 /remove
Creative WebCam Monitor-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CA9EC1C6-3B51-11D6-B1A9-BCD2747AA951}\setup.exe" -l0x9 /remove
dBpoweramp DSP Effects-->"C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpoweramp DSP Effects.dat
dBpoweramp Music Converter-->"C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Music Converter.dat
DGMPEGDec 1.2.1-->C:\Program Files\AMVapp\DGMPEGDec\uninst.exe
Disc2Phone-->MsiExec.exe /I{FFAB5ABB-8AAB-42E2-847F-1743E51E01E9}
Disciples: Sacred Lands Gold Edition-->C:\PROGRA~1\STRATE~1\DISCIP~1\UNWISE.EXE C:\PROGRA~1\STRATE~1\DISCIP~1\INSTALL.LOG
DVD Decrypter (Remove Only)-->"C:\Program Files\DVD Decrypter\uninstall.exe"
DVgate Plus-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{685BCC47-B8EC-45EC-BBCE-77DF2451502C}\Setup.exe" -l0x9
F22 Air Dominance Fighter-->C:\WINDOWS\uninst.exe -f"C:\Program Files\DID\F22ADF\DeIsL1.isu"
ffdshow [rev 1846] [2008-02-05]-->"C:\Program Files\ffdshow\unins000.exe"
Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\program files\google\googletoolbar4.dll"
Gordian Knot Rip Pack 0.35.0-->C:\Program Files\GordianKnot\uninst.exe
HDAUDIO SoftV92 Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_20030003\HXFSETUP.EXE -U -IHDAUDIO\FUNC_02&VEN_14F1&DEV_2BFA&SUBSYS_20030003
Helix YUV Codecs (remove only)-->"C:\WINDOWS\system32\uninstHelixYUV.exe"
High Definition Audio Driver Package - KB835221-->C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB914440)-->"C:\WINDOWS\$NtUninstallKB914440$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB915865)-->"C:\WINDOWS\$NtUninstallKB915865$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB926239)-->"C:\WINDOWS\$NtUninstallKB926239$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB935448)-->"C:\WINDOWS\$NtUninstallKB935448$\spuninst\spuninst.exe"
Image Converter 2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9155A84B-A94B-496E-9661-9978EB0CBC7C}\Setup.exe" /UNINSTALL
Intel(R) Graphics Media Accelerator Driver for Mobile-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2792 PCI\VEN_8086&DEV_2592
Intel(R) PRO Network Connections Drivers-->Prounstl.exe
Intel(R) PROSet/Wireless Software-->C:\WINDOWS\Installer\iProInst.exe
iTunes-->MsiExec.exe /I{318AB667-3230-41B5-A617-CB3BF748D371}
Lame ACM MP3 Codec-->C:\WINDOWS\system32\rundll32.exe setupapi,InstallHinfSection Remove_LameMP3 132 C:\WINDOWS\INF\LameACM.inf
Lossless Codecs -->C:\Program Files\AMVapp\HuffYUV-uninst.exe
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
mCore-->MsiExec.exe /I{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}
mDriver-->MsiExec.exe /I{28DA872A-0848-48CF-B749-19A198157A2A}
Memory Stick Formatter-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{27337663-2619-11D4-99DC-0000F49094C7}\setup.exe" -l0x9 /UNINSTALL
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Age of Empires Gold-->"C:\Program Files\Microsoft Games\Age of Empires\UNINSTAL.EXE" /runtemp
Microsoft Data Access Components KB870669-->C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
Microsoft Works-->MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
MKVtoolnix 2.4.1-->C:\Program Files\MKVtoolnix\uninst.exe
mMHouse-->MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Mozilla Firefox (1.0.4)-->C:\WINDOWS\UninstallFirefox.exe /ua "1.0.4 (en-US)"
mPfMgr-->MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mProSafe-->MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML4 Parser-->MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
mWlsSafe-->MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML-->MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
MySQL Connector/ODBC 3.51-->MsiExec.exe /I{0CB3C535-1171-4A20-B549-E2CB5DEB9723}
NavHelper-->"C:\Program Files\NavExcel\NavHelper\v2.0.4\NHUninstaller.exe"
Neat Image v6 Demo (with plug-in)-->"C:\Program Files\Neat Image\unins000.exe"
Nero Suite-->C:\Program Files\Common Files\Nero\Uninstall\Setupx.exe /uninstall ExtraUninstallID=""
Network Smart Capture-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{30642CE1-217B-40C0-92E2-6BF849599D9E}\setup.exe" -l0x9
NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI
OpenMG Limited Patch 4.1-05-13-31-01-->C:\Program Files\Common Files\Sony Shared\OpenMG\HotFixes\HotFix4.1-05-13-31-01\HotFixSetup\setup.exe /u
OpenMG Secure Module 4.1.00-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{2F151B50-B434-4838-B51D-70442EBA093E} UNINSTALL
Pegasus Imaging PICVideo Motion JPEG 3.0-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{37FF74E1-843A-4431-AA07-E73E2B847CA4}
PictureGear Studio 2.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88DA0A52-3372-4803-971A-ADFB961707E8}\Setup.exe"
Pocket Tanks 1.00b-->"C:\Program Files\Pocket Tanks\unins000.exe"
PremiereAVSPlugin 1.5-->C:\Program Files\Adobe\Premiere 6.5\Plug-ins\Premiere AVS Plugin uninst.exe
Quicken 2005-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{2DBE41DD-2129-4C65-A3D3-5647236A60F3} anything
QuickTime-->MsiExec.exe /I{F958CA02-BB40-4007-894B-258729456EE4}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" REMOVE
Robin Hood: The Legend Of Sherwood-->C:\PROGRA~1\STRATE~1\ROBINH~1\UNWISE.EXE C:\PROGRA~1\STRATE~1\ROBINH~1\INSTALL.LOG
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458)-->"C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB911564)-->"C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 6.4 (KB925398)-->"C:\WINDOWS\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"
Security Update for Windows XP (KB883939)-->"C:\WINDOWS\$NtUninstallKB883939$\spuninst\spuninst.exe"
Security Update for Windows XP (KB890046)-->"C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893066)-->"C:\WINDOWS\$NtUninstallKB893066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893756)-->"C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896358)-->"C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896422)-->"C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896423)-->"C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896424)-->"C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896428)-->"C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896688)-->"C:\WINDOWS\$NtUninstallKB896688$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587)-->"C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899588)-->"C:\WINDOWS\$NtUninstallKB899588$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899589)-->"C:\WINDOWS\$NtUninstallKB899589$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899591)-->"C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Security Update for Windows XP (KB900725)-->"C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901017)-->"C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901190)-->"C:\WINDOWS\$NtUninstallKB901190$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901214)-->"C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB903235)-->"C:\WINDOWS\$NtUninstallKB903235$\spuninst\spuninst.exe"
Security Update for Windows XP (KB904706)-->"C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905414)-->"C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905749)-->"C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905915)-->"C:\WINDOWS\$NtUninstallKB905915$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908519)-->"C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908531)-->"C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911280)-->"C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911562)-->"C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911567)-->"C:\WINDOWS\$NtUninstallKB911567$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911927)-->"C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912812)-->"C:\WINDOWS\$NtUninstallKB912812$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912919)-->"C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913446)-->"C:\WINDOWS\$NtUninstallKB913446$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913580)-->"C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914388)-->"C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914389)-->"C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Security Update for Windows XP (KB916281)-->"C:\WINDOWS\$NtUninstallKB916281$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917159)-->"C:\WINDOWS\$NtUninstallKB917159$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917344)-->"C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917422)-->"C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917953)-->"C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918118)-->"C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918439)-->"C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918899)-->"C:\WINDOWS\$NtUninstallKB918899$\spuninst\spuninst.exe"
Security Update for Windows XP (KB919007)-->"C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920213)-->"C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920214)-->"C:\WINDOWS\$NtUninstallKB920214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920670)-->"C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920683)-->"C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920685)-->"C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921398)-->"C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921503)-->"C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921883)-->"C:\WINDOWS\$NtUninstallKB921883$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922616)-->"C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922760)-->"C:\WINDOWS\$NtUninstallKB922760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922819)-->"C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923191)-->"C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923414)-->"C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923694)-->"C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923980)-->"C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924191)-->"C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924270)-->"C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924496)-->"C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924667)-->"C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925454)-->"C:\WINDOWS\$NtUninstallKB925454$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925486)-->"C:\WINDOWS\$NtUninstallKB925486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925902)-->"C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926255)-->"C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926436)-->"C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927779)-->"C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927802)-->"C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928090)-->"C:\WINDOWS\$NtUninstallKB928090$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928255)-->"C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928843)-->"C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929123)-->"C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929969)-->"C:\WINDOWS\$NtUninstallKB929969$\spuninst\spuninst.exe"
Security Update for Windows XP (KB930178)-->"C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931261)-->"C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931768)-->"C:\WINDOWS\$NtUninstallKB931768$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931784)-->"C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Security Update for Windows XP (KB932168)-->"C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933566)-->"C:\WINDOWS\$NtUninstallKB933566$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933729)-->"C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935839)-->"C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935840)-->"C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Security Update for Windows XP (KB936021)-->"C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Security Update for Windows XP (KB937143)-->"C:\WINDOWS\$NtUninstallKB937143$\spuninst\spuninst.exe"
Security Update for Windows XP (KB937894)-->"C:\WINDOWS\$NtUninstallKB937894$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938127)-->"C:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938829)-->"C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Security Update for Windows XP (KB939653)-->"C:\WINDOWS\$NtUninstallKB939653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941202)-->"C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941568)-->"C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941644)-->"C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB942615)-->"C:\WINDOWS\$NtUninstallKB942615$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943460)-->"C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943485)-->"C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944653)-->"C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Sonic RecordNow!-->MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
SonicStage 3.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A0EB195B-5876-48E6-879D-33D4B2102610}\setup.exe" -l0x9 UNINSTALL -removeonly
SonicStage Mastering Studio Audio Filter Custom Preset-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{013E1BA8-C815-4E27-BCB9-D6B1B2E24094}\setup.exe" -l0x9
Sony Certificate PCH-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0448678-1203-4158-A58F-B3D0B616BF9E}\setup.exe"
Sony Ericsson PC Suite-->MsiExec.exe /I{B56B1487-9A26-4AFD-A1FD-949C40F5F2BC}
Sony MP4 Shared Library-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{01FDC9FC-4D4F-4DB0-ACD1-D3E8E1D52902}\setup.exe" -l0x9 -removeonly
Sony USB Mouse-->Pmuninst.exe MouseSuite98
Sony Utilities DLL-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EF3D45BB-2260-4008-88EA-492E7744A9DF}\setup.exe" -l0x9
Sony Video Shared Library-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BE56FEF0-1A0F-4719-B3AD-34B5087AFA6D}\setup.exe" -l0x9 -removeonly
Symantec KB-DocID:2003093015493306-->MsiExec.exe /I{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}
Update for Windows XP (KB894391)-->"C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Update for Windows XP (KB896727)-->"C:\WINDOWS\$NtUninstallKB896727$\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB900485)-->"C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Update for Windows XP (KB904942)-->"C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
Update for Windows XP (KB910437)-->"C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Update for Windows XP (KB916595)-->"C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Update for Windows XP (KB920872)-->"C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Update for Windows XP (KB922582)-->"C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Update for Windows XP (KB927891)-->"C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Update for Windows XP (KB929338)-->"C:\WINDOWS\$NtUninstallKB929338$\spuninst\spuninst.exe"
Update for Windows XP (KB930916)-->"C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Update for Windows XP (KB931836)-->"C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
Update for Windows XP (KB933360)-->"C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"
Update for Windows XP (KB936357)-->"C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Update for Windows XP (KB938828)-->"C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Update for Windows XP (KB942840)-->"C:\WINDOWS\$NtUninstallKB942840$\spuninst\spuninst.exe"
Update for Windows XP (KB946627)-->"C:\WINDOWS\$NtUninstallKB946627$\spuninst\spuninst.exe"
VAIO Control Center-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4E993095-28F2-4060-9101-99C1FD1195C0}\setup.exe" -l0x9
VAIO Entertainment Platform-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D917FD82-6CE5-489A-AAF8-C701AAC85C4D}\setup.exe" -l0x9
VAIO Event Service-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0D85ADD-DD61-4B43-87A0-6DA52A211A8B}\setup.exe" -l0x9
VAIO Launcher-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A43F939E-A863-433D-AC78-0897E44CFEB2}\setup.exe" -l0x9
VAIO Light Flo Wallpaper-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{639BB4D3-AA30-4A7B-8CB5-6DE681AD6659}\setup.exe" -l0x9
VAIO Media 4.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1EB317D8-8945-4FD6-B37F-DF470317C6AB}\Setup.exe" -l0x9 UNINSTALL
VAIO Media AC3 Decoder 1.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2063C2E8-3812-4BBD-9998-6610F80C1DD4}\Setup.exe" -l0x9 UNINSTALL
VAIO Media Integrated Server 4.1-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A79D11B-FD82-4A5E-834F-20173515DD14}\setup.exe" -l0x9 UNINSTALL -removeonly
VAIO Media Redistribution 4.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7128C69B-8F7E-4336-8698-3FD3CDD955EC}\Setup.exe" -l0x9 UNINSTALL
VAIO Media Registration Tool 4.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AF9A04EB-7D8E-41DE-9EDE-4AB9BB2B71B6}\setup.exe" -l0x9 UNINSTALL
VAIO Original Screen Saver VAIO Motion SD Wide Contents-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{51735133-A296-4EB0-BF16-AD93B55BD000}\setup.exe" -l0x9
VAIO Original Screen Saver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1BEF9285-5530-426B-A5F1-5836B95C7EB1}\setup.exe" -l0x9
VAIO Power Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E319E96-ED8E-4B01-9775-C521A1869A25}\setup.exe" -l0x9
VAIO Registration-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{315BA29D-2644-4760-B5FD-5AC04A52B8C5}
VAIO Survey Standalone-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{FA11D5B5-7D0A-43E8-88C4-960F97B194DE}
VAIO Update 2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48820099-ED7D-424B-890C-9A82EF00656D}\setup.exe" -l0x9
VAIO Wireless Utility-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0DF00135-D5A7-476A-BFB3-EDFF2840076A}\Setup.exe" -l0x9
VAIO Zone-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ED8D39F2-7FFA-45EC-B148-EF2472955BB4}\Setup.exe" -l0x9
VideoReDo TVSuite Version 3.1.4.549-->"C:\Program Files\VideoReDoTVSuite\unins000.exe"
VirtualDubMod 1.5.4.1-->C:\Program Files\AMVapp\VirtualDubMod\uninst.exe
Winamp (remove only)-->"C:\Winamp\UninstWA.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 10 Hotfix [See KB886612 for more information]-->C:\WINDOWS\$NtUninstallKB886612$\spuninst\spuninst.exe
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Hotfix - KB307154-->C:\WINDOWS\$NtUninstallKB307154$\spuninst\spuninst.exe
Windows XP Hotfix - KB867282-->C:\WINDOWS\$NtUninstallKB867282$\spuninst\spuninst.exe
Windows XP Hotfix - KB873333-->C:\WINDOWS\$NtUninstallKB873333$\spuninst\spuninst.exe
Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB884575-->C:\WINDOWS\$NtUninstallKB884575$\spuninst\spuninst.exe
Windows XP Hotfix - KB885250-->C:\WINDOWS\$NtUninstallKB885250$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185-->C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB887472-->C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Windows XP Hotfix - KB887742-->C:\WINDOWS\$NtUninstallKB887742$\spuninst\spuninst.exe
Windows XP Hotfix - KB888113-->C:\WINDOWS\$NtUninstallKB888113$\spuninst\spuninst.exe
Windows XP Hotfix - KB888239-->C:\WINDOWS\$NtUninstallKB888239$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890047-->C:\WINDOWS\$NtUninstallKB890047$\spuninst\spuninst.exe
Windows XP Hotfix - KB890175-->C:\WINDOWS\$NtUninstallKB890175$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859-->"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP Hotfix - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
Windows XP Hotfix - KB893086-->"C:\WINDOWS\$NtUninstallKB893086$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Wireless Switch Setting Utility-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2A0F3EF9-68EE-49E9-A05B-ED5B82DF63E5}\setup.exe" -l0x9
Xvid 1.1.3 final uninstall-->"C:\Program Files\Xvid\unins000.exe"
======Hosts File======
10.0.1.19 ltuxxi #PRE #SAP XI Unix Server
10.0.1.20 lxi #PRE #SAP R3 unix Server
72.245.136.163 lcpa002 lcpa002.leadingc.com
======Security center information======
FW: Norton Internet Worm Protection (disabled)
System event log
Computer Name: SHIVA
Event Code: 7035
Message: The SSDP Discovery Service service was successfully sent a start control.
Record Number: 122729
Source Name: Service Control Manager
Time Written: 20090125214149.000000+330
Event Type: information
User: SHIVA\Shiva
Computer Name: SHIVA
Event Code: 7035
Message: The Remote Access Connection Manager service was successfully sent a start control.
Record Number: 122728
Source Name: Service Control Manager
Time Written: 20090125214149.000000+330
Event Type: information
User: SHIVA\Shiva
Computer Name: SHIVA
Event Code: 7036
Message: The Telephony service entered the running state.
Record Number: 122727
Source Name: Service Control Manager
Time Written: 20090125214147.000000+330
Event Type: information
User:
Computer Name: SHIVA
Event Code: 7036
Message: The Fast User Switching Compatibility service entered the running state.
Record Number: 122726
Source Name: Service Control Manager
Time Written: 20090125214147.000000+330
Event Type: information
User:
Computer Name: SHIVA
Event Code: 7035
Message: The Fast User Switching Compatibility service was successfully sent a start control.
Record Number: 122725
Source Name: Service Control Manager
Time Written: 20090125214147.000000+330
Event Type: information
User: NT AUTHORITY\SYSTEM
Application event log
Computer Name: SHIVA
Event Code: 1
Message: Service started.
Record Number: 30383
Source Name: VzFw
Time Written: 20090311193603.000000+330
Event Type: information
User:
Computer Name: SHIVA
Event Code: 0
Message:
Record Number: 30382
Source Name: VAIO Event Service
Time Written: 20090311193602.000000+330
Event Type: information
User:
Computer Name: SHIVA
Event Code: 0
Message:
Record Number: 30381
Source Name: RegSrvc
Time Written: 20090311193544.000000+330
Event Type: information
User:
Computer Name: SHIVA
Event Code: 1
Message:
Record Number: 30380
Source Name: Bonjour Service
Time Written: 20090311193542.000000+330
Event Type: information
User:
Computer Name: SHIVA
Event Code: 1
Message:
Record Number: 30379
Source Name: Avg7UpdSvc
Time Written: 20090311193541.000000+330
Event Type: information
User:
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Intel\Wireless\Bin\;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\F-Secure\SSHTRI~1;;C:\PROGRA~1\F-Secure\SSHTRI~1;C:\Program Files\Microsoft USB Flash Drive Manager\;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\Smart Projects\IsoBuster;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Teleca Shared
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 13 Stepping 8, GenuineIntel
"PROCESSOR_REVISION"=0d08
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip
"DEFAULT_CA_NR"=CA6
-----------------EOF-----------------
Please ensure that any USB/Flash/External drives are connected whilst we are cleaning your machine.
Flash Disinfector by sUBs
Please download Flash_Disinfector.exe (http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe) by sUBs and save it to your desktop:
Double-click Flash_Disinfector.exe to run it.
Follow any prompts that may appear.
Wait until the program has finished scanning, then please exit the program.
The tool may ask you to insert your flash drive, or other removable drives. Please do so and allow the tool to clean it up as well.
Please restart your computer.
Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:
Bleeping Computer ComboFix Tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply
Re-enable all the programs that were disabled during the running of ComboFix..
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
yukukuhi
2009-03-27, 08:14
Hi katana,
When i runned combofix it said Error - Win32 Only incompatible os, but it continued scanning even after that.
ComboFix 09-03-26.02 - Shiva 2009-03-27 12:03:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.228 [GMT 5.5:30]
Running from: c:\documents and settings\Shiva\Desktop\ComboFix.exe
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
c:\windows\IE4 Error Log.txt
c:\windows\setup.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ASC3360PR
-------\Service_asc3360pr
((((((((((((((((((((((((( Files Created from 2009-02-27 to 2009-03-27 )))))))))))))))))))))))))))))))
.
2009-03-15 16:11 . 2009-03-15 16:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg7
2009-03-12 20:32 . 2009-03-13 09:54 <DIR> d-------- c:\program files\VirtualDub-1.8.8
2009-03-12 20:25 . 2009-03-18 09:41 <DIR> d-------- c:\program files\ffdshow
2009-03-04 20:25 . 2009-03-04 20:25 <DIR> d-------- c:\program files\GordianKnot
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-27 06:05 --------- d-----w c:\documents and settings\Shiva\Application Data\U3
2009-03-24 04:00 98,304 ----a-w c:\windows\DUMP7213.tmp
2009-03-21 10:57 --------- d-----w c:\documents and settings\Shiva\Application Data\VideoReDo-TVSuite
2009-03-21 10:52 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-17 13:22 --------- d-----w c:\program files\MKVtoolnix
2009-03-16 16:54 --------- d-----w c:\documents and settings\LocalService\Application Data\Sony Corporation
2009-03-15 11:19 --------- d-----w c:\program files\Common Files\Adobe
2009-03-15 10:39 --------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2009-03-12 14:48 132,380 ----a-w c:\program files\AMVapp-uninst.exe
2009-03-12 14:48 --------- d-----w c:\program files\AMVapp
2009-03-12 14:47 --------- d-----w c:\program files\AviSynth 2.5
2007-07-20 03:42 356,352 -c--a-w c:\documents and settings\Shiva\cwshredder.dll
2006-04-08 16:05 111,232 -c--a-w c:\documents and settings\Shiva\g2mdlhlpx.exe
2005-05-11 17:28 94,208 -c--a-w c:\program files\mozilla firefox\components\BrandRes.dll
2005-05-11 17:28 150,912 -c--a-w c:\program files\mozilla firefox\components\fullsoft.dll
2005-05-11 17:28 41,573 -c--a-w c:\program files\mozilla firefox\components\jar50.dll
2005-05-11 17:28 48,223 -c--a-w c:\program files\mozilla firefox\components\jsd3250.dll
2005-05-11 17:28 8,813 -c--a-w c:\program files\mozilla firefox\components\qfaservices.dll
2005-05-11 17:28 159,335 -c--a-w c:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-13 68856]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-08-26 4608]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-02-18 5406720]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-06-29 180269]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 225280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 483328]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 237568]
c:\documents and settings\Shiva\Start Menu\Programs\Startup\
Screen Saver Control.lnk - c:\windows\FSScrCtl.exe [2008-08-15 249344]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-01-19 02:18 73728 c:\windows\system32\VESWinlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg30.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.LAGS"= lagarith.dll
"vidc.i420"= i420vfw.dll
"msacm.avis"= ff_acm.acm
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Shiva^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Shiva\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a--c--- 2003-11-08 05:51 184320 c:\program files\Apoint\Apoint.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CreateCD_Reminder]
--a--c--- 2004-07-16 23:47 53248 c:\windows\SONYSYS\VAIO Recovery\Reminder.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 17:30 15360 c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXM6Patch_981116]
--a--c--- 1998-12-01 04:34 497376 c:\windows\p_981116.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-02-23 06:04 126976 c:\windows\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a--c--- 2005-07-23 08:10 176128 c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-02-23 06:07 155648 c:\windows\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISBMgr.exe]
--a--c--- 2004-02-21 03:42 32768 c:\program files\Sony\ISB Utility\ISBMgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 21:54 1763840 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2005-02-18 04:01 5406720 c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 483328 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SonyPowerCfg]
--a--c--- 2005-01-15 05:48 184320 c:\program files\Sony\VAIO Power Management\SPMgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
--a--c--- 2005-01-25 08:28 81920 c:\progra~1\Sony\SONICS~1\SSAAD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-13 01:03 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Switcher.exe]
--a--c--- 2005-01-21 09:54 167936 c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-06-29 07:00 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
--a--c--- 2003-04-20 09:38 28672 c:\windows\SONYSYS\VAIO Recovery\PartSeal.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 2]
--a------ 2005-01-15 03:13 151552 c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a--c--- 2006-06-21 22:44 35328 c:\winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 17:30 110592 c:\windows\system32\bthprops.cpl
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE"=
"c:\\Program Files\\Sony\\VAIO Media 4.0\\Vc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe"=
"c:\\WINDOWS\\system32\\NeroCheck.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\WINDOWS\\ALCMTR.EXE"=
"c:\\WINDOWS\\system32\\userinit.exe"=
"c:\\Program Files\\Alcohol Soft\\Alcohol 120\\AxCmd.bin"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"c:\\Program Files\\DAEMON Tools Lite\\daemon.exe"=
"c:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=
"c:\\Program Files\\Adobe\\Adobe Audition 3.0\\Audition.exe"=
"c:\\WINDOWS\\system32\\CF18933.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2006-09-13 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2006-09-13 3904]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2005-03-18 71961]
S3 DCamUSBSony4;Sony Visual Communication Camera;c:\windows\system32\drivers\snyucam4.sys [2005-07-01 424127]
S3 DCamUSBSonyA4;Sony USB Microphone;c:\windows\system32\drivers\snyuflt4.sys [2005-07-01 6019]
S3 mlnxfltr;mlnxfltr;c:\windows\system32\drivers\mlnxfltr.sys [2005-07-04 9984]
S3 MultiLINX;MultiLINX;c:\windows\system32\drivers\mltlnx.sys [2005-07-04 11811]
S3 w200bus;Sony Ericsson W200 driver (WDM);c:\windows\system32\drivers\w200bus.sys [2008-12-21 61504]
S3 w200mdfl;Sony Ericsson W200 USB WMC Modem Filter;c:\windows\system32\drivers\w200mdfl.sys [2008-12-21 9328]
S3 w200mdm;Sony Ericsson W200 USB WMC Modem Driver;c:\windows\system32\drivers\w200mdm.sys [2008-12-21 97056]
S3 w200mgmt;Sony Ericsson W200 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w200mgmt.sys [2008-12-21 88560]
S3 w200obex;Sony Ericsson W200 USB WMC OBEX Interface;c:\windows\system32\drivers\w200obex.sys [2008-12-21 86368]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ASC3360PR
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1356a7d6-17b7-11de-8bec-0013ce0543f8}]
\Shell\AUtOpLAY\cOMMand - G:\yqylvn.exe
\Shell\AutoRun\command - G:\yqylvn.exe
\Shell\ExpLorE\ComMand - G:\yqylvn.exe
\Shell\opEn\commaNd - G:\yqylvn.exe
.
Contents of the 'Scheduled Tasks' folder
2009-03-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-!AVG Anti-Spyware - c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
MSConfigStartUp-AlcFDMonitor - c:\windows\ALCFDRTM.EXE
MSConfigStartUp-AVG7_CC - c:\progra~1\Grisoft\AVG7\avgcc.exe
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.5.0\bin\jusched.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
MSConfigStartUp-Mouse Suite 98 Daemon - ICO.EXE
.
------- Supplementary Scan -------
.
uStart Page = hxxp://gmail.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Transfer by Image Converter 2 - c:\program files\Sony\Image Converter 2\menu.htm
Trusted Zone: aol.com\free
FF - ProfilePath -
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.link.open_newwindow.ui", 3); // prefs UI version
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromString", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromStream", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.disable_window_open_feature.status", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("advanced.always_load_images", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.protocol-handler.external.help", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN_show_punycode", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.version",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.extensions.version", "1.0");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.build_id",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.autoUpdateEnabled", true); // Whether or not background app updates
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.url", "chrome://mozapps/locale/update/update.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.updatesAvailable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.lastUpdateDate", 0); // UTC offset when last App update was
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.performed", false); // Whether or not an update has been
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdateEnabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdate", false); // Automatically download and install
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.interval", 604800000); // Check for updates to Extensions and
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.lastUpdateDate", 0); // UTC offset when last Extension/Theme
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.severity.threshold", 5);// The number of pending Extension/Theme
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.count", 0); // The number of extension/theme/etc
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.interval", 3600000); // Check each of the above intervals
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.showSlidingNotification", true); // Windows-only slide-up taskbar
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.severity", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendorSub",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.update.resetHomepage", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://browser/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://browser/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("pfs.datasource.url", "chrome://mozapps/locale/plugins/plugins.properties");
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-27 12:20:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1482251334-1830561315-212462575-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b4,6a,23,32,f6,90,d5,4b,23,be,b6,60,9a,05,ec,4d,e6,39,cf,71,06,97,67,
23,fc,7f,e4,9b,63,96,18,d9,71,08,da,36,0b,68,a2,17,48,87,96,27,19,25,17,68,\
"??"=hex:cc,f4,94,dc,38,7e,ce,e1,4d,0b,ff,0c,d9,86,71,4c
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ�•€|ù•A~�*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(580)
c:\windows\system32\VESWinlogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Teleca Shared\CapabilityManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
.
**************************************************************************
.
Completion time: 2009-03-27 12:27:58 - machine was rebooted [Shiva]
ComboFix-quarantined-files.txt 2009-03-27 06:57:55
Pre-Run: 2,097,201,152 bytes free
Post-Run: 2,884,734,976 bytes free
308 --- E O F --- 2008-01-09 06:04:53
Please ensure that any USB/Flash/External drives are connected whilst we are cleaning your machine.
Custom CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1356a7d6-17b7-11de-8bec-0013ce0543f8}]
ADS::
Save this as CFScript.txt and place it on your desktop.
http://i51.photobucket.com/albums/f387/Katana_1970/CFScriptb.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html
Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
**Note**
To optimize scanning time and produce a more sensible report for review: Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Combofix Log
Kaspersky Log
How are things running now ?
yukukuhi
2009-03-31, 09:26
ComboFix 09-03-30.02 - Shiva 2009-03-31 10:03:43.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.212 [GMT 5.5:30]
Running from: c:\documents and settings\Shiva\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Shiva\Desktop\CFScript.txt
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ASC3360PR
-------\Service_asc3360pr
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-31 )))))))))))))))))))))))))))))))
.
2009-03-31 09:42 . 2009-03-31 09:31 63,049,904 --a------ C:\avgfree.exe
2009-03-31 08:54 . 2009-03-31 08:54 <DIR> d--hs---- c:\documents and settings\Shiva\UserData
2009-03-30 12:23 . 2009-03-30 20:21 <DIR> d-------- C:\Adobe Audition Temp
2009-03-15 16:11 . 2009-03-31 09:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg7
2009-03-13 09:46 . 2008-09-24 20:41 839,680 --a------ c:\windows\system32\LameACM.acm
2009-03-13 09:46 . 2002-04-07 11:17 414 -ra------ c:\windows\system32\lame_acm.xml
2009-03-12 20:32 . 2009-03-13 09:54 <DIR> d-------- c:\program files\VirtualDub-1.8.8
2009-03-12 20:25 . 2009-03-18 09:41 <DIR> d-------- c:\program files\ffdshow
2009-03-12 20:25 . 2007-12-24 13:49 7,680 --a------ c:\windows\system32\ff_vfw.dll
2009-03-12 20:25 . 2007-12-07 18:28 6,144 --a------ c:\windows\system32\ff_acm.acm
2009-03-12 20:25 . 2007-07-10 17:10 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2009-03-12 20:18 . 2009-03-12 20:18 132,380 --a------ c:\program files\AMVapp-uninst.exe
2009-03-04 20:25 . 2009-03-04 20:25 <DIR> d-------- c:\program files\GordianKnot
2009-02-13 17:15 . 2009-02-13 17:27 <DIR> d-------- C:\New Folder (2)
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-31 03:22 --------- d-----w c:\program files\Google
2009-03-30 08:56 --------- d-----w c:\documents and settings\Shiva\Application Data\U3
2009-03-29 14:15 --------- d-----w c:\program files\Xvid
2009-03-24 04:00 98,304 ----a-w c:\windows\DUMP7213.tmp
2009-03-21 10:57 --------- d-----w c:\documents and settings\Shiva\Application Data\VideoReDo-TVSuite
2009-03-21 10:52 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-16 16:54 --------- d-----w c:\documents and settings\LocalService\Application Data\Sony Corporation
2009-03-15 11:19 --------- d-----w c:\program files\Common Files\Adobe
2009-03-15 10:39 --------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2009-03-12 14:48 --------- d-----w c:\program files\AMVapp
2009-03-12 14:47 --------- d-----w c:\program files\AviSynth 2.5
2007-07-20 03:42 356,352 -c--a-w c:\documents and settings\Shiva\cwshredder.dll
2006-04-08 16:05 111,232 -c--a-w c:\documents and settings\Shiva\g2mdlhlpx.exe
2005-05-11 17:28 94,208 -c--a-w c:\program files\mozilla firefox\components\BrandRes.dll
2005-05-11 17:28 150,912 -c--a-w c:\program files\mozilla firefox\components\fullsoft.dll
2005-05-11 17:28 41,573 -c--a-w c:\program files\mozilla firefox\components\jar50.dll
2005-05-11 17:28 48,223 -c--a-w c:\program files\mozilla firefox\components\jsd3250.dll
2005-05-11 17:28 8,813 -c--a-w c:\program files\mozilla firefox\components\qfaservices.dll
2005-05-11 17:28 159,335 -c--a-w c:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-03-27_12.26.11.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-15 10:58:22 249,344 ----a-w c:\windows\FSScrCtl.exe
+ 2008-08-15 10:58:22 327,168 ----a-w c:\windows\FSScrCtl.exe
+ 2009-03-31 04:40:19 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_f2c.dat
+ 2006-12-01 17:26:00 96,256 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2006-12-01 18:55:52 1,101,824 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2006-12-01 18:55:56 1,093,120 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-01 18:55:58 69,632 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-01 18:56:00 57,856 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-01 18:38:00 40,960 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-01 18:38:00 45,056 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-01 18:38:00 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-01 18:38:00 57,344 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-01 18:38:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-01 18:38:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-01 18:38:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-01 18:38:00 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-01 18:38:00 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-01 19:16:44 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-13 146680]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-08-26 4608]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-02-18 5406720]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-06-29 253997]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 225280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 483328]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 367912]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 237568]
c:\documents and settings\Shiva\Start Menu\Programs\Startup\
Screen Saver Control.lnk - c:\windows\FSScrCtl.exe [2008-08-15 327168]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-01-19 02:18 73728 c:\windows\system32\VESWinlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg30.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.LAGS"= lagarith.dll
"vidc.i420"= i420vfw.dll
"msacm.avis"= ff_acm.acm
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Shiva^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Shiva\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a--c--- 2003-11-08 05:51 184320 c:\program files\Apoint\Apoint.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CreateCD_Reminder]
--a--c--- 2004-07-16 23:47 53248 c:\windows\SONYSYS\VAIO Recovery\Reminder.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 17:30 15360 c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXM6Patch_981116]
--a--c--- 1998-12-01 04:34 497376 c:\windows\p_981116.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-02-23 06:04 126976 c:\windows\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a--c--- 2005-07-23 08:10 176128 c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-02-23 06:07 155648 c:\windows\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISBMgr.exe]
--a--c--- 2004-02-21 03:42 102400 c:\program files\Sony\ISB Utility\ISBMgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 367912 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 21:54 1763840 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2005-02-18 04:01 5406720 c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 483328 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SonyPowerCfg]
--a--c--- 2005-01-15 05:48 266240 c:\program files\Sony\VAIO Power Management\SPMgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
--a--c--- 2005-01-25 08:28 159744 c:\progra~1\Sony\SONICS~1\SSAAD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-13 01:03 146680 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Switcher.exe]
--a--c--- 2005-01-21 09:54 245760 c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-06-29 07:00 253997 c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
--a--c--- 2003-04-20 09:38 28672 c:\windows\SONYSYS\VAIO Recovery\PartSeal.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 2]
--a------ 2005-01-15 03:13 229376 c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a--c--- 2006-06-21 22:44 109056 c:\winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 17:30 110592 c:\windows\system32\bthprops.cpl
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE"=
"c:\\Program Files\\Sony\\VAIO Media 4.0\\Vc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe"=
"c:\\WINDOWS\\system32\\NeroCheck.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\WINDOWS\\ALCMTR.EXE"=
"c:\\WINDOWS\\system32\\userinit.exe"=
"c:\\Program Files\\Alcohol Soft\\Alcohol 120\\AxCmd.bin"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"c:\\Program Files\\DAEMON Tools Lite\\daemon.exe"=
"c:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=
"c:\\Program Files\\Adobe\\Adobe Audition 3.0\\Audition.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\WINDOWS\\FSScrCtl.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE"=
"c:\\DOCUME~1\\Shiva\\LOCALS~1\\Temp\\windbuyd.exe"=
"c:\\DOCUME~1\\Shiva\\LOCALS~1\\Temp\\mvtaqb.exe"=
"c:\\DOCUME~1\\Shiva\\LOCALS~1\\Temp\\roxpk.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2006-09-13 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2006-09-13 3904]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2005-03-18 71961]
S3 DCamUSBSony4;Sony Visual Communication Camera;c:\windows\system32\drivers\snyucam4.sys [2005-07-01 424127]
S3 DCamUSBSonyA4;Sony USB Microphone;c:\windows\system32\drivers\snyuflt4.sys [2005-07-01 6019]
S3 mlnxfltr;mlnxfltr;c:\windows\system32\drivers\mlnxfltr.sys [2005-07-04 9984]
S3 MultiLINX;MultiLINX;c:\windows\system32\drivers\mltlnx.sys [2005-07-04 11811]
S3 w200bus;Sony Ericsson W200 driver (WDM);c:\windows\system32\drivers\w200bus.sys [2008-12-21 61504]
S3 w200mdfl;Sony Ericsson W200 USB WMC Modem Filter;c:\windows\system32\drivers\w200mdfl.sys [2008-12-21 9328]
S3 w200mdm;Sony Ericsson W200 USB WMC Modem Driver;c:\windows\system32\drivers\w200mdm.sys [2008-12-21 97056]
S3 w200mgmt;Sony Ericsson W200 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w200mgmt.sys [2008-12-21 88560]
S3 w200obex;Sony Ericsson W200 USB WMC OBEX Interface;c:\windows\system32\drivers\w200obex.sys [2008-12-21 86368]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ASC3360PR
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea9c8f28-e84a-11dc-898e-00014a829daa}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2009-03-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-AlcFDMonitor - c:\windows\ALCFDRTM.EXE
.
------- Supplementary Scan -------
.
uStart Page = hxxp://gmail.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Transfer by Image Converter 2 - c:\program files\Sony\Image Converter 2\menu.htm
Trusted Zone: aol.com\free
FF - ProfilePath -
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.link.open_newwindow.ui", 3); // prefs UI version
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromString", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromStream", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.disable_window_open_feature.status", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("advanced.always_load_images", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.protocol-handler.external.help", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN_show_punycode", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.version",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.extensions.version", "1.0");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.build_id",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.autoUpdateEnabled", true); // Whether or not background app updates
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.url", "chrome://mozapps/locale/update/update.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.updatesAvailable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.lastUpdateDate", 0); // UTC offset when last App update was
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.performed", false); // Whether or not an update has been
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdateEnabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdate", false); // Automatically download and install
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.interval", 604800000); // Check for updates to Extensions and
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.lastUpdateDate", 0); // UTC offset when last Extension/Theme
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.severity.threshold", 5);// The number of pending Extension/Theme
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.count", 0); // The number of extension/theme/etc
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.interval", 3600000); // Check each of the above intervals
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.showSlidingNotification", true); // Windows-only slide-up taskbar
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.severity", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendorSub",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.update.resetHomepage", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://browser/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://browser/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("pfs.datasource.url", "chrome://mozapps/locale/plugins/plugins.properties");
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-31 10:10:30
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1482251334-1830561315-212462575-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b4,6a,23,32,f6,90,d5,4b,23,be,b6,60,9a,05,ec,4d,e6,39,cf,71,06,97,67,
23,fc,7f,e4,9b,63,96,18,d9,71,08,da,36,0b,68,a2,17,48,87,96,27,19,25,17,68,\
"??"=hex:cc,f4,94,dc,38,7e,ce,e1,4d,0b,ff,0c,d9,86,71,4c
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ�•€|ù•A~�*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(772)
c:\windows\system32\VESWinlogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Teleca Shared\CapabilityManager.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
c:\docume~1\Shiva\LOCALS~1\temp\windbuyd.exe
c:\docume~1\Shiva\LOCALS~1\temp\mvtaqb.exe
c:\docume~1\Shiva\LOCALS~1\temp\roxpk.exe
.
**************************************************************************
.
Completion time: 2009-03-31 10:15:57 - machine was rebooted [Shiva]
ComboFix-quarantined-files.txt 2009-03-31 04:45:54
ComboFix2.txt 2009-03-27 06:58:00
Pre-Run: 6,019,616,768 bytes free
Post-Run: 5,814,976,512 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /PAE
341 --- E O F --- 2008-01-09 06:04:53
Hi katana,
I am not able to open kaspersky, the page is not loading.
Custom CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
File::
c:\docume~1\Shiva\LOCALS~1\temp\windbuyd.exe
c:\docume~1\Shiva\LOCALS~1\temp\mvtaqb.exe
c:\docume~1\Shiva\LOCALS~1\temp\roxpk.exe
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\ALCMTR.EXE"=-
"c:\\WINDOWS\\system32\\userinit.exe"=-
"c:\\WINDOWS\\FSScrCtl.exe"=-
"c:\\DOCUME~1\\Shiva\\LOCALS~1\\Temp\\windbuyd.exe"=-
"c:\\DOCUME~1\\Shiva\\LOCALS~1\\Temp\\mvtaqb.exe"=-
"c:\\DOCUME~1\\Shiva\\LOCALS~1\\Temp\\roxpk.exe"=-
ADS::
Save this as CFScript.txt and place it on your desktop.
http://i51.photobucket.com/albums/f387/Katana_1970/CFScriptb.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
Active Scan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Please go to this site Link >> ActiveScan (http://www.pandasecurity.com/activescan/index/) << LINK
Click the Scan Now button
Follow the prompts to install the Active X if necessary
Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
When the scan is finished, a report will be generated
Next to Scan Details click the small export to notepad button and save the report to your desktop.
Please post the report in your reply.
yukukuhi
2009-04-04, 17:12
ComboFix 09-04-03.01 - Shiva 2009-04-07 12:35:52.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.216 [GMT 5.5:30]
Running from: c:\documents and settings\Shiva\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Shiva\Desktop\CFScript.txt
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
FILE ::
c:\docume~1\Shiva\LOCALS~1\temp\mvtaqb.exe
c:\docume~1\Shiva\LOCALS~1\temp\roxpk.exe
c:\docume~1\Shiva\LOCALS~1\temp\windbuyd.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ASC3360PR
-------\Service_asc3360pr
((((((((((((((((((((((((( Files Created from 2009-03-07 to 2009-04-07 )))))))))))))))))))))))))))))))
.
2009-04-05 14:38 . 2009-04-05 14:38 136,476 --a------ c:\program files\AMVapp-uninst.exe
2009-04-05 14:37 . 2009-04-05 14:37 149,815 --a------ c:\program files\Premiere AVS Plugin uninst.exe
2009-03-31 09:42 . 2009-03-31 09:31 63,049,904 --a------ C:\avgfree.exe
2009-03-31 08:54 . 2009-03-31 08:54 <DIR> d--hs---- c:\documents and settings\Shiva\UserData
2009-03-30 12:23 . 2009-04-06 19:51 <DIR> d-------- C:\Adobe Audition Temp
2009-03-15 16:11 . 2009-03-31 09:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg7
2009-03-12 20:25 . 2009-03-18 09:41 <DIR> d-------- c:\program files\ffdshow
2009-03-12 20:25 . 2007-12-24 13:49 7,680 --a------ c:\windows\system32\ff_vfw.dll
2009-03-12 20:25 . 2007-12-07 18:28 6,144 --a------ c:\windows\system32\ff_acm.acm
2009-03-12 20:25 . 2007-07-10 17:10 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-05 09:08 --------- d-----w c:\program files\AMVapp
2009-04-05 09:06 --------- d-----w c:\program files\AviSynth 2.5
2009-04-04 15:20 --------- d-----w c:\documents and settings\Shiva\Application Data\U3
2009-03-31 03:22 --------- d-----w c:\program files\Google
2009-03-29 14:15 --------- d-----w c:\program files\Xvid
2009-03-24 04:00 98,304 ----a-w c:\windows\DUMP7213.tmp
2009-03-21 10:57 --------- d-----w c:\documents and settings\Shiva\Application Data\VideoReDo-TVSuite
2009-03-21 10:52 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-16 16:54 --------- d-----w c:\documents and settings\LocalService\Application Data\Sony Corporation
2009-03-15 11:19 --------- d-----w c:\program files\Common Files\Adobe
2009-03-15 10:39 --------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2009-03-04 14:55 --------- d-----w c:\program files\GordianKnot
2007-07-20 03:42 356,352 -c--a-w c:\documents and settings\Shiva\cwshredder.dll
2006-04-08 16:05 111,232 -c--a-w c:\documents and settings\Shiva\g2mdlhlpx.exe
2004-05-08 06:41 122,993 ----a-w c:\program files\Premiere AVS GUI.exe
2004-05-06 21:57 57,344 ----a-w c:\program files\IM-Avisynth.prm
2005-05-11 17:28 94,208 -c--a-w c:\program files\mozilla firefox\components\BrandRes.dll
2005-05-11 17:28 150,912 -c--a-w c:\program files\mozilla firefox\components\fullsoft.dll
2005-05-11 17:28 41,573 -c--a-w c:\program files\mozilla firefox\components\jar50.dll
2005-05-11 17:28 48,223 -c--a-w c:\program files\mozilla firefox\components\jsd3250.dll
2005-05-11 17:28 8,813 -c--a-w c:\program files\mozilla firefox\components\qfaservices.dll
2005-05-11 17:28 159,335 -c--a-w c:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-03-27_12.26.11.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-15 10:58:22 249,344 ----a-w c:\windows\FSScrCtl.exe
+ 2008-08-15 10:58:22 327,168 ----a-w c:\windows\FSScrCtl.exe
- 2006-10-10 12:44:50 557,568 -c----w c:\windows\network diagnostic\xpnetdiag.exe
+ 2006-10-10 12:44:50 631,296 -c----w c:\windows\network diagnostic\xpnetdiag.exe
- 2009-03-12 14:48:33 35,365 ----a-w c:\windows\system32\uninstHelixYUV.exe
+ 2009-04-05 09:08:27 35,365 ----a-w c:\windows\system32\uninstHelixYUV.exe
+ 2006-12-01 17:26:00 96,256 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2006-12-01 18:55:52 1,101,824 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2006-12-01 18:55:56 1,093,120 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-01 18:55:58 69,632 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-01 18:56:00 57,856 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-01 18:38:00 40,960 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-01 18:38:00 45,056 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-01 18:38:00 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-01 18:38:00 57,344 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-01 18:38:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-01 18:38:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-01 18:38:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-01 18:38:00 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-01 18:38:00 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-01 19:16:44 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-13 146680]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-08-26 4608]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-02-18 5406720]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 225280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 483328]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 367912]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 237568]
c:\documents and settings\Shiva\Start Menu\Programs\Startup\
Screen Saver Control.lnk - c:\windows\FSScrCtl.exe [2008-08-15 327168]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-01-19 02:18 73728 c:\windows\system32\VESWinlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg30.dll
"msacm.avis"= ff_acm.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.LAGS"= lagarith.dll
"vidc.i420"= i420vfw.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Shiva^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Shiva\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a--c--- 2003-11-08 05:51 184320 c:\program files\Apoint\Apoint.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CreateCD_Reminder]
--a--c--- 2004-07-16 23:47 53248 c:\windows\SONYSYS\VAIO Recovery\Reminder.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 17:30 15360 c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXM6Patch_981116]
--a--c--- 1998-12-01 04:34 497376 c:\windows\p_981116.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-02-23 06:04 126976 c:\windows\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a--c--- 2005-07-23 08:10 176128 c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-02-23 06:07 155648 c:\windows\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISBMgr.exe]
--a--c--- 2004-02-21 03:42 102400 c:\program files\Sony\ISB Utility\ISBMgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 367912 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 21:54 1763840 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2005-02-18 04:01 5406720 c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 483328 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SonyPowerCfg]
--a--c--- 2005-01-15 05:48 266240 c:\program files\Sony\VAIO Power Management\SPMgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
--a--c--- 2005-01-25 08:28 159744 c:\progra~1\Sony\SONICS~1\SSAAD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-13 01:03 146680 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Switcher.exe]
--a--c--- 2005-01-21 09:54 245760 c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-06-29 07:00 253997 c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
--a--c--- 2003-04-20 09:38 28672 c:\windows\SONYSYS\VAIO Recovery\PartSeal.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 2]
--a------ 2005-01-15 03:13 229376 c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a--c--- 2006-06-21 22:44 109056 c:\winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 17:30 110592 c:\windows\system32\bthprops.cpl
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE"=
"c:\\Program Files\\Sony\\VAIO Media 4.0\\Vc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe"=
"c:\\WINDOWS\\system32\\NeroCheck.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\Program Files\\Alcohol Soft\\Alcohol 120\\AxCmd.bin"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"c:\\Program Files\\DAEMON Tools Lite\\daemon.exe"=
"c:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=
"c:\\Program Files\\Adobe\\Adobe Audition 3.0\\Audition.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\DOCUME~1\\Shiva\\LOCALS~1\\Temp\\trvqas.exe"=
"c:\\DOCUME~1\\Shiva\\LOCALS~1\\Temp\\bnwu.exe"=
"c:\\DOCUME~1\\Shiva\\LOCALS~1\\Temp\\winveap.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2006-09-13 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2006-09-13 3904]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2005-03-18 71961]
S3 DCamUSBSony4;Sony Visual Communication Camera;c:\windows\system32\drivers\snyucam4.sys [2005-07-01 424127]
S3 DCamUSBSonyA4;Sony USB Microphone;c:\windows\system32\drivers\snyuflt4.sys [2005-07-01 6019]
S3 mlnxfltr;mlnxfltr;c:\windows\system32\drivers\mlnxfltr.sys [2005-07-04 9984]
S3 MultiLINX;MultiLINX;c:\windows\system32\drivers\mltlnx.sys [2005-07-04 11811]
S3 w200bus;Sony Ericsson W200 driver (WDM);c:\windows\system32\drivers\w200bus.sys [2008-12-21 61504]
S3 w200mdfl;Sony Ericsson W200 USB WMC Modem Filter;c:\windows\system32\drivers\w200mdfl.sys [2008-12-21 9328]
S3 w200mdm;Sony Ericsson W200 USB WMC Modem Driver;c:\windows\system32\drivers\w200mdm.sys [2008-12-21 97056]
S3 w200mgmt;Sony Ericsson W200 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w200mgmt.sys [2008-12-21 88560]
S3 w200obex;Sony Ericsson W200 USB WMC OBEX Interface;c:\windows\system32\drivers\w200obex.sys [2008-12-21 86368]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ASC3360PR
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea9c8f28-e84a-11dc-898e-00014a829daa}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2009-03-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://gmail.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Transfer by Image Converter 2 - c:\program files\Sony\Image Converter 2\menu.htm
Trusted Zone: aol.com\free
FF - ProfilePath -
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.link.open_newwindow.ui", 3); // prefs UI version
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromString", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromStream", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.disable_window_open_feature.status", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("advanced.always_load_images", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.protocol-handler.external.help", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN_show_punycode", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.version",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.extensions.version", "1.0");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.build_id",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.autoUpdateEnabled", true); // Whether or not background app updates
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.url", "chrome://mozapps/locale/update/update.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.updatesAvailable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.lastUpdateDate", 0); // UTC offset when last App update was
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.performed", false); // Whether or not an update has been
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdateEnabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdate", false); // Automatically download and install
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.interval", 604800000); // Check for updates to Extensions and
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.lastUpdateDate", 0); // UTC offset when last Extension/Theme
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.severity.threshold", 5);// The number of pending Extension/Theme
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.count", 0); // The number of extension/theme/etc
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.interval", 3600000); // Check each of the above intervals
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.showSlidingNotification", true); // Windows-only slide-up taskbar
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.severity", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendorSub",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.update.resetHomepage", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://browser/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://browser/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("pfs.datasource.url", "chrome://mozapps/locale/plugins/plugins.properties");
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-07 12:44:25
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1482251334-1830561315-212462575-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b4,6a,23,32,f6,90,d5,4b,23,be,b6,60,9a,05,ec,4d,e6,39,cf,71,06,97,67,
23,fc,7f,e4,9b,63,96,18,d9,71,08,da,36,0b,68,a2,17,48,87,96,27,19,25,17,68,\
"??"=hex:cc,f4,94,dc,38,7e,ce,e1,4d,0b,ff,0c,d9,86,71,4c
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ�•€|ù•A~�*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(772)
c:\windows\system32\VESWinlogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Teleca Shared\CapabilityManager.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
c:\docume~1\Shiva\LOCALS~1\temp\trvqas.exe
c:\docume~1\Shiva\LOCALS~1\temp\bnwu.exe
c:\docume~1\Shiva\LOCALS~1\temp\winveap.exe
.
**************************************************************************
.
Completion time: 2009-04-07 12:51:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-07 07:21:10
ComboFix2.txt 2009-03-27 06:58:00
Pre-Run: 5,623,574,528 bytes free
Post-Run: 5,413,687,296 bytes free
335 --- E O F --- 2008-01-09 06:04:53
Sorry katana, but i am not able to run Active scan it's keep getting stuck.
OTMoveIt
Please download OTMoveIt3 by OldTimer (http://oldtimer.geekstogo.com/OTMoveIt3.exe) and save it to your desktop
Double-click OTMoveIt3.exe to run it.
Copy the lines in the codebox below. ( Make sure you include :Processes )
:Processes
explorer.exe
:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE"=-
"c:\\DOCUME~1\\Shiva\\LOCALS~1\\Temp\\trvqas.exe"=-
"c:\\DOCUME~1\\Shiva\\LOCALS~1\\Temp\\bnwu.exe"=-
"c:\\DOCUME~1\\Shiva\\LOCALS~1\\Temp\\winveap.exe"=-
:Files
c:\docume~1\Shiva\LOCALS~1\temp\mvtaqb.exe
c:\docume~1\Shiva\LOCALS~1\temp\roxpk.exe
c:\docume~1\Shiva\LOCALS~1\temp\windbuyd.exe
:Commands
[Purity]
[EmptyTemp]
[Start Explorer]
[Reboot]
Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
- Close ALL open windows (especially Internet Explorer!)-
Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Please Download GMER to your desktop
Download GMER (http://www.gmer.net/gmer.zip) and extract it to your desktop.
***Please close any open programs ***
Double-click gmer.exe. The program will begin to run.
**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised by a trained Security Analyst
If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click Yes.
Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.
GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked. Click the Scan button and let the program do its work. GMER will produce a log.
Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !
Please post the results from the GMER scan in your reply.
yukukuhi
2009-04-07, 09:52
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List\\c:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List\\c:\DOCUME~1\Shiva\LOCALS~1\Temp\trvqas.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List\\c:\DOCUME~1\Shiva\LOCALS~1\Temp\bnwu.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List\\c:\DOCUME~1\Shiva\LOCALS~1\Temp\winveap.exe deleted successfully.
========== FILES ==========
File/Folder c:\docume~1\Shiva\LOCALS~1\temp\mvtaqb.exe not found.
File/Folder c:\docume~1\Shiva\LOCALS~1\temp\roxpk.exe not found.
File/Folder c:\docume~1\Shiva\LOCALS~1\temp\windbuyd.exe not found.
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Shiva\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\JET2FEB.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\JET2FFA.tmp scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully
OTMoveIt3 by OldTimer - Version 1.0.10.0 log created on 04062009_195014
Files moved on Reboot...
File C:\WINDOWS\temp\JET2FEB.tmp not found!
File C:\WINDOWS\temp\JET2FFA.tmp not found!
GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-06 22:09:58
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.15 ----
SSDT spjw.sys ZwCreateKey [0xF84670E0]
SSDT spjw.sys ZwEnumerateKey [0xF8485CA2]
SSDT spjw.sys ZwEnumerateValueKey [0xF8486030]
SSDT spjw.sys ZwOpenKey [0xF84670C0]
SSDT spjw.sys ZwQueryKey [0xF8486108]
SSDT spjw.sys ZwQueryValueKey [0xF8485F88]
SSDT spjw.sys ZwSetValueKey [0xF848619A]
INT 0x62 ? 82DDCBF8
INT 0x63 ? 82DDCBF8
INT 0x84 ? 82B80BF8
INT 0x94 ? 82B80BF8
INT 0xB1 ? 82DDFBF8
INT 0xB1 ? 82DDFBF8
---- Kernel code sections - GMER 1.0.15 ----
? spjw.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F750A62C 5 Bytes JMP 82B801D8
.text aehuoxfi.SYS F7103384 1 Byte [20]
.text aehuoxfi.SYS F7103384 37 Bytes [20, 00, 00, 68, 00, 00, 00, ...]
.text aehuoxfi.SYS F71033AA 24 Bytes [00, 00, 20, 00, 00, E0, 00, ...]
.text aehuoxfi.SYS F71033C4 3 Bytes [00, 00, 00]
.text aehuoxfi.SYS F71033C9 1 Byte [00]
.text ...
.text asuxia94.SYS F7087386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text asuxia94.SYS F70873AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text asuxia94.SYS F70873C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text asuxia94.SYS F70873C9 1 Byte [2E]
.text asuxia94.SYS F70873C9 11 Bytes [2E, 00, 00, 00, 5A, 02, 00, ...]
.text ...
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F8468040] spjw.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F846813C] spjw.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F84680BE] spjw.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F84687FC] spjw.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F84686D2] spjw.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F8478048] spjw.sys
IAT \SystemRoot\System32\Drivers\aehuoxfi.SYS[HAL.dll!KfAcquireSpinLock] 0A64D90F
IAT \SystemRoot\System32\Drivers\aehuoxfi.SYS[HAL.dll!READ_PORT_UCHAR] 046FD406
IAT \SystemRoot\System32\Drivers\aehuoxfi.SYS[HAL.dll!KeGetCurrentIrql] 1672C31D
IAT \SystemRoot\System32\Drivers\aehuoxfi.SYS[HAL.dll!KfRaiseIrql] 1879CE14
IAT \SystemRoot\System32\Drivers\aehuoxfi.SYS[HAL.dll!KfLowerIrql] 3248ED2B
IAT \SystemRoot\System32\Drivers\aehuoxfi.SYS[HAL.dll!HalGetInterruptVector] 3C43E022
IAT \SystemRoot\System32\Drivers\aehuoxfi.SYS[HAL.dll!HalTranslateBusAddress] 2E5EF739
IAT \SystemRoot\System32\Drivers\aehuoxfi.SYS[HAL.dll!KeStallExecutionProcessor] 2055FA30
IAT \SystemRoot\System32\Drivers\aehuoxfi.SYS[HAL.dll!KfReleaseSpinLock] EC01B79A
IAT \SystemRoot\System32\Drivers\aehuoxfi.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] E20ABA93
IAT \SystemRoot\System32\Drivers\aehuoxfi.SYS[HAL.dll!READ_PORT_USHORT] F017AD88
IAT \SystemRoot\System32\Drivers\aehuoxfi.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] FE1CA081
IAT \SystemRoot\System32\Drivers\aehuoxfi.SYS[HAL.dll!WRITE_PORT_UCHAR] D42D83BE
IAT \SystemRoot\System32\Drivers\aehuoxfi.SYS[WMILIB.SYS!WmiSystemControl] C83B99AC
IAT \SystemRoot\System32\Drivers\aehuoxfi.SYS[WMILIB.SYS!WmiCompleteRequest] C63094A5
IAT \SystemRoot\System32\Drivers\asuxia94.SYS[HAL.dll!KfAcquireSpinLock] 4B8BDF8B
IAT \SystemRoot\System32\Drivers\asuxia94.SYS[HAL.dll!READ_PORT_UCHAR] 8D3F0304
IAT \SystemRoot\System32\Drivers\asuxia94.SYS[HAL.dll!KeGetCurrentIrql] CB033043
IAT \SystemRoot\System32\Drivers\asuxia94.SYS[HAL.dll!KfRaiseIrql] 0673C13B
IAT \SystemRoot\System32\Drivers\asuxia94.SYS[HAL.dll!KfLowerIrql] C13B0003
IAT \SystemRoot\System32\Drivers\asuxia94.SYS[HAL.dll!HalGetInterruptVector] 8366FA72
IAT \SystemRoot\System32\Drivers\asuxia94.SYS[HAL.dll!HalTranslateBusAddress] 75000E7B
IAT \SystemRoot\System32\Drivers\asuxia94.SYS[HAL.dll!KeStallExecutionProcessor] 0B7D80E3
IAT \SystemRoot\System32\Drivers\asuxia94.SYS[HAL.dll!KfReleaseSpinLock] 307B8D00
IAT \SystemRoot\System32\Drivers\asuxia94.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 00AA840F
IAT \SystemRoot\System32\Drivers\asuxia94.SYS[HAL.dll!READ_PORT_USHORT] 83660000
IAT \SystemRoot\System32\Drivers\asuxia94.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 6A000E7A
IAT \SystemRoot\System32\Drivers\asuxia94.SYS[HAL.dll!WRITE_PORT_UCHAR] C6647400
IAT \SystemRoot\System32\Drivers\asuxia94.SYS[WMILIB.SYS!WmiSystemControl] 4F8B0200
IAT \SystemRoot\System32\Drivers\asuxia94.SYS[WMILIB.SYS!WmiCompleteRequest] 968D5140
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 82DDB1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{D5E7C05A-A09E-4532-B7BE-422DBD665EEA} 820011F8
Device \Driver\usbuhci \Device\USBPDO-0 82B7F1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 82D701F8
Device \Driver\dmio \Device\DmControl\DmConfig 82D701F8
Device \Driver\dmio \Device\DmControl\DmPnP 82D701F8
Device \Driver\dmio \Device\DmControl\DmInfo 82D701F8
Device \Driver\usbuhci \Device\USBPDO-1 82B7F1F8
Device \Driver\usbuhci \Device\USBPDO-2 82B7F1F8
Device \Driver\usbuhci \Device\USBPDO-3 82B7F1F8
Device \Driver\usbehci \Device\USBPDO-4 82B7E1F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 82DDD1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 82DDD1F8
Device \Driver\Cdrom \Device\CdRom0 82AC01F8
Device \Driver\Cdrom \Device\CdRom1 82AC01F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 82DDC1F8
Device \Driver\atapi \Device\Ide\IdePort0 82DDC1F8
Device \Driver\atapi \Device\Ide\IdePort1 82DDC1F8
Device \Driver\atapi \Device\Ide\IdePort2 82DDC1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 82DDC1F8
Device \Driver\sptd \Device\4175038302 spjw.sys
Device \Driver\NetBT \Device\NetBt_Wins_Export 820011F8
Device \Driver\NetBT \Device\NetbiosSmb 820011F8
Device \Driver\PCI_PNP9552 \Device\0000004d spjw.sys
Device \Driver\PCI_PNP9552 \Device\0000004e spjw.sys
Device \Driver\NetBT \Device\NetBT_Tcpip_{6A4E9049-8141-48FF-99B9-668E853F0A44} 820011F8
Device \Driver\usbuhci \Device\USBFDO-0 82B7F1F8
Device \Driver\usbuhci \Device\USBFDO-1 82B7F1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 81F5A1F8
Device \Driver\usbuhci \Device\USBFDO-2 82B7F1F8
Device 81F5A1F8
Device \Driver\usbuhci \Device\USBFDO-3 82B7F1F8
Device \Driver\usbehci \Device\USBFDO-4 82B7E1F8
Device \Driver\Ftdisk \Device\FtControl 82DDD1F8
Device \Driver\aehuoxfi \Device\Scsi\aehuoxfi1 82AB51F8
Device \Driver\asuxia94 \Device\Scsi\asuxia941Port3Path0Target0Lun0 82A3E1F8
Device \Driver\asuxia94 \Device\Scsi\asuxia941 82A3E1F8
Device \Driver\sptd \Device\4174882052 spjw.sys
Device \FileSystem\Cdfs \Cdfs 82A7E308
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00014a153d44
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x7F 0x2C 0x3D 0x57 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x71 0xA5 0xCD 0xB5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xDE 0x7E 0xCF 0x4D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x43 0x44 0x4D 0xFD ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00014a153d44
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x7F 0x2C 0x3D 0x57 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x71 0xA5 0xCD 0xB5 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xDE 0x7E 0xCF 0x4D ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x43 0x44 0x4D 0xFD ...
---- EOF - GMER 1.0.15 ----
How are things running ?
Download and Run ComboFix
Please delete the copy of ComboFix that you have and download an updated copy from one of the links below
Please visit this webpage for instructions on using ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
ComboFix.exe 1 (http://subs.geekstogo.com/ComboFix.exe)
ComboFix.exe 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
ComboFix.exe 3 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix..
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
ComboFix SHOULD NOT be used unless requested by a forum helper
yukukuhi
2009-04-11, 16:30
ComboFix 09-04-04.01 - Shiva 2009-04-09 15:51:29.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.181 [GMT 5.5:30]
Running from: c:\documents and settings\Shiva\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ASC3360PR
-------\Service_asc3360pr
((((((((((((((((((((((((( Files Created from 2009-03-09 to 2009-04-09 )))))))))))))))))))))))))))))))
.
2009-04-08 09:36 . 2009-04-06 11:23 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-04-08 09:36 . 2009-04-08 09:36 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-04-08 09:36 . 2009-04-08 09:36 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-04-08 09:35 . 2009-04-08 09:35 <DIR> d-------- c:\program files\AVG
2009-04-08 09:35 . 2009-04-08 09:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-04-07 20:37 . 2009-04-07 20:39 <DIR> d-------- c:\program files\VirtualDub-1.8.8
2009-04-07 20:25 . 2009-04-07 20:25 58,652 --a------ c:\program files\AMVapp-uninst.exe
2009-04-07 20:24 . 2009-04-07 20:24 67,895 --a------ c:\program files\Premiere AVS Plugin uninst.exe
2009-04-07 20:12 . 2009-04-07 20:12 <DIR> d-------- c:\documents and settings\Shiva\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-04-07 20:10 . 2009-04-07 20:10 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-04-07 19:45 . 2008-06-19 16:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-04-07 13:19 . 2009-04-07 19:45 <DIR> d-------- c:\program files\Panda Security
2009-04-06 13:07 . 2008-09-24 20:41 839,680 --a------ c:\windows\system32\LameACM.acm
2009-04-06 13:07 . 2002-04-07 11:17 414 -ra------ c:\windows\system32\lame_acm.xml
2009-04-05 09:41 . 2009-04-07 00:20 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-31 08:54 . 2009-03-31 08:54 <DIR> d--hs---- c:\documents and settings\Shiva\UserData
2009-03-30 12:23 . 2009-04-08 19:24 <DIR> d-------- C:\Adobe Audition Temp
2009-03-12 20:25 . 2009-03-18 09:41 <DIR> d-------- c:\program files\ffdshow
2009-03-12 20:25 . 2007-12-24 13:49 7,680 --a------ c:\windows\system32\ff_vfw.dll
2009-03-12 20:25 . 2007-12-07 18:28 6,144 --a------ c:\windows\system32\ff_acm.acm
2009-03-12 20:25 . 2007-07-10 17:10 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-09 10:01 --------- d-----w c:\documents and settings\Shiva\Application Data\U3
2009-04-09 09:57 --------- d-----w c:\program files\Common Files\Adobe
2009-04-09 08:34 --------- d-----w c:\documents and settings\Shiva\Application Data\VideoReDo-TVSuite
2009-04-09 08:33 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-07 14:59 --------- d-----w c:\program files\AviSynth 2.5
2009-04-07 14:54 --------- d-----w c:\program files\AMVapp
2009-04-05 05:55 --------- d-----w c:\program files\VideoReDoTVSuite
2009-04-05 05:44 --------- d-----w c:\program files\QuickTime
2009-04-05 05:44 --------- d-----w c:\program files\Quicken
2009-04-05 05:37 --------- d-----w c:\program files\Microsoft Works
2009-04-05 05:29 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-05 05:25 --------- d-----w c:\program files\Google
2009-04-05 05:25 --------- d-----w c:\program files\DVD Decrypter
2009-04-05 05:12 --------- d-----w c:\program files\Apple Software Update
2009-04-05 05:12 --------- d-----w c:\program files\Apoint
2009-04-05 04:52 27,648 -c--a-w c:\documents and settings\Shiva\g2mdlhlpx.exe
2009-04-05 04:26 --------- d-----w c:\program files\iTunes
2009-04-05 04:24 --------- d-----w c:\program files\GordianKnot
2009-03-29 14:15 --------- d-----w c:\program files\Xvid
2009-03-24 04:00 98,304 ----a-w c:\windows\DUMP7213.tmp
2009-03-16 16:54 --------- d-----w c:\documents and settings\LocalService\Application Data\Sony Corporation
2009-03-15 10:39 --------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2007-07-20 03:42 356,352 -c--a-w c:\documents and settings\Shiva\cwshredder.dll
2004-05-08 06:41 53,361 ----a-w c:\program files\Premiere AVS GUI.exe
2004-05-06 21:57 57,344 ----a-w c:\program files\IM-Avisynth.prm
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-08-26 4608]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-02-18 5406720]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-04-05 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-08 1932568]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
c:\documents and settings\Shiva\Start Menu\Programs\Startup\
Screen Saver Control.lnk - c:\windows\QStart.exe [2008-08-15 25600]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-08 09:36 10520 c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-01-19 02:18 73728 c:\windows\system32\VESWinlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg30.dll
"msacm.avis"= ff_acm.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.LAGS"= lagarith.dll
"vidc.i420"= i420vfw.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Shiva^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Shiva\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a--c--- 2009-04-05 10:42 114688 c:\program files\Apoint\Apoint.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CreateCD_Reminder]
--a--c--- 2004-07-16 23:47 53248 c:\windows\SONYSYS\VAIO Recovery\Reminder.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 17:30 15360 c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXM6Patch_981116]
--a--c--- 1998-12-01 04:34 497376 c:\windows\p_981116.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-02-23 06:04 126976 c:\windows\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a--c--- 2005-07-23 08:10 176128 c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-02-23 06:07 155648 c:\windows\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2009-04-05 10:59 1694208 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2005-02-18 04:01 5406720 c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-04-05 09:43 413696 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
--a--c--- 2009-04-05 11:22 81920 c:\progra~1\Sony\SONICS~1\SSAAD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Switcher.exe]
--a--c--- 2009-04-05 11:24 167936 c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
--a--c--- 2003-04-20 09:38 28672 c:\windows\SONYSYS\VAIO Recovery\PartSeal.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 2]
--a------ 2009-04-05 09:53 151552 c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 17:30 110592 c:\windows\system32\bthprops.cpl
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\Program Files\\Alcohol Soft\\Alcohol 120\\AxCmd.bin"=
"c:\\Program Files\\DAEMON Tools Lite\\daemon.exe"=
"c:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=
"c:\\Program Files\\Adobe\\Adobe Audition 3.0\\Audition.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-04-07 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-04-08 325640]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-08 298264]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2006-09-13 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2006-09-13 3904]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2005-03-18 71961]
S3 DCamUSBSony4;Sony Visual Communication Camera;c:\windows\system32\drivers\snyucam4.sys [2005-07-01 424127]
S3 DCamUSBSonyA4;Sony USB Microphone;c:\windows\system32\drivers\snyuflt4.sys [2005-07-01 6019]
S3 mlnxfltr;mlnxfltr;c:\windows\system32\drivers\mlnxfltr.sys [2005-07-04 9984]
S3 MultiLINX;MultiLINX;c:\windows\system32\drivers\mltlnx.sys [2005-07-04 11811]
S3 w200bus;Sony Ericsson W200 driver (WDM);c:\windows\system32\drivers\w200bus.sys [2008-12-21 61504]
S3 w200mdfl;Sony Ericsson W200 USB WMC Modem Filter;c:\windows\system32\drivers\w200mdfl.sys [2008-12-21 9328]
S3 w200mdm;Sony Ericsson W200 USB WMC Modem Driver;c:\windows\system32\drivers\w200mdm.sys [2008-12-21 97056]
S3 w200mgmt;Sony Ericsson W200 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w200mgmt.sys [2008-12-21 88560]
S3 w200obex;Sony Ericsson W200 USB WMC OBEX Interface;c:\windows\system32\drivers\w200obex.sys [2008-12-21 86368]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57b64336-239d-11de-8c38-00014a829daa}]
\shEll\AUtOpLAy\command - tgyvs.cmd
\shEll\AutoRun\command - tgyvs.cmd
\shEll\ExPLOre\COmmand - tgyvs.cmd
\shEll\opEn\COMmAnD - tgyvs.cmd
.
Contents of the 'Scheduled Tasks' folder
2009-03-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe []
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-NeroFilterCheck - c:\windows\system32\NeroCheck.exe
MSConfigStartUp-ISBMgr - c:\program files\Sony\ISB Utility\ISBMgr.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-SonyPowerCfg - c:\program files\Sony\VAIO Power Management\SPMgr.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-WinampAgent - c:\winamp\winampa.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://gmail.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Transfer by Image Converter 2 - c:\program files\Sony\Image Converter 2\menu.htm
Trusted Zone: aol.com\free
FF - ProfilePath - c:\documents and settings\Shiva\Application Data\Mozilla\Firefox\Profiles\g2mddhrr.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-09 16:00:15
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
c:\windows\explorer.exe [2492] 0x81C73B98
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1482251334-1830561315-212462575-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b4,6a,23,32,f6,90,d5,4b,23,be,b6,60,9a,05,ec,4d,e6,39,cf,71,06,97,67,
23,fc,7f,e4,9b,63,96,18,d9,71,08,da,36,0b,68,a2,17,48,87,96,27,19,25,17,68,\
"??"=hex:cc,f4,94,dc,38,7e,ce,e1,4d,0b,ff,0c,d9,86,71,4c
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ�•€|ù•A~�*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(776)
c:\windows\system32\VESWinlogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-09 16:05:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-09 10:35:37
Pre-Run: 5,824,225,280 bytes free
Post-Run: 5,912,584,192 bytes free
251 --- E O F --- 2008-01-09 06:04:53
The explorer.exe processes has come back again and i want to clarify with you of the window's task manager's process System. Before the malwares infected the laptop it was only using about 284k of memory usaage but now it's using about 64,116k. Is it because of the malwares or is it something else. Please Help.
You didn't disinfect all your USB drives
Panda USB and AutoRun Vaccine
Please visit Panda USB and AutoRun Vaccine (http://research.pandasecurity.com/archive/Panda-USB-and-AutoRun-Vaccine.aspx)
Download and use the tool to vacinate your computer and also any USB drives you have.
This will help prevent infection in the future.
----------------------------------------------------------- -----------------------------------------------------------
Please ensure that any USB/Flash/External drives are connected whilst we are cleaning your machine.
Custom CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57b64336-239d-11de-8c38-00014a829daa}]
RegNull::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ�•€|ù•A~�*]
ADS::
Save this as CFScript.txt and place it on your desktop.
http://i51.photobucket.com/albums/f387/Katana_1970/CFScriptb.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html
Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
**Note**
To optimize scanning time and produce a more sensible report for review: Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
yukukuhi
2009-04-19, 15:02
It didnt vaccinate the usb drive
ComboFix 09-04-14.08 - Shiva 04/14/2009 15:53.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.272 [GMT 5.5:30]
Running from: c:\documents and settings\Shiva\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Shiva\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2009-03-14 to 2009-04-14 )))))))))))))))))))))))))))))))
.
2009-04-08 04:06 . 2009-04-08 04:06 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-08 04:06 . 2009-04-08 04:06 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-08 04:06 . 2009-04-14 08:14 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-08 04:05 . 2009-04-08 04:05 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-07 14:42 . 2009-04-07 14:42 -------- d-----w c:\documents and settings\Shiva\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-04-07 14:15 . 2008-06-19 10:54 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-04-06 07:37 . 2002-04-07 05:47 414 ----a-r c:\windows\system32\lame_acm.xml
2009-04-06 07:37 . 2008-09-24 15:11 839680 ----a-w c:\windows\system32\LameACM.acm
2009-04-06 06:42 . 2009-04-06 06:42 -------- d-----w c:\documents and settings\Shiva\Local Settings\Application Data\Mozilla
2009-04-05 04:11 . 2009-04-06 18:50 -------- d--h--w C:\$AVG8.VAULT$
2009-03-31 03:24 . 2009-03-31 03:24 -------- d-sh--w c:\documents and settings\Shiva\UserData
2009-03-30 06:53 . 2009-04-14 07:55 -------- d-----w C:\Adobe Audition Temp
2009-03-19 14:51 . 2009-03-19 14:51 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-14 10:21 . 2008-03-02 11:22 -------- d-----w c:\documents and settings\Shiva\Application Data\U3
2009-04-09 09:57 . 2005-03-17 21:38 -------- d-----w c:\program files\Common Files\Adobe
2009-04-09 08:34 . 2008-10-12 13:41 -------- d-----w c:\documents and settings\Shiva\Application Data\VideoReDo-TVSuite
2009-04-09 08:33 . 2008-10-12 13:41 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-08 04:05 . 2009-04-08 04:05 -------- d-----w c:\program files\AVG
2009-04-07 15:09 . 2009-04-07 15:07 -------- d-----w c:\program files\VirtualDub-1.8.8
2009-04-07 14:59 . 2008-04-22 08:49 -------- d-----w c:\program files\AviSynth 2.5
2009-04-07 14:55 . 2009-04-07 14:55 58652 ----a-w c:\program files\AMVapp-uninst.exe
2009-04-07 14:55 . 2008-07-01 12:58 35365 ----a-w c:\windows\system32\uninstHelixYUV.exe
2009-04-07 14:54 . 2008-04-22 08:49 -------- d-----w c:\program files\AMVapp
2009-04-07 14:54 . 2009-04-07 14:54 67895 ----a-w c:\program files\Premiere AVS Plugin uninst.exe
2009-04-07 14:40 . 2009-04-07 14:40 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-07 14:15 . 2009-04-07 07:49 -------- d-----w c:\program files\Panda Security
2009-04-06 17:34 . 2005-03-17 22:09 79144 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-05 05:55 . 2008-10-12 13:41 -------- d-----w c:\program files\VideoReDoTVSuite
2009-04-05 05:44 . 2008-12-14 08:15 -------- d-----w c:\program files\QuickTime
2009-04-05 05:44 . 2005-05-30 23:15 -------- d-----w c:\program files\Quicken
2009-04-05 05:37 . 2005-05-30 23:03 -------- d-----w c:\program files\Microsoft Works
2009-04-05 05:29 . 2009-01-25 06:15 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-05 05:25 . 2005-03-17 21:39 -------- d-----w c:\program files\Google
2009-04-05 05:25 . 2008-08-11 05:20 -------- d-----w c:\program files\DVD Decrypter
2009-04-05 05:12 . 2006-11-25 04:39 -------- d-----w c:\program files\Apple Software Update
2009-04-05 05:12 . 2005-03-17 12:18 -------- d-----w c:\program files\Apoint
2009-04-05 04:52 . 2006-04-08 16:05 27648 -c--a-w c:\documents and settings\Shiva\g2mdlhlpx.exe
2009-04-05 04:26 . 2008-12-14 08:17 -------- d-----w c:\program files\iTunes
2009-04-05 04:24 . 2009-03-04 14:55 -------- d-----w c:\program files\GordianKnot
2009-03-29 14:15 . 2008-05-01 08:33 -------- d-----w c:\program files\Xvid
2009-03-26 10:24 . 2009-03-26 10:23 82 ----a-w C:\avgfree.exe.txt
2009-03-24 04:00 . 2005-05-30 22:50 98304 ----a-w c:\windows\DUMP7213.tmp
2009-03-18 04:11 . 2009-03-12 14:55 -------- d-----w c:\program files\ffdshow
2009-03-16 16:54 . 2008-02-20 08:16 -------- d-----w c:\documents and settings\LocalService\Application Data\Sony Corporation
2009-03-15 10:39 . 2008-03-03 12:37 -------- d-----w c:\documents and settings\All Users\Application Data\Grisoft
2009-02-22 12:11 . 2008-06-26 15:01 528288 ----a-w C:\video.pass
2007-07-20 03:42 . 2007-01-07 18:11 356352 -c--a-w c:\documents and settings\Shiva\cwshredder.dll
2005-12-23 18:56 . 2005-12-23 18:56 128 -c--a-w c:\documents and settings\Shiva\Local Settings\Application Data\fusioncache.dat
2005-03-17 22:09 . 2005-06-29 16:59 12328 -c--a-w c:\documents and settings\Shiva\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2004-05-08 06:41 . 2004-05-08 06:41 53361 ----a-w c:\program files\Premiere AVS GUI.exe
2004-05-06 21:57 . 2004-05-06 21:57 57344 ----a-w c:\program files\IM-Avisynth.prm
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-08-26 4608]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-02-17 5406720]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-04-05 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-08 1932568]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-11 34672]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
c:\documents and settings\Shiva\Start Menu\Programs\Startup\
Screen Saver Control.lnk - c:\windows\QStart.exe [2008-8-15 25600]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-08 04:06 10520 ----a-w c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-01-18 20:48 73728 ----a-w c:\windows\system32\VESWinlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg30.dll
"msacm.avis"= ff_acm.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.LAGS"= lagarith.dll
"vidc.i420"= i420vfw.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Shiva^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Shiva\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2009-04-05 05:12 114688 -c--a-w c:\program files\Apoint\Apoint.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CreateCD_Reminder]
2004-07-16 18:17 53248 -c--a-w c:\windows\Sonysys\VAIO Recovery\Reminder.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 12:00 15360 ----a-w c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXM6Patch_981116]
1998-11-30 23:04 497376 -c--a-w c:\windows\p_981116.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-02-23 00:34 126976 ----a-w c:\windows\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2005-07-23 02:40 176128 -c--a-w c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-02-23 00:37 155648 ----a-w c:\windows\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2009-04-05 05:29 1694208 ----a-w c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2005-02-17 22:31 5406720 ----a-w c:\windows\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-04-05 04:13 413696 ----a-w c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
2009-04-05 05:52 81920 -c--a-w c:\progra~1\Sony\SONICS~1\SSAAD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Switcher.exe]
2009-04-05 05:54 167936 -c--a-w c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
2003-04-20 04:08 28672 -c--a-w c:\windows\Sonysys\VAIO Recovery\PartSeal.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 2]
2009-04-05 04:23 151552 ----a-w c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2004-08-04 12:00 110592 ----a-w c:\windows\system32\bthprops.cpl
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\Program Files\\Alcohol Soft\\Alcohol 120\\AxCmd.bin"=
"c:\\Program Files\\DAEMON Tools Lite\\daemon.exe"=
"c:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=
"c:\\Program Files\\Adobe\\Adobe Audition 3.0\\Audition.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)
R3 DCamUSBSony4;Sony Visual Communication Camera;c:\windows\system32\DRIVERS\snyucam4.sys [2003-01-17 424127]
R3 DCamUSBSonyA4;Sony USB Microphone;c:\windows\system32\drivers\snyuflt4.sys [2003-01-17 6019]
R3 mlnxfltr;mlnxfltr;c:\windows\system32\drivers\mlnxfltr.sys [2004-07-22 9984]
R3 MultiLINX;MultiLINX;c:\windows\system32\drivers\mltlnx.sys [2004-07-22 11811]
R3 w200bus;Sony Ericsson W200 driver (WDM);c:\windows\system32\DRIVERS\w200bus.sys [2006-11-07 61504]
R3 w200mdfl;Sony Ericsson W200 USB WMC Modem Filter;c:\windows\system32\DRIVERS\w200mdfl.sys [2006-11-07 9328]
R3 w200mdm;Sony Ericsson W200 USB WMC Modem Driver;c:\windows\system32\DRIVERS\w200mdm.sys [2006-11-07 97056]
R3 w200mgmt;Sony Ericsson W200 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\w200mgmt.sys [2006-11-07 88560]
R3 w200obex;Sony Ericsson W200 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\w200obex.sys [2006-11-07 86368]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-08 325640]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-08 298264]
S2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 3744]
S2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 3904]
S3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\DRIVERS\SonyPI.sys [2003-06-19 71961]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://gmail.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Transfer by Image Converter 2 - c:\program files\Sony\Image Converter 2\menu.htm
Trusted Zone: aol.com\free
FF - ProfilePath - c:\documents and settings\Shiva\Application Data\Mozilla\Firefox\Profiles\g2mddhrr.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-14 15:58
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1482251334-1830561315-212462575-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b4,6a,23,32,f6,90,d5,4b,23,be,b6,60,9a,05,ec,4d,e6,39,cf,71,06,97,67,
23,fc,7f,e4,9b,63,96,18,d9,71,08,da,36,0b,68,a2,17,48,87,96,27,19,25,17,68,\
"??"=hex:cc,f4,94,dc,38,7e,ce,e1,4d,0b,ff,0c,d9,86,71,4c
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ�•€|ù•A~�*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\VESWinlogon.dll
- - - - - - - > 'explorer.exe'(524)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: ~,10time:~,-3
ComboFix-quarantined-files.txt 2009-04-14 10:30
Pre-Run: 10,638,618,624 bytes free
Post-Run: 10,755,690,496 bytes free
218 --- E O F --- 2008-01-09 06:04
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, April 14, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, April 14, 2009 11:49:19
Records in database: 2043277
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
E:\
F:\
G:\
R:\
S:\
Scan statistics:
Files scanned: 96620
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 02:04:10
File name / Threat name / Threats count
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\gconsync.exe Infected: Virus.Win32.Sality.aa 1
The selected area was scanned.
It didnt vaccinate the usb drive
What happened ?
Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Virus Total
Please visit Virustotal (http://www.virustotal.com/en/indexf.html)
Copy/paste the the following file path into the window
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\gconsync.exe
Click Submit/Send File
Please post back, to let me know the results.
If Virustotal is too busy please try Jotti (http://virusscan.jotti.org/)
How are things running now ?
yukukuhi
2009-04-26, 14:19
File gconsync.exe received on 04.26.2009 14:12:22 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.04.26 Virus.W32.Sality!IK
AhnLab-V3 5.0.0.2 2009.04.26 Win32/Kashu.B
AntiVir 7.9.0.156 2009.04.25 W32/Sality.Y
Antiy-AVL 2.0.3.1 2009.04.24 -
Authentium 5.1.2.4 2009.04.25 -
Avast 4.8.1335.0 2009.04.25 Win32:Sality
AVG 8.5.0.287 2009.04.25 -
BitDefender 7.2 2009.04.26 Gen:Win32.Sality.Dam
CAT-QuickHeal 10.00 2009.04.25 W32.Sality.U
ClamAV 0.94.1 2009.04.26 -
Comodo 1135 2009.04.25 -
DrWeb 4.44.0.09170 2009.04.26 Win32.Sector.17
eSafe 7.0.17.0 2009.04.23 -
eTrust-Vet 31.6.6475 2009.04.24 Win32/Sality.AA
F-Prot 4.4.4.56 2009.04.25 -
F-Secure 8.0.14470.0 2009.04.25 Virus.Win32.Sality.aa
Fortinet 3.117.0.0 2009.04.26 W32/Sality.AA
GData 19 2009.04.26 Gen:Win32.Sality.Dam
Ikarus T3.1.1.49.0 2009.04.26 Virus.W32.Sality
K7AntiVirus 7.10.716 2009.04.25 Virus.Win32.Sality.AA
Kaspersky 7.0.0.125 2009.04.26 Virus.Win32.Sality.aa
McAfee 5596 2009.04.25 W32/Sality.gen.b
McAfee+Artemis 5596 2009.04.25 W32/Sality.gen.b
McAfee-GW-Edition 6.7.6 2009.04.26 Win32.Sality.Y
Microsoft 1.4602 2009.04.26 -
NOD32 4035 2009.04.25 Win32/Sality.NAR
Norman 6.00.06 2009.04.24 -
nProtect 2009.1.8.0 2009.04.26 -
Panda 10.0.0.14 2009.04.26 -
PCTools 4.4.2.0 2009.04.26 -
Prevx1 3.0 2009.04.26 -
Rising 21.26.62.00 2009.04.26 Win32.KUKU.GEN
Sophos 4.41.0 2009.04.26 W32/Sality-AM
Sunbelt 3.2.1858.2 2009.04.24 -
Symantec 1.4.4.12 2009.04.26 W32.Sality.AE
TheHacker 6.3.4.1.314 2009.04.26 W32/Sality.gen
TrendMicro 8.700.0.1004 2009.04.25 Mal_Sality
VBA32 3.12.10.3 2009.04.25 -
ViRobot 2009.4.24.1708 2009.04.24 Win32.Sality.K
VirusBuster 4.6.5.0 2009.04.25 Win32.Sality.AO.Gen
Additional information
File size: 133136 bytes
MD5...: aa23054bf7be902885eb0ade9e1ed474
SHA1..: 5aa0a0c190bdd7e98b1c3b620d63d846f4b9194d
SHA256: 9063db98effe2b4a41146a3ec7f87b997a81f55f73e2f4e3b9ffa3bad91e5b73
SHA512: f56b7e33c050cef1b135f86fc800ba9e7c84ec7e54c5d7968252809861519ec8<br>47fcd19fa7998e69741f76db19474d472b9cc799d152afb17c9134a7061e1275
ssdeep: 3072:B0i8kP9pMZ2XDtieRWpeyHp/kEBU56Yrv/:BhPkmZdWp3HfW5zrv/<br>
PEiD..: -
TrID..: File type identification<br>Win64 Executable Generic (80.9%)<br>Win32 Executable Generic (8.0%)<br>Win32 Dynamic Link Library (generic) (7.1%)<br>Generic Win/DOS Executable (1.8%)<br>DOS Executable Generic (1.8%)
PEInfo: PE Structure information<br><br>( base data )<br>entrypointaddress.: 0x1000<br>timedatestamp.....: 0x48f7b6ec (Thu Oct 16 21:49:32 2008)<br>machinetype.......: 0x14c (I386)<br><br>( 7 sections )<br>name viradd virsiz rawdsiz ntrpy md5<br>.text 0x1000 0x2db4 0x2e00 5.64 710c333301a314161fb6ea35a5cef4e0<br>.data 0x4000 0xe30 0x1000 4.53 7af1d6a421f3356949163fa0453616de<br>.rdata 0x5000 0xe20 0x1000 4.39 da754ce0c1c4e4fd7c2b2b29c641d012<br>.bss 0x6000 0x80 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e<br>.idata 0x7000 0x1480 0x1600 4.23 88f7bd148b0724140f9b2bffa84d740e<br>.rsrc 0x9000 0x588 0x600 4.10 2975bb240802a00e0e92c3df965554b5<br>.cdata 0xa000 0x14000 0x14000 8.00 c31a214b32df40169caac76fd3557045<br><br>( 7 imports ) <br>> KERNEL32.dll: CloseHandle, ConnectNamedPipe, CreateEventA, CreateNamedPipeA, EnterCriticalSection, ExitProcess, GetLastError, GetSystemTimeAsFileTime, InitializeCriticalSection, LeaveCriticalSection, ReadFile, ResetEvent, SetNamedPipeHandleState, SetUnhandledExceptionFilter, TerminateProcess, WaitForSingleObject, WriteFile<br>> msvcrt.dll: __getmainargs, __p__environ, __p__fmode, __set_app_type, _cexit, _get_osfhandle, _getpid, _iob, _onexit, _setjmp, _setmode, atexit, calloc, fprintf, free, fwrite, malloc, memcpy, rand, signal, sprintf, strchr, strcpy, strlen<br>> YSFileShim.dll: _YSCreateFileA, _YSCreateProcessA<br>> libobjc.i386.A.dll: __objc_exec_class, __objc_exec_class_ref, objc_exception_extract, objc_exception_match, objc_exception_throw, objc_exception_try_enter, objc_exception_try_exit, objc_msgSend, objc_msgSendSuper<br>> CoreFoundation: CFDataCreate, CFDataGetBytePtr, CFDataGetBytes, CFDataGetLength, CFDictionaryAddValue, CFDictionaryCreateMutable, CFDictionaryGetValue, CFMakeCollectable, CFNumberCreate, CFPreferencesCopyValue, CFPreferencesGetAppIntegerValue, CFPreferencesSetValue, CFPreferencesSynchronize, CFPropertyListCreateFromXMLData, CFPropertyListCreateXMLData, CFRelease, __CFConstantStringClassReference, __objc_class_name_NSException, __objc_class_name_NSObject, kCFAllocatorDefault, kCFBooleanFalse, kCFBooleanTrue, kCFCopyStringDictionaryKeyCallBacks, kCFPreferencesAnyHost, kCFPreferencesCurrentHost, kCFPreferencesCurrentUser, kCFTypeDictionaryValueCallBacks<br>> Foundation: NSDefaultRunLoopMode, NSLog, __objc_class_name_NSAutoreleasePool, __objc_class_name_NSBundle, __objc_class_name_NSDate, __objc_class_name_NSNotificationCenter, __objc_class_name_NSProcessInfo, __objc_class_name_NSRunLoop, __objc_class_name_NSString, __objc_class_name_NSUserDefaults<br>> GoogleContactSync: GoogleSyncConduitCopyUsername, GoogleSyncConduitRegisterClient, GoogleSyncConduitSetUsernameAndPassword, GoogleSyncConduitUnregisterClient, GoogleSyncConduitValidateUser, __objc_class_name_GConClient, __objc_class_name_GDataHTTPFetcher<br><br>( 0 exports ) <br>
PDFiD.: -
RDS...: NSRL Reference Data Set<br>-
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.04.26 Virus.W32.Sality!IK
AhnLab-V3 5.0.0.2 2009.04.26 Win32/Kashu.B
AntiVir 7.9.0.156 2009.04.25 W32/Sality.Y
Antiy-AVL 2.0.3.1 2009.04.24 -
Authentium 5.1.2.4 2009.04.25 -
Avast 4.8.1335.0 2009.04.25 Win32:Sality
AVG 8.5.0.287 2009.04.25 -
BitDefender 7.2 2009.04.26 Gen:Win32.Sality.Dam
CAT-QuickHeal 10.00 2009.04.25 W32.Sality.U
ClamAV 0.94.1 2009.04.26 -
Comodo 1135 2009.04.25 -
DrWeb 4.44.0.09170 2009.04.26 Win32.Sector.17
eSafe 7.0.17.0 2009.04.23 -
eTrust-Vet 31.6.6475 2009.04.24 Win32/Sality.AA
F-Prot 4.4.4.56 2009.04.25 -
F-Secure 8.0.14470.0 2009.04.25 Virus.Win32.Sality.aa
Fortinet 3.117.0.0 2009.04.26 W32/Sality.AA
GData 19 2009.04.26 Gen:Win32.Sality.Dam
Ikarus T3.1.1.49.0 2009.04.26 Virus.W32.Sality
K7AntiVirus 7.10.716 2009.04.25 Virus.Win32.Sality.AA
Kaspersky 7.0.0.125 2009.04.26 Virus.Win32.Sality.aa
McAfee 5596 2009.04.25 W32/Sality.gen.b
McAfee+Artemis 5596 2009.04.25 W32/Sality.gen.b
McAfee-GW-Edition 6.7.6 2009.04.26 Win32.Sality.Y
Microsoft 1.4602 2009.04.26 -
NOD32 4035 2009.04.25 Win32/Sality.NAR
Norman 6.00.06 2009.04.24 -
nProtect 2009.1.8.0 2009.04.26 -
Panda 10.0.0.14 2009.04.26 -
PCTools 4.4.2.0 2009.04.26 -
Prevx1 3.0 2009.04.26 -
Rising 21.26.62.00 2009.04.26 Win32.KUKU.GEN
Sophos 4.41.0 2009.04.26 W32/Sality-AM
Sunbelt 3.2.1858.2 2009.04.24 -
Symantec 1.4.4.12 2009.04.26 W32.Sality.AE
TheHacker 6.3.4.1.314 2009.04.26 W32/Sality.gen
TrendMicro 8.700.0.1004 2009.04.25 Mal_Sality
VBA32 3.12.10.3 2009.04.25 -
ViRobot 2009.4.24.1708 2009.04.24 Win32.Sality.K
VirusBuster 4.6.5.0 2009.04.25 Win32.Sality.AO.Gen
Additional information
File size: 133136 bytes
MD5...: aa23054bf7be902885eb0ade9e1ed474
SHA1..: 5aa0a0c190bdd7e98b1c3b620d63d846f4b9194d
SHA256: 9063db98effe2b4a41146a3ec7f87b997a81f55f73e2f4e3b9ffa3bad91e5b73
SHA512: f56b7e33c050cef1b135f86fc800ba9e7c84ec7e54c5d7968252809861519ec8<br>47fcd19fa7998e69741f76db19474d472b9cc799d152afb17c9134a7061e1275
ssdeep: 3072:B0i8kP9pMZ2XDtieRWpeyHp/kEBU56Yrv/:BhPkmZdWp3HfW5zrv/<br>
PEiD..: -
TrID..: File type identification<br>Win64 Executable Generic (80.9%)<br>Win32 Executable Generic (8.0%)<br>Win32 Dynamic Link Library (generic) (7.1%)<br>Generic Win/DOS Executable (1.8%)<br>DOS Executable Generic (1.8%)
PEInfo: PE Structure information<br><br>( base data )<br>entrypointaddress.: 0x1000<br>timedatestamp.....: 0x48f7b6ec (Thu Oct 16 21:49:32 2008)<br>machinetype.......: 0x14c (I386)<br><br>( 7 sections )<br>name viradd virsiz rawdsiz ntrpy md5<br>.text 0x1000 0x2db4 0x2e00 5.64 710c333301a314161fb6ea35a5cef4e0<br>.data 0x4000 0xe30 0x1000 4.53 7af1d6a421f3356949163fa0453616de<br>.rdata 0x5000 0xe20 0x1000 4.39 da754ce0c1c4e4fd7c2b2b29c641d012<br>.bss 0x6000 0x80 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e<br>.idata 0x7000 0x1480 0x1600 4.23 88f7bd148b0724140f9b2bffa84d740e<br>.rsrc 0x9000 0x588 0x600 4.10 2975bb240802a00e0e92c3df965554b5<br>.cdata 0xa000 0x14000 0x14000 8.00 c31a214b32df40169caac76fd3557045<br><br>( 7 imports ) <br>> KERNEL32.dll: CloseHandle, ConnectNamedPipe, CreateEventA, CreateNamedPipeA, EnterCriticalSection, ExitProcess, GetLastError, GetSystemTimeAsFileTime, InitializeCriticalSection, LeaveCriticalSection, ReadFile, ResetEvent, SetNamedPipeHandleState, SetUnhandledExceptionFilter, TerminateProcess, WaitForSingleObject, WriteFile<br>> msvcrt.dll: __getmainargs, __p__environ, __p__fmode, __set_app_type, _cexit, _get_osfhandle, _getpid, _iob, _onexit, _setjmp, _setmode, atexit, calloc, fprintf, free, fwrite, malloc, memcpy, rand, signal, sprintf, strchr, strcpy, strlen<br>> YSFileShim.dll: _YSCreateFileA, _YSCreateProcessA<br>> libobjc.i386.A.dll: __objc_exec_class, __objc_exec_class_ref, objc_exception_extract, objc_exception_match, objc_exception_throw, objc_exception_try_enter, objc_exception_try_exit, objc_msgSend, objc_msgSendSuper<br>> CoreFoundation: CFDataCreate, CFDataGetBytePtr, CFDataGetBytes, CFDataGetLength, CFDictionaryAddValue, CFDictionaryCreateMutable, CFDictionaryGetValue, CFMakeCollectable, CFNumberCreate, CFPreferencesCopyValue, CFPreferencesGetAppIntegerValue, CFPreferencesSetValue, CFPreferencesSynchronize, CFPropertyListCreateFromXMLData, CFPropertyListCreateXMLData, CFRelease, __CFConstantStringClassReference, __objc_class_name_NSException, __objc_class_name_NSObject, kCFAllocatorDefault, kCFBooleanFalse, kCFBooleanTrue, kCFCopyStringDictionaryKeyCallBacks, kCFPreferencesAnyHost, kCFPreferencesCurrentHost, kCFPreferencesCurrentUser, kCFTypeDictionaryValueCallBacks<br>> Foundation: NSDefaultRunLoopMode, NSLog, __objc_class_name_NSAutoreleasePool, __objc_class_name_NSBundle, __objc_class_name_NSDate, __objc_class_name_NSNotificationCenter, __objc_class_name_NSProcessInfo, __objc_class_name_NSRunLoop, __objc_class_name_NSString, __objc_class_name_NSUserDefaults<br>> GoogleContactSync: GoogleSyncConduitCopyUsername, GoogleSyncConduitRegisterClient, GoogleSyncConduitSetUsernameAndPassword, GoogleSyncConduitUnregisterClient, GoogleSyncConduitValidateUser, __objc_class_name_GConClient, __objc_class_name_GDataHTTPFetcher<br><br>( 0 exports ) <br>
PDFiD.: -
RDS...: NSRL Reference Data Set<br>-
Originally Posted by yukukuhi
It didnt vaccinate the usb drive
What happened ?
OTMoveIt
Please download OTMoveIt3 by OldTimer (http://oldtimer.geekstogo.com/OTMoveIt3.exe) and save it to your desktop
Double-click OTMoveIt3.exe to run it.
Copy the lines in the codebox below. ( Make sure you include :Processes )
:Processes
:Files
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\gconsync.exe
:Commands
[Purity]
[EmptyTemp]
Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
- Close ALL open windows (especially Internet Explorer!)-
Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Download Dr. Web CureIt (ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe) and save it to your desktop.
Double click on cureit.exe to run it.
Click on Start to start the scan.
Dr Web CureIt will prompt you. Click OK.
This will start an express scan. It shouldn't take too long.
When done, click on Options > Change settings.
Select the Scan tab. Uncheck (untick) Heuristics analysis box.
Select the Log file tab. Uncheck (untick) Maximum log file size box.
Click OK to apply the settings.
Select the Complete scan radio button, then click on the green triangle button on the right hand side.
It will start scanning. Please be patient as this scan can be long.
During the scan, if it finds any infected items, it will prompt you. Click Yes to all to cure the files.
Click on File > Save report list. Save this report to a convenient location.
yukukuhi
2009-05-02, 19:18
========== PROCESSES ==========
========== FILES ==========
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\gconsync.exe moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Shiva\LOCALS~1\Temp\Perflib_Perfdata_694.dat scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Shiva\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\JET1E18.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\JET1E28.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_244.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05022009_165854
Files moved on Reboot...
File C:\DOCUME~1\Shiva\LOCALS~1\Temp\Perflib_Perfdata_694.dat not found!
File C:\WINDOWS\temp\JET1E18.tmp not found!
File C:\WINDOWS\temp\JET1E28.tmp not found!
File C:\WINDOWS\temp\Perflib_Perfdata_244.dat not found!
Cureit Logs
Stress Relief.exe;C:\Documents and Settings\Shiva\My Documents\My Pictures;Joke.Puncher;Deleted.;
A0193697.exe;C:\System Volume Information\_restore{3699CC5F-1579-4E53-B8A7-C7FB6C93C038}\RP749;Win32.Virut.56;Cured.;
A0193706.exe;C:\System Volume Information\_restore{3699CC5F-1579-4E53-B8A7-C7FB6C93C038}\RP749;Trojan.DownLoad.29459;Deleted.;
A0193707.exe;C:\System Volume Information\_restore{3699CC5F-1579-4E53-B8A7-C7FB6C93C038}\RP749;Trojan.DownLoad.29459;Deleted.;
A0193720.exe;C:\System Volume Information\_restore{3699CC5F-1579-4E53-B8A7-C7FB6C93C038}\RP749;Win32.Virut.56;Cured.;
A0193723.exe;C:\System Volume Information\_restore{3699CC5F-1579-4E53-B8A7-C7FB6C93C038}\RP749;Win32.Virut.56;Cured.;
A0193726.exe;C:\System Volume Information\_restore{3699CC5F-1579-4E53-B8A7-C7FB6C93C038}\RP749;Win32.Virut.56;Cured.;
A0193727.exe;C:\System Volume Information\_restore{3699CC5F-1579-4E53-B8A7-C7FB6C93C038}\RP749;Win32.Virut.56;Cured.;
A0193728.exe;C:\System Volume Information\_restore{3699CC5F-1579-4E53-B8A7-C7FB6C93C038}\RP749;Win32.Virut.56;Cured.;
A0193729.exe;C:\System Volume Information\_restore{3699CC5F-1579-4E53-B8A7-C7FB6C93C038}\RP749;Trojan.Packed.2450;Deleted.;
A0193732.exe;C:\System Volume Information\_restore{3699CC5F-1579-4E53-B8A7-C7FB6C93C038}\RP749;Win32.Virut.56;Cured.;
A0193733.exe;C:\System Volume Information\_restore{3699CC5F-1579-4E53-B8A7-C7FB6C93C038}\RP749;Win32.Virut.56;Cured.;
A0193734.exe;C:\System Volume Information\_restore{3699CC5F-1579-4E53-B8A7-C7FB6C93C038}\RP749;Win32.Virut.56;Cured.;
A0193735.exe;C:\System Volume Information\_restore{3699CC5F-1579-4E53-B8A7-C7FB6C93C038}\RP749;Win32.Virut.56;Cured.;
A0193736.EXE;C:\System Volume Information\_restore{3699CC5F-1579-4E53-B8A7-C7FB6C93C038}\RP749;Win32.Virut.56;Cured.;
A0193737.exe;C:\System Volume Information\_restore{3699CC5F-1579-4E53-B8A7-C7FB6C93C038}\RP749;Win32.Virut.56;Cured.;
A0193738.exe;C:\System Volume Information\_restore{3699CC5F-1579-4E53-B8A7-C7FB6C93C038}\RP749;Win32.Virut.56;Cured.;
A0193739.exe;C:\System Volume Information\_restore{3699CC5F-1579-4E53-B8A7-C7FB6C93C038}\RP749;Win32.Virut.56;Cured.;
A0193742.exe;C:\System Volume Information\_restore{3699CC5F-1579-4E53-B8A7-C7FB6C93C038}\RP749;Win32.Virut.56;Cured.;
A0193743.exe;C:\System Volume Information\_restore{3699CC5F-1579-4E53-B8A7-C7FB6C93C038}\RP749;Win32.Virut.56;Cured.;
A0193746.exe;C:\System Volume Information\_restore{3699CC5F-1579-4E53-B8A7-C7FB6C93C038}\RP749;Win32.Virut.56;Cured.;
A0193747.exe;C:\System Volume Information\_restore{3699CC5F-1579-4E53-B8A7-C7FB6C93C038}\RP749;Win32.Virut.56;Cured.;
A0193748.exe;C:\System Volume Information\_restore{3699CC5F-1579-4E53-B8A7-C7FB6C93C038}\RP749;Win32.Virut.56;Cured.;
A0193749.exe;C:\System Volume Information\_restore{3699CC5F-1579-4E53-B8A7-C7FB6C93C038}\RP749;Win32.Virut.56;Cured.;
A0193751.exe;C:\System Volume Information\_restore{3699CC5F-1579-4E53-B8A7-C7FB6C93C038}\RP749;Win32.Virut.56;Cured.;
A0193754.exe;C:\System Volume Information\_restore{3699CC5F-1579-4E53-B8A7-C7FB6C93C038}\RP749;Win32.Virut.56;Cured.;
A0194213.exe;C:\System Volume Information\_restore{3699CC5F-1579-4E53-B8A7-C7FB6C93C038}\RP753;Win32.Virut.56;Cured.;
A0194214.exe/data002\new_update_all\kidpo\vCN.au3.tbl;C:\System Volume Information\_restore{3699CC5F-1579-4E53-B8A7-C7FB6C93C038}\RP753\A0194214.exe/data002;Win32.HLLW.Autoruner.based;;
data002;C:\System Volume Information\_restore{3699CC5F-1579-4E53-B8A7-C7FB6C93C038}\RP753;Container contains infected objects;;
A0194214.exe;C:\System Volume Information\_restore{3699CC5F-1579-4E53-B8A7-C7FB6C93C038}\RP753;Container contains infected objects;Deleted.;
1D.tmp;C:\WINDOWS\system32;Trojan.DownLoad.29459;Deleted.;
net.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;
taskmgr.exe;C:\WINDOWS\system32;Win32.Virut.56;Cured.;
gconsync.exe;C:\_OTMoveIt\MovedFiles\05022009_165854\Program Files\Common Files\Apple\Mobile Device Support\bin;Win32.Sector.17;Cured.;
ientqu.exe\encratep\compilation\5HgO5p4.au3.tbl;S:\ientqu.exe;Win32.HLLW.Autoruner.based;;
ientqu.exe;S:\;Container contains infected objects;Deleted.;
zoylxz.exe/data002\new_update_all\kidpo\vCN.au3.tbl;S:\zoylxz.exe/data002;Win32.HLLW.Autoruner.based;;
data002;S:\;Container contains infected objects;;
zoylxz.exe;S:\;Container contains infected objects;Deleted.;
ientqu.exe\encratep\compilation\5HgO5p4.au3.tbl;S:\ientqu.exe;Win32.HLLW.Autoruner.based;;
ientqu.exe;S:\;Container contains infected objects;Invalid path to file ;
zoylxz.exe/data002\new_update_all\kidpo\vCN.au3.tbl;S:\zoylxz.exe/data002;Win32.HLLW.Autoruner.based;;
data002;S:\;Container contains infected objects;;
zoylxz.exe;S:\;Container contains infected objects;Invalid path to file ;
ientqu.exe\encratep\compilation\5HgO5p4.au3.tbl;S:\ientqu.exe;Win32.HLLW.Autoruner.based;;
ientqu.exe;S:\;Container contains infected objects;Invalid path to file ;
zoylxz.exe/data002\new_update_all\kidpo\vCN.au3.tbl;S:\zoylxz.exe/data002;Win32.HLLW.Autoruner.based;;
data002;S:\;Container contains infected objects;;
zoylxz.exe;S:\;Container contains infected objects;Invalid path to file ;
DrWeb shows Virut, if I had seen signs of this before I would have recommended a reformat.
Please do the following
Download and Run ComboFix
Please delete the copy of ComboFix that you have and download an updated copy from one of the links below
ComboFix.exe 1 (http://subs.geekstogo.com/ComboFix.exe)
ComboFix.exe 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
ComboFix.exe 3 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix..
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
ComboFix SHOULD NOT be used unless requested by a forum helper
Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html
Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
**Note**
To optimize scanning time and produce a more sensible report for review: Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
yukukuhi
2009-05-04, 11:54
ComboFix 09-05-02.4 - Shiva 05/03/2009 10:39.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.325 [GMT 5.5:30]
Running from: c:\documents and settings\Shiva\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - The cat ate it :)
.
((((((((((((((((((((((((( Files Created from 2009-04-03 to 2009-05-03 )))))))))))))))))))))))))))))))
.
2009-05-02 17:28 . 2009-04-06 10:02 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-02 17:28 . 2009-04-06 10:02 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-02 17:28 . 2009-05-02 17:28 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-02 11:55 . 2009-05-02 12:01 -------- d-----w c:\documents and settings\Shiva\DoctorWeb
2009-05-02 11:28 . 2009-05-02 11:28 -------- d-----w C:\_OTMoveIt
2009-04-26 12:36 . 2009-05-03 05:16 85884 ----a-w c:\windows\system32\drivers\glaide32.sys
2009-04-14 10:53 . 2009-04-14 10:53 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-14 10:52 . 2009-04-14 10:52 -------- d-----w c:\program files\Java
2009-04-08 04:06 . 2009-05-02 11:42 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-08 04:06 . 2009-05-02 11:42 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-08 04:06 . 2009-05-02 17:21 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-08 04:05 . 2009-04-08 04:05 -------- d-----w c:\program files\AVG
2009-04-08 04:05 . 2009-04-08 04:05 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-07 15:07 . 2009-04-07 15:09 -------- d-----w c:\program files\VirtualDub-1.8.8
2009-04-07 14:55 . 2009-04-07 14:55 58652 ----a-w c:\program files\AMVapp-uninst.exe
2009-04-07 14:54 . 2009-04-07 14:54 67895 ----a-w c:\program files\Premiere AVS Plugin uninst.exe
2009-04-07 14:42 . 2009-04-07 14:42 -------- d-----w c:\documents and settings\Shiva\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-04-07 14:40 . 2009-04-07 14:40 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-07 14:15 . 2008-06-19 10:54 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-04-07 07:49 . 2009-04-07 14:15 -------- d-----w c:\program files\Panda Security
2009-04-06 06:42 . 2009-04-06 06:42 -------- d-----w c:\documents and settings\Shiva\Local Settings\Application Data\Mozilla
2009-04-05 04:11 . 2009-05-02 15:42 -------- d--h--w C:\$AVG8.VAULT$
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-03 05:13 . 2005-03-17 20:29 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-03 05:08 . 2005-03-17 19:06 182912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-05-02 12:52 . 2005-03-17 22:09 79144 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-02 08:47 . 2005-05-30 23:15 -------- d-----w c:\program files\Quicken
2009-04-30 02:41 . 2008-12-14 08:17 -------- d-----w c:\program files\iTunes
2009-04-27 16:31 . 2008-10-12 13:41 -------- d-----w c:\program files\VideoReDoTVSuite
2009-04-27 16:05 . 2008-08-11 05:20 -------- d-----w c:\program files\DVD Decrypter
2009-04-26 12:36 . 2009-04-26 12:36 0 ----a-w c:\windows\system32\1E.tmp
2009-04-26 12:36 . 2009-04-26 12:35 152064 ----a-w c:\windows\system32\1B.tmp
2009-04-26 12:35 . 2009-04-26 12:35 84 ----a-w c:\windows\system32\17.tmp
2009-04-09 09:57 . 2005-03-17 21:38 -------- d-----w c:\program files\Common Files\Adobe
2009-04-07 14:59 . 2008-04-22 08:49 -------- d-----w c:\program files\AviSynth 2.5
2009-04-07 14:55 . 2008-07-01 12:58 35365 ----a-w c:\windows\system32\uninstHelixYUV.exe
2009-04-07 14:54 . 2008-04-22 08:49 -------- d-----w c:\program files\AMVapp
2009-04-05 05:44 . 2008-12-14 08:15 -------- d-----w c:\program files\QuickTime
2009-04-05 05:37 . 2005-05-30 23:03 -------- d-----w c:\program files\Microsoft Works
2009-04-05 05:25 . 2005-03-17 21:39 -------- d-----w c:\program files\Google
2009-04-05 05:12 . 2006-11-25 04:39 -------- d-----w c:\program files\Apple Software Update
2009-04-05 05:12 . 2005-03-17 12:18 -------- d-----w c:\program files\Apoint
2009-04-05 04:52 . 2006-04-08 16:05 27648 -c--a-w c:\documents and settings\Shiva\g2mdlhlpx.exe
2009-04-05 04:24 . 2009-03-04 14:55 -------- d-----w c:\program files\GordianKnot
2009-03-29 14:15 . 2008-05-01 08:33 -------- d-----w c:\program files\Xvid
2009-03-26 14:51 . 2008-12-14 08:13 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
2009-03-24 04:00 . 2005-05-30 22:50 98304 ----a-w c:\windows\DUMP7213.tmp
2009-03-18 04:11 . 2009-03-12 14:55 -------- d-----w c:\program files\ffdshow
2004-05-08 06:41 . 2004-05-08 06:41 53361 ----a-w c:\program files\Premiere AVS GUI.exe
2004-05-06 21:57 . 2004-05-06 21:57 57344 ----a-w c:\program files\IM-Avisynth.prm
.
((((((((((((((((((((((((((((( SnapShot@2009-04-14_10.28.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-03 05:15 . 2009-05-03 05:15 16384 c:\windows\Temp\Perflib_Perfdata_cc.dat
+ 2005-03-17 20:21 . 2004-08-04 12:00 19429 c:\windows\system32\MsDtc\Trace\msdtcvtr.bat
+ 2009-04-08 04:06 . 2009-05-02 11:42 27784 c:\windows\system32\drivers\avgmfx86.sys
+ 2005-03-17 19:07 . 2004-08-04 12:00 13824 c:\windows\system32\dllcache\wscntfy.exe
+ 2005-03-17 20:22 . 2004-08-04 12:00 73728 c:\windows\system32\dllcache\wmplayer.exe
+ 2005-03-17 19:06 . 2004-08-04 12:00 42496 c:\windows\system32\dllcache\net.exe
+ 2005-03-17 19:05 . 2004-08-04 12:00 2589 c:\windows\I386\RUNW32.BAT
+ 2009-04-14 10:53 . 2009-04-14 10:53 148888 c:\windows\system32\javaws.exe
+ 2009-04-14 10:53 . 2009-04-14 10:53 144792 c:\windows\system32\javaw.exe
+ 2009-04-14 10:53 . 2009-04-14 10:53 144792 c:\windows\system32\java.exe
+ 2005-03-17 12:14 . 2009-05-02 12:46 279744 c:\windows\system32\FNTCACHE.DAT
- 2005-03-17 12:14 . 2009-04-06 17:29 279744 c:\windows\system32\FNTCACHE.DAT
+ 2005-03-17 19:07 . 2004-08-04 12:00 135680 c:\windows\system32\dllcache\taskmgr.exe
+ 2005-03-17 19:06 . 2004-08-04 12:00 514560 c:\windows\system32\dllcache\logonui.exe
- 2007-08-13 13:13 . 2007-12-06 11:01 625664 c:\windows\system32\dllcache\iexplore.exe
+ 2005-03-17 20:22 . 2007-12-06 11:01 625664 c:\windows\system32\dllcache\iexplore.exe
+ 2005-03-17 19:06 . 2004-08-04 12:00 388608 c:\windows\system32\dllcache\cmd.exe
+ 2008-12-14 08:18 . 2009-04-30 02:42 102400 c:\windows\Installer\{318AB667-3230-41B5-A617-CB3BF748D371}\iTunesIco.exe
- 2008-12-14 08:18 . 2008-12-14 08:18 102400 c:\windows\Installer\{318AB667-3230-41B5-A617-CB3BF748D371}\iTunesIco.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-02 1947928]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-02-17 5406720]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-02 11:42 11952 ----a-w c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-01-18 20:48 73728 ----a-w c:\windows\system32\VESWinlogon.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Shiva^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Shiva\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Shiva^Start Menu^Programs^Startup^Screen Saver Control.lnk]
path=c:\documents and settings\Shiva\Start Menu\Programs\Startup\Screen Saver Control.lnk
backup=c:\windows\pss\Screen Saver Control.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\Program Files\\Alcohol Soft\\Alcohol 120\\AxCmd.bin"=
"c:\\Program Files\\DAEMON Tools Lite\\daemon.exe"=
"c:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=
"c:\\Program Files\\Adobe\\Adobe Audition 3.0\\Audition.exe"=
"c:\\Program Files\\QuickTime\\QTTask.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"2799:UDP"= 2799:UDP:Altova License Metering Port (UDP)
"2799:TCP"= 2799:TCP:Altova License Metering Port (TCP)
R1 ethektiy;ethektiy; [x]
R3 DCamUSBSony4;Sony Visual Communication Camera;c:\windows\system32\DRIVERS\snyucam4.sys [2003-01-17 424127]
R3 DCamUSBSonyA4;Sony USB Microphone;c:\windows\system32\drivers\snyuflt4.sys [2003-01-17 6019]
R3 mlnxfltr;mlnxfltr;c:\windows\system32\drivers\mlnxfltr.sys [2004-07-22 9984]
R3 MultiLINX;MultiLINX;c:\windows\system32\drivers\mltlnx.sys [2004-07-22 11811]
R3 w200bus;Sony Ericsson W200 driver (WDM);c:\windows\system32\DRIVERS\w200bus.sys [2006-11-07 61504]
R3 w200mdfl;Sony Ericsson W200 USB WMC Modem Filter;c:\windows\system32\DRIVERS\w200mdfl.sys [2006-11-07 9328]
R3 w200mdm;Sony Ericsson W200 USB WMC Modem Driver;c:\windows\system32\DRIVERS\w200mdm.sys [2006-11-07 97056]
R3 w200mgmt;Sony Ericsson W200 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\w200mgmt.sys [2006-11-07 88560]
R3 w200obex;Sony Ericsson W200 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\w200obex.sys [2006-11-07 86368]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-05-02 325896]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-05-02 298776]
S2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 3744]
S2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 3904]
S3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\DRIVERS\SonyPI.sys [2003-06-19 71961]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57b64336-239d-11de-8c38-00014a829daa}]
\shell\autorun\command - D:\zoylxz.exe
\shell\explore\command - D:\zoylxz.exe
\shell\open\command - D:\zoylxz.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://gmail.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Transfer by Image Converter 2 - c:\program files\Sony\Image Converter 2\menu.htm
Trusted Zone: aol.com\free
FF - ProfilePath - c:\documents and settings\Shiva\Application Data\Mozilla\Firefox\Profiles\g2mddhrr.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 10:46
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\s-1-5-21-1482251334-1830561315-212462575-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b4,6a,23,32,f6,90,d5,4b,23,be,b6,60,9a,05,ec,4d,e6,39,cf,71,06,97,67,
23,fc,7f,e4,9b,63,96,18,d9,71,08,da,36,0b,68,a2,17,48,87,96,27,19,25,17,68,\
"??"=hex:cc,f4,94,dc,38,7e,ce,e1,4d,0b,ff,0c,d9,86,71,4c
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ�•€|ù•A~�*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(788)
c:\windows\system32\VESWinlogon.dll
- - - - - - - > 'explorer.exe'(3040)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-03 10:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-03 05:19
ComboFix2.txt 2009-04-14 10:31
Pre-Run: 11,106,656,256 bytes free
Post-Run: 11,105,730,560 bytes free
228 --- E O F --- 2008-01-09 06:04
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:48 AM, on 5/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Transfer by Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163548670578
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?AuthParam=1239705470_bc50eeb1ac5b6d9939e1ab455f186815&GroupName=JSC&FilePath=/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab&File=jinstall-6u13-windows-i586-jc.cab&BHost=javadl.sun.com
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Unknown owner - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MSCSPTISRV - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe (file missing)
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe (file missing)
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment Task Scheduler - Unknown owner - C:\Program Files\Sony\vaio entertainment\VzTaskScheduler.exe (file missing)
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe (file missing)
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe (file missing)
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe (file missing)
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
--
End of file - 9907 bytes
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, May 4, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, May 04, 2009 03:41:21
Records in database: 2125641
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
E:\
F:\
R:\
Scan statistics:
Files scanned: 98009
Threat name: 3
Infected objects: 9
Suspicious objects: 0
Duration of the scan: 02:28:15
File name / Threat name / Threats count
C:\Documents and Settings\Shiva\DoctorWeb\Quarantine\A0194214.exe Infected: Packed.Win32.Klone.bj 1
C:\Documents and Settings\Shiva\DoctorWeb\Quarantine\csrcs.exe Infected: Packed.Win32.Klone.bj 1
C:\Documents and Settings\Shiva\DoctorWeb\Quarantine\ientqu.exe Infected: Trojan.Win32.Midgare.uik 1
C:\Documents and Settings\Shiva\DoctorWeb\Quarantine\ientqu_0.exe Infected: Trojan.Win32.Midgare.uik 1
C:\Documents and Settings\Shiva\DoctorWeb\Quarantine\ientqu_1.exe Infected: Trojan.Win32.Midgare.uik 1
C:\Documents and Settings\Shiva\DoctorWeb\Quarantine\zoylxz.exe Infected: Packed.Win32.Klone.bj 1
C:\Documents and Settings\Shiva\DoctorWeb\Quarantine\zoylxz_0.exe Infected: Packed.Win32.Klone.bj 1
C:\Documents and Settings\Shiva\DoctorWeb\Quarantine\zoylxz_1.exe Infected: Packed.Win32.Klone.bj 1
C:\WINDOWS\system32\1B.tmp Infected: Backdoor.Win32.IEbooot.bwg 1
The selected area was scanned.
Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Virus Total
Please visit Virustotal (http://www.virustotal.com/en/indexf.html)
Copy/paste the the following file path into the window
C:\WINDOWS\system32\1B.tmp
Click Submit/Send File
Please post back, to let me know the results.
If Virustotal is too busy please try Jotti (http://virusscan.jotti.org/)
USBNoRisk
Please download USBNoRisk (http://amf.mycity.co.yu/personal/bobby/USBNoRisk/usbnorisk.exe) to your Desktop and run it by double-clicking the program's icon
wait a couple of seconds for initial scan to be done
connect all of the USB storage devices to the PC, one at a time, and keep each one connected at least for 10 seconds
if there are more USB storage devices to scan, please take a note about the order in which these were connected
after all the devices are scanned, choose "Save log" option from right-click menu on Monitor tab. That will open the log in Notepad. Please copy/paste the log to forum
Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC, e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras, memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.
yukukuhi
2009-05-05, 05:01
Jotti
File: 1B.tmp
Status: INFECTED/MALWARE
MD5: 81bde83952d78aa31d89954926c70548
Packers detected: -
Scan taken on 04 May 2009 15:48:10 (GMT)
A-Squared Found Trojan.Rlsloupa!IK
AntiVir Found TR/Dropper.Gen
ArcaVir Found nothing
Avast Found Win32:Trojan-gen {Other}
AVG Antivirus Found SpamTool.CSH
BitDefender Found Trojan.Rlsloupa.A
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Backdoor.Win32.IEbooot.bwg
Ikarus Found Trojan.Rlsloupa
Kaspersky Anti-Virus Found Backdoor.Win32.IEbooot.bwg
NOD32 Found a variant of Win32/SpamTool.Rlsloup.NAA
Norman Virus Control Found nothing
Panda Antivirus Found Trj/Downloader.VUF
Quick Heal Found Backdoor.IEbooot.bwg
Sophos Antivirus Found Mal/UnkPack-Fam
VirusBuster Found Backdoor.IEbooot.GG
VBA32 Found Backdoor.Win32.IEbooot.bwg
USBNoRisk 2.1 by bobby
Started at 5/5/2009 8:13:05 AM
Scanning for connected USB Mass storage...
----------------------------------------
========================================
Scanning for other storage...
----------------------------------------
C: {01069794-e8bd-11d9-86cc-806d6172696f}
========================================
Scanning fixed storage for autorun.inf files...
----------------------------------------
No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for 01069794-e8bd-11d9-86cc-806d6172696f
----------------------------------------
========================================
Initial scan finished!
========================================
New device connected at 5/5/2009 8:13:43 AM
Scanning for connected USB mass storage...
----------------------------------------
D: {57b64336-239d-11de-8c38-00014a829daa}
Added D:
========================================
Scanning USB mass storage for files...
----------------------------------------
No blocked files found on D:
----------------------------------------
autorun.inf found on D:
----------------------------------------
File D:\autorun.inf renamed successfully
Content of D:\autorun.inf.blocked
----------------------------------------
;jmRXueBiAvjyhiKXMMQlmSebCmJaLMjqAyRsHaDVthDWrQhrOtMBVUGTWnKaIhnPTcJsTpz
;uPAkDGpYqNmjXlMNNahDfyasAqknEhMJHdltWWMYJUJStEdrerfxIoofbmWLQmwiS
;yBUBBbbdOsgXAlTZkjph
;nWUoZYB
;qPURmQNMrSIHVDIMhFZYKamQRiOqhewjXQQDXUIDIQOBMyE
;uAODxcRonUKcTLDTOHirRKgDmrLUmkUFZJifWNbDJYcfJVsfYSmUtpzYzrBIkiHieOCiYreejjIotRL
;rejwrwmZvKtvQqdiHApJxoKywdQKCIkXCIRlSKyFIDFkLIiombqtjkfdlzkqSloFZazaAOTGaG
;LHYB
;45F27A231FB2BAE1D86A005C0833BEDD8F8F0E9EB727D2C7BFC81571
;FYKsRxzxefgc
;RjMUmaVBxfYIBiIOdCkYKUESPgCRMvHtAYAcPkREiHHmWxWBlklKBlYmyFYXRpkcKNRnjymKliolE
;yqthjQmfDd
[AutoRun]
open=zoylxz.exe
;VdBGHhIecHAqtzkStaWgdHvODksI
;YeRssKyPobfYbuKLOFtjxtjVmazPcnrBtMJPZQhmqlyqVxpunf
;WqrRVLLxsDXOxLCdbgnupno
;OSGqFimi
;AabKoQrSJOHKVNgbrwzYzZandZiHynyELDqyzrqIqTjtvymmBxTOIwhzJCoZlQxUYiTgpSp
Icon=%system%\shell32.dll,7
;uMdsmcBLWQWCMELqZSrbMAOUmbSMcSouSRGVtHExEMJSIaNsgwGEcTC
UseAutoPlay=1
action=Open Drive
action= @zoylxz.exe
;IrRMggpZ
shell\open\Command=zoylxz.exe
;ZNzVmSJczGHGfjkzBdTpvJxIGFlO
shell\open\Default=1
;ggrObObaUPmgRZjevzHvMxYdiDwsRiMPBBqyFYyZLmklpbrtJUNHjEMV
;iWnrYPCxkISXOQ
shell\explore\Command=zoylxz.exe
;RzPGNVyYPYFqXvJjUr
----------------------------------------
Files referenced from D:\autorun.inf.blocked
----------------------------------------
None
----------------------------------------
Sanitized mountpoint for 57b64336-239d-11de-8c38-00014a829daa
----------------------------------------
No Desktop.ini files found on D:
----------------------------------------
No mimics found on drive D:
========================================
========================================
Removed D:
========================================
New device connected at 5/5/2009 8:15:59 AM
Scanning for connected USB mass storage...
----------------------------------------
S: {ea9c8f29-e84a-11dc-898e-00014a829daa}
Added S:
========================================
Scanning USB mass storage for files...
----------------------------------------
No blocked files found on S:
----------------------------------------
No Autorun.inf files found on S:
No mountpoint found for ea9c8f29-e84a-11dc-898e-00014a829daa
----------------------------------------
No Desktop.ini files found on S:
----------------------------------------
No mimics found on drive S:
========================================
========================================
========================================
========================================
========================================
========================================
Removed S:
========================================
I think you got very lucky !!!
How are things running now ?
OTMoveIt
Double-click OTMoveIt3.exe to run it.
Copy the lines in the codebox below. ( Make sure you include :Processes )
:Processes
:Files
C:\Documents and Settings\Shiva\DoctorWeb\Quarantine
C:\WINDOWS\system32\1B.tmp
:Commands
Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
- Close ALL open windows (especially Internet Explorer!)-
Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
yukukuhi
2009-05-06, 04:50
========== PROCESSES ==========
========== FILES ==========
C:\Documents and Settings\Shiva\DoctorWeb\Quarantine moved successfully.
C:\WINDOWS\system32\1B.tmp moved successfully.
========== COMMANDS ==========
OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05062009_081819
How are things running now ?
yukukuhi
2009-05-10, 13:43
I think the malwares have gone, Thank you.. And which firewall should i use for an 512 MB Ram.
And which firewall should i use for an 512 MB Ram.
To be honest, I prefer not to recommend Firewalls, usefulness versus ease of use makes them a rather personal choice.
Congratulations your logs look clean :)
Let's see if I can help you keep it that way
First lets tidy up
Please delete RSIT.exe and C:\RSIT (entire folder)
You can also delete any logs we have produced, and empty your Recycle bin.
Uninstall Combofix
This will clear your System Volume Information restore points and remove all the infected files that were quarantined
(XP) Click START then RUN
(Vista) Click START, type RUN into the search box, then click Enter
Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Uninstall OTMoveIt
Open OTMoveIt Click Cleanup,
When a box pops up click YES.
----------------------------------------------------------- -----------------------------------------------------------
The following is some info to help you stay safe and clean.
You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )
Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.
http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html
!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE (http://secunia.com/software_inspector/) for details
AntiSpyware
AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have a free (for Home Users ) and paid versions,
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy (http://www.safer-networking.org/) <<< A must have program It includes host protection and registry protection A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
MalwareBytes Anti-malware (http://www.malwarebytes.org/mbam.php) <<< A New and effective program
a-squared Free (http://www.emsisoft.com/en/software/free/) <<< A good "realtime" or "on demand" scanner
superantispyware (http://www.superantispyware.com/) <<< A good "realtime" or "on demand" scanner
Prevention
These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one
Winpatrol (http://www.winpatrol.com) An excellent startup manager and then some !! Notifies you if programs are added to startup Allows delayed startup A must have addition
SpywareBlaster 4.0 (http://www.javacoolsoftware.com/spywareblaster.html) SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
SpywareGuard 2.2 (http://www.javacoolsoftware.com/spywareguard.html) SpywareGuard provides real-time protection against spyware. Not required if you have other "realtime" antispyware or Winpatrol
ZonedOut (http://www.funkytoad.com/index.php?option=com_content&view=article&id=15&Itemid=33) Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.zip) This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial (http://www.mvps.org/winhelp2002/hosts.htm) by WinHelp2002. Not required if you are using other host file protections
Internet Browsers
Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
If you are still using IE6 then either update, or get one of the following.
FireFox (http://www.mozilla.com/en-US/firefox/) With many addons available that make customization easy this is a very popular choice NoScript and AdBlockPlus addons are essential
Opera (http://www.opera.com/) Another popular alternative
Netscape (http://browser.netscape.com/addons) Another popular alternative Also has Addons available
Cleaning Temporary Internet Files and Tracking Cookies
Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.
Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords
Both of these can be cleaned manually, but a quicker option is to use a program
ATF Cleaner (http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25) Free and very simple to use
CCleaner (http://www.ccleaner.com/) Free and very flexible, you can chose which cookies to keep
Also PLEASE read this article.....So How Did I Get Infected In The First Place (http://forum.malwareremoval.com/viewtopic.php?t=4959)
The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.
If you follow this advice then (with a bit of luck) you will never have to hear from me again :D
If you could post back one more time to let me know everything is OK, then I can have this thread archived.
Happy surfing K'
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.