
Infected with multiple trojans possibly Virtumonde


12 replies to this topic

#1 ein

  • Members
  • 6 posts

Posted 30 April 2009 - 01:09 AM

When the computer is turned on I have to choose between 2 different "hardware profiles", I cannot open any email in my hotmail account (I can log in and see the email list but not open any emails), when search results are clicked on from Google I'm redirected to random sites, explorer.exe randomly shuts down, Dr. MortemPostmortem Debugger errors (I don't think I spelled that right) plus some lag.
Also I think (but I'm not sure) my external hard drive might have an infection or two as well...

Some unknown processes are trying to get through ZoneAlarm:
xpre.tmp
prnet.tmp
mshta.exe
rases.exe
gereviba.exe
1014543931.exe
evwcyabld.exe
atel.exe
1097689788.exe
402988908.exe
frmwrk32.exe
267561543.exe
158844247.exe

And these are a few things Spybot picked up:
Virtumonde.sdn
pws.ldpinchie
win32.tdss.rnk
microsoft,windows.explorer
dnsflush.cws

I run Windows XP Media Edition and my computer is a Sony VAIO VGN-FE690G.

Please help!


DDS (Ver_09-03-16.01) - NTFSx86
Run by Morgaine at 23:01:29.99 on Wed 04/29/2009
Internet Explorer: 8.0.6001.18372 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.937 [GMT -6:00]

AV: eTrust ITM *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\dllhost.exe
\\?\globalroot\systemroot\system32\rundll32.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Sony\VAIO Camera Utility\VCUServe.exe
C:\Program Files\CA\eTrustITM\realmon.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Morgaine\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://metroconnect.mscd.edu/cp/home/loginf
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyOverride = *.local
BHO: c:\windows\system32\yhs783ijfo3fe.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\yhs783ijfo3fe.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [EPSON Stylus CX5800F Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiala.exe /fu "c:\windows\temp\E_S4E6.tmp" /EF "HKCU"
uRun: [Vidalia] "c:\program files\vidalia bundle\vidalia\vidalia.exe"
uRun: [prnet] "c:\windows\system32\prnet.tmp"
uRun: [autochk] rundll32.exe c:\docume~1\morgaine\protect.dll,_IWMPEvents@16
uRun: [Diagnostic Manager] c:\docume~1\morgaine\locals~1\temp\1823395667.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [SonyPowerCfg] c:\program files\sony\vaio power management\SPMgr.exe
mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Switcher.exe] c:\program files\sony\wireless switch setting utility\Switcher.exe
mRun: [<NO NAME>]
mRun: [VAIOSurvey] c:\program files\sony\vaio survey\surveysa.exe
mRun: [VAIOCameraUtility] "c:\program files\sony\vaio camera utility\VCUServe.exe"
mRun: [PartSeal] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [Realtime Monitor] "c:\program files\ca\etrustitm\realmon.exe" -s
mRun: [EPSON Stylus CX5800F Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIALA.EXE /P27 "EPSON Stylus CX5800F Series" /O6 "USB001" /M "Stylus CX5800F"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [prnet] "c:\windows\system32\prnet.tmp"
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
mRunOnce: [SpybotDeletingA7731] command.com /c del "c:\windows\system32\ovfsthdmjbglxepmhhakgjcxrqperrvdfiqqsc.dll_old"
mRunOnce: [SpybotDeletingC9081] cmd.exe /c del "c:\windows\system32\ovfsthdmjbglxepmhhakgjcxrqperrvdfiqqsc.dll_old"
mRunOnce: [SpybotDeletingA5965] command.com /c del "c:\windows\system32\ovfsthdoclvcqvymxgadasycsvlrhrxbpnkryk.dll_old"
mRunOnce: [SpybotDeletingC813] cmd.exe /c del "c:\windows\system32\ovfsthdoclvcqvymxgadasycsvlrhrxbpnkryk.dll_old"
dRun: [EPSON Stylus CX5800F Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\e_fatiala.exe /fu "c:\windows\temp\E_S4EC.tmp" /EF "HKCU"
dRun: [EPSON Stylus CX5800F Series (Copy 2)] c:\windows\system32\spool\drivers\w32x86\3\e_fatiala.exe /fu "c:\windows\temp\E_S4EF.tmp" /EF "HKCU"
dRun: [autochk] rundll32.exe c:\docume~1\locals~1\protect.dll,_IWMPEvents@16
StartupFolder: c:\docume~1\morgaine\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
Notify: igfxcui - igfxdev.dll
Notify: VESWinlogon - VESWinlogon.dll
AppInit_DLLs: c:\windows\system32\vidimofu.dll c:\windows\system32\dojubapu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dojubapu.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\dojubapu.dll
STS: c:\windows\system32\yhs783ijfo3fe.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\yhs783ijfo3fe.dll
LSA: Notification Packages = scecli c:\windows\system32\vidimofu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\morgaine\applic~1\mozilla\firefox\profiles\i0ulny20.default\
FF - prefs.js: browser.startup.homepage - msn.com

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-28 64160]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-2-27 353672]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 953168]
R2 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\leapfrog\leapfrog connect\CommandService.exe [2009-2-4 991232]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [2006-3-15 29184]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-3-15 226304]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]

=============== Created Last 30 ================

2009-04-29 21:51 24,064 a--sh--- c:\documents and settings\morgaine\protect.dll
2009-04-29 20:51 24,064 a--sh--- c:\windows\system32\autochk.dll
2009-04-29 20:51 27,648 a------- c:\windows\system32\lmppcsetup.exe
2009-04-29 03:19 46 a------- c:\windows\system32\p2hhr.bat
2009-04-29 03:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CA
2009-04-29 01:15 28,672 a------- c:\windows\system32\loader49.exe
2009-04-29 00:45 21,504 a------- c:\windows\system32\ak1.exe
2009-04-29 00:45 15,000 a------- c:\windows\system32\yhs783ijfo3fe.dll
2009-04-29 00:29 182,911 a------- c:\windows\system32\prnet.tmp
2009-04-15 20:48 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-15 20:48 35,328 -c------ c:\windows\system32\dllcache\sc.exe
2009-04-15 20:48 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-15 20:48 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 20:48 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-15 20:48 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 20:48 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-15 20:48 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 20:48 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-15 20:48 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-07 00:21 118,272 a------- c:\windows\system32\hpz3l5ha.dll
2009-04-07 00:20 21,568 a------- c:\windows\system32\drivers\HPZius12.sys
2009-04-07 00:20 16,496 a------- c:\windows\system32\drivers\HPZipr12.sys
2009-04-07 00:20 49,920 a------- c:\windows\system32\drivers\HPZid412.sys
2009-04-07 00:20 267,864 a------- c:\windows\system32\hpzids01.dll
2009-04-07 00:20 958,464 a------- c:\windows\system32\hpotiop4.dll
2009-04-07 00:20 364,544 a------- c:\windows\system32\hppldcoi.dll
2009-04-07 00:20 309,760 a------- c:\windows\system32\difxapi.dll
2009-04-07 00:20 303,104 a------- c:\windows\system32\hpovst11.dll
2009-04-07 00:20 675,840 a------- c:\windows\system32\hpowiax4.dll
2009-04-07 00:20 <DIR> --d----- c:\program files\HP
2009-04-07 00:17 139,670 a------- c:\windows\hpoins15.dat
2009-04-07 00:17 1,039 -------- c:\windows\hpomdl15.dat
2009-04-07 00:16 505,214 a------- c:\windows\system32\autorun.inf
2009-04-06 23:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\WEBREG
2009-04-06 23:41 <DIR> --d----- c:\program files\common files\HP
2009-04-06 23:40 <DIR> --d----- c:\program files\common files\Hewlett-Packard

==================== Find3M ====================

2009-04-29 00:43 52,224 a--sh--- c:\windows\system32\gereviba.exe
2009-04-21 15:07 15,688 a------- c:\windows\system32\lsdelete.exe
2009-04-21 15:06 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-04-01 22:07 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 08:22 284,160 a------- c:\windows\system32\pdh.dll
2009-02-27 08:07 86,811 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-16 00:10 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-02-09 06:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 06:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 06:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 06:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 05:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 05:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 05:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 04:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 04:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-03 13:59 56,832 a------- c:\windows\system32\secur32.dll

============= FINISH: 23:02:19.81 ===============
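As an added example (not from the thread, the poster, or the DDS tool), the following Python script applies the patterns visible in the Pseudo HJT Report above to the log's own lines: a non-empty AppInit_DLLs value, an LSA notification package beyond scecli, autostarts that launch .tmp files or executables out of the user profile, shell/browser objects with jumbled names or outside a short allowlist, and user lockout policies. The allowlist, the lockout-policy list and the jumbled-name regex are assumptions, not definitive rules.

```python
"""Triage rules for DDS 'Pseudo HJT Report' lines (added example, not part of
the thread or of the DDS tool). The allowlist, the lockout-policy list and the
jumbled-name regex are assumptions drawn from what the log above shows."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Lines copied from the DDS log above; ctfmon, ZoneAlarm, KernelFaultCheck and
# WPDShServiceObj are benign entries from the same log, kept as controls.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [prnet] "c:\windows\system32\prnet.tmp"
uRun: [autochk] rundll32.exe c:\docume~1\morgaine\protect.dll,_IWMPEvents@16
uRun: [Diagnostic Manager] c:\docume~1\morgaine\locals~1\temp\1823395667.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
BHO: c:\windows\system32\yhs783ijfo3fe.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\yhs783ijfo3fe.dll
AppInit_DLLs: c:\windows\system32\vidimofu.dll c:\windows\system32\dojubapu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dojubapu.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\dojubapu.dll
LSA: Notification Packages = scecli c:\windows\system32\vidimofu.dll
uPolicies-system: DisableRegistryTools = 1 (0x1)
"""


@dataclass
class Finding:
    line: str
    reason: str


# DDS prefixes for autostarts: HKCU (u), HKLM (m), .DEFAULT (d) Run/RunOnce keys, Startup folders.
AUTORUN_KEYS = {"uRun:", "mRun:", "dRun:", "uRunOnce:", "mRunOnce:", "dRunOnce:", "StartupFolder:"}
# Shell service objects expected on a stock XP install (assumed allowlist, deliberately short).
KNOWN_SSODL = {"wpdshserviceobj", "postbootreminder", "cdburn", "webcheck", "systray"}
# Policy values that lock the user out of the tools used to inspect the machine (assumed list).
LOCKOUT_POLICIES = {"disableregistrytools", "nofolderoptions", "disabletaskmgr", "disablecmd"}
# Executables living in a profile or temp directory instead of an install directory.
USER_AREA = re.compile(r"docume~1|documents and settings|\\temp\\|\\local settings\\", re.I)
# Letters and digits jumbled into one DLL name, as in yhs783ijfo3fe.dll above (heuristic).
JUMBLED_DLL = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{8,}\.dll$", re.I)


def basename(path: str) -> str:
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def last_path(value: str) -> str:
    """DDS writes 'name - {clsid} - path'; the path is the last ' - ' field."""
    return value.rsplit(" - ", 1)[-1]


def check_line(line: str) -> Optional[Finding]:
    """Single-line rules; returns None when nothing about the entry looks wrong."""
    text = line.strip()
    if not text:
        return None
    key, _, value = text.partition(" ")
    low = value.lower()
    if key == "AppInit_DLLs:" and low.strip():
        return Finding(text, "AppInit_DLLs is empty on a clean XP box; listed DLLs load into every user32 process")
    if key == "LSA:" and "notification packages" in low:
        extra = [p for p in value.split("=", 1)[1].split() if p.lower() != "scecli"]
        if extra:
            return Finding(text, f"LSA notification package(s) beyond scecli load into lsass.exe at boot: {extra}")
    if key in AUTORUN_KEYS:
        if low.rstrip('"').endswith(".tmp"):
            return Finding(text, "autostart launches a .tmp file")
        if "rundll32" in low and "_iwmpevents@16" in low:
            return Finding(text, "rundll32 loads a DLL via _IWMPEvents@16, the export used by protect.dll/autochk.dll in this log")
        if USER_AREA.search(low):
            return Finding(text, "autostart target lives in a profile/temp directory, not an install directory")
    if key in {"BHO:", "STS:", "SSODL:"} and JUMBLED_DLL.match(basename(last_path(value))):
        return Finding(text, "shell/browser extension DLL has a jumbled letters-and-digits name")
    if key == "SSODL:" and value.split(" - ", 1)[0].strip().lower() not in KNOWN_SSODL:
        return Finding(text, "shell service object not in the allowlist of stock XP entries")
    if key.endswith("Policies-explorer:") or key.endswith("Policies-system:"):
        setting, _, rest = value.partition("=")
        if setting.strip().lower() in LOCKOUT_POLICIES and rest.strip().startswith("1"):
            return Finding(text, f"user lockout policy {setting.strip()} is set")
    return None


def triage(log_text: str) -> List[Finding]:
    """Run the per-line rules, then cross-reference: any other loading point naming
    a DLL that is also registered in AppInit_DLLs is flagged even if it passed alone."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    injected = set()
    for l in lines:
        key, _, value = l.strip().partition(" ")
        if key == "AppInit_DLLs:":
            injected.update(basename(p) for p in value.split())
    findings: List[Finding] = []
    for l in lines:
        f = check_line(l)
        if f is None:
            key, _, value = l.strip().partition(" ")
            name = basename(last_path(value))
            if key != "AppInit_DLLs:" and name in injected:
                f = Finding(l.strip(), f"references {name}, which is also registered in AppInit_DLLs")
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.reason}\n    {finding.line}")
```

The cross-reference pass is what ties vidimofu.dll and dojubapu.dll together across AppInit_DLLs, SSODL, STS and the LSA package line, which is the strongest sign in this log that one infection owns several loading points.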


#2 fenzodahl512

  • Members
  • 6,738 posts

Posted 02 May 2009 - 11:39 AM

Uninstall Spybot S&D and then do the following...



Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. Please visit HERE if you don't know how. Please re-enable them after performing all the steps given.

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.
Link 1
Link 2
Link 3
Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so; it is in your best interest.

When finished, it will produce a log for you. Post that log and a fresh HijackThis log in your next reply.

Note: DON'T do anything with your computer while ComboFix is running. Let ComboFix finish its job.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 ein
  • Topic Starter

  • Members
  • 6 posts

Posted 02 May 2009 - 06:59 PM

I've attached copies of both logs for convenience's sake. Thanks for helping!


ComboFix log

ComboFix 09-05-02.4 - Morgaine 05/02/2009 17:51.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1532 [GMT -6:00]
Running from: c:\documents and settings\Morgaine\Desktop\ComboFix.exe
AV: eTrust ITM *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *disabled*
.

((((((((((((((((((((((((( Files Created from 2009-04-02 to 2009-05-02 )))))))))))))))))))))))))))))))
.

2009-05-02 03:43 . 2009-05-02 03:43 -------- d-----w c:\documents and settings\Morgaine\Application Data\WinPatrol
2009-05-02 03:43 . 2009-05-02 03:43 -------- d-----w c:\program files\BillP Studios
2009-04-29 09:18 . 2009-04-29 09:18 -------- d-----w c:\documents and settings\All Users\Application Data\CA
2009-04-16 02:48 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 02:48 . 2009-02-06 10:39 35328 -c----w c:\windows\system32\dllcache\sc.exe
2009-04-16 02:48 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 02:48 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 02:48 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 02:48 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 02:48 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 02:48 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 02:48 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 02:48 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-07 20:57 . 2009-04-07 20:57 -------- d-----w c:\documents and settings\Morgaine\Application Data\HP
2009-04-07 06:22 . 2009-04-07 06:22 -------- d-----w c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-04-07 06:21 . 2007-03-28 20:01 118272 ----a-w c:\windows\system32\hpz3l5ha.dll
2009-04-07 06:20 . 2007-03-08 19:20 21568 ----a-w c:\windows\system32\drivers\HPZius12.sys
2009-04-07 06:20 . 2007-03-08 19:20 16496 ----a-w c:\windows\system32\drivers\HPZipr12.sys
2009-04-07 06:20 . 2007-03-08 19:20 49920 ----a-w c:\windows\system32\drivers\HPZid412.sys
2009-04-07 06:20 . 2007-03-31 05:29 267864 ----a-w c:\windows\system32\hpzids01.dll
2009-04-07 06:20 . 2007-03-17 20:39 958464 ----a-w c:\windows\system32\hpotiop4.dll
2009-04-07 06:20 . 2007-03-17 20:39 303104 ----a-w c:\windows\system32\hpovst11.dll
2009-04-07 06:20 . 2007-03-08 19:20 364544 ----a-w c:\windows\system32\hppldcoi.dll
2009-04-07 06:20 . 2007-03-08 19:20 309760 ----a-w c:\windows\system32\difxapi.dll
2009-04-07 06:20 . 2007-03-17 20:39 675840 ----a-w c:\windows\system32\hpowiax4.dll
2009-04-07 06:20 . 2009-04-07 05:44 -------- d-----w c:\program files\HP
2009-04-07 06:17 . 2009-04-07 05:46 139670 ----a-w c:\windows\hpoins15.dat
2009-04-07 06:17 . 2007-09-21 12:46 1039 ------w c:\windows\hpomdl15.dat
2009-04-07 05:47 . 2009-04-07 05:47 -------- d-----w c:\documents and settings\All Users\Application Data\WEBREG
2009-04-07 05:44 . 2009-04-07 05:44 -------- d-----w c:\documents and settings\All Users\Application Data\HPSSUPPLY
2009-04-07 05:41 . 2009-04-07 05:41 -------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-04-07 05:41 . 2009-04-07 05:42 -------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-04-07 05:41 . 2009-04-07 05:41 -------- d-----w c:\program files\Common Files\HP
2009-04-07 05:40 . 2009-04-07 05:40 -------- d-----w c:\program files\Hewlett-Packard
2009-04-07 05:40 . 2009-04-07 05:40 -------- d-----w c:\program files\Common Files\Hewlett-Packard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 23:50 . 2006-03-16 01:20 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-02 23:44 . 2009-02-28 08:34 -------- d-----w c:\program files\Lavasoft
2009-05-02 23:42 . 2009-02-28 08:22 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-02 08:09 . 2009-05-02 08:10 2107904 ----a-w c:\windows\Internet Logs\xDB5.tmp
2009-05-02 07:38 . 2009-02-28 08:39 472 ----a-w c:\windows\Tasks\Ad-Aware Update (Weekly).job
2009-04-30 04:22 . 2009-02-27 12:52 -------- d-----w c:\program files\Trend Micro
2009-04-28 19:41 . 2009-04-28 19:43 2046976 ----a-w c:\windows\Internet Logs\xDB4.tmp
2009-04-28 04:42 . 2009-04-07 20:58 2102165 ----a-w c:\windows\Internet Logs\tvDebug.Zip
2009-04-24 06:49 . 2009-04-24 06:51 2043392 ----a-w c:\windows\Internet Logs\xDB3.tmp
2009-04-02 04:08 . 2009-04-03 20:12 2487808 ----a-w c:\windows\Internet Logs\xDB2.tmp
2009-04-02 04:07 . 2009-02-27 14:09 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-04-02 03:00 . 2009-03-02 17:37 -------- d-----w c:\program files\eclipse
2009-04-02 01:43 . 2006-03-16 03:45 -------- d-----w c:\program files\Java
2009-03-28 06:00 . 2009-03-28 06:00 -------- d-----w c:\program files\Any Video Converter
2009-03-24 07:52 . 2009-03-12 07:04 -------- d-----w c:\program files\Aspell
2009-03-19 09:04 . 2009-03-06 19:58 -------- d-----w c:\program files\EPSON
2009-03-15 06:33 . 2009-03-15 06:32 -------- d-----w c:\program files\iTunes
2009-03-15 06:32 . 2009-03-15 06:32 -------- d-----w c:\program files\iPod
2009-03-15 06:32 . 2009-03-15 06:28 -------- d-----w c:\program files\Common Files\Apple
2009-03-15 06:31 . 2009-03-15 06:31 -------- d-----w c:\program files\Bonjour
2009-03-15 06:31 . 2009-03-15 06:30 -------- d-----w c:\program files\QuickTime
2009-03-15 06:29 . 2009-03-15 06:29 -------- d-----w c:\program files\Apple Software Update
2009-03-12 17:43 . 2009-03-12 17:45 1676800 ----a-w c:\windows\Internet Logs\xDB1.tmp
2009-03-11 23:09 . 2009-03-11 23:08 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-11 23:08 . 2009-03-11 23:07 -------- d-----w c:\program files\LeapFrog
2009-03-10 23:43 . 2009-02-27 13:04 -------- d-----w c:\program files\Quicken
2009-03-10 19:29 . 2009-02-28 08:45 -------- d-----w c:\program files\uTorrent
2009-03-09 11:19 . 2009-03-02 17:11 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-09 00:40 . 2009-02-27 13:13 -------- d-----w c:\program files\Opera
2009-03-07 05:38 . 2009-03-05 10:57 -------- d-----w c:\program files\Windows Media Connect 2
2009-03-06 20:14 . 2009-03-06 19:48 -------- d-----w c:\program files\OverDrive Media Console
2009-03-06 14:22 . 2006-03-15 23:55 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 10:54 . 2006-03-16 03:46 -------- d-----w c:\program files\Windows Media Connect
2009-03-05 10:36 . 2009-03-05 10:36 137 ----a-w c:\documents and settings\NetworkService\Local Settings\Application Data\fusioncache.dat
2009-03-05 10:35 . 2009-03-01 08:20 126 ----a-w c:\documents and settings\mom\Local Settings\Application Data\fusioncache.dat
2009-02-28 08:47 . 2009-02-28 08:47 0 ----a-w c:\windows\nsreg.dat
2009-02-28 08:27 . 2006-03-16 20:29 42032 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-27 14:07 . 2006-03-16 01:14 86811 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-02-27 13:25 . 2009-02-27 13:25 4 ----a-w c:\windows\Pix11.dat
2009-02-16 06:10 . 2009-02-27 14:09 1221512 ----a-w c:\windows\system32\zpeng25.dll
2009-02-09 12:10 . 2006-03-15 23:55 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2006-03-15 23:56 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2006-03-15 23:55 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2006-03-15 23:55 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2006-03-15 23:56 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2006-03-15 23:56 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2006-03-15 23:55 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2006-03-15 23:56 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2006-03-15 23:56 56832 ----a-w c:\windows\system32\secur32.dll
2009-03-06 19:27 . 2009-02-28 08:46 67688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-03-06 19:27 . 2009-02-28 08:46 54368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-03-06 19:27 . 2009-02-28 08:46 34944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-03-06 19:27 . 2009-02-28 08:46 46712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-03-06 19:27 . 2009-02-28 08:46 172136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-02_23.15.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-02 23:50 . 2009-05-02 23:50 16384 c:\windows\Temp\Perflib_Perfdata_9b8.dat
+ 2009-05-02 23:50 . 2009-05-02 23:50 16384 c:\windows\Temp\Perflib_Perfdata_90c.dat
+ 2006-03-16 01:19 . 2009-05-02 23:50 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-03-16 01:19 . 2009-05-02 23:14 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-03-16 01:19 . 2009-05-02 23:50 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-03-16 01:19 . 2009-05-02 23:14 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-03-16 01:19 . 2009-05-02 23:50 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-03-16 01:19 . 2009-05-02 23:14 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-17 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-17 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-17 118784]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-18 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-12-14 217088]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-12 151552]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-07 7557120]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2005-11-24 167936]
"VAIOSurvey"="c:\program files\sony\vaio survey\surveysa.exe" [2005-06-13 258048]
"VAIOCameraUtility"="c:\program files\Sony\VAIO Camera Utility\VCUServe.exe" [2005-12-01 69632]
"PartSeal"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"Realtime Monitor"="c:\program files\CA\eTrustITM\realmon.exe" [2007-01-17 407632]
"EPSON Stylus CX5800F Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE" [2006-12-20 177664]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-02-05 356352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-04-20 337216]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX5800F Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE" [2006-12-20 177664]
"EPSON Stylus CX5800F Series (Copy 2)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE" [2006-12-20 177664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-10-11 1724416]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-21 01:42 73728 ----a-w c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CA\\eTrustITM\\InoRpc.exe"=
"c:\\Program Files\\CA\\eTrustITM\\Realmon.exe"=
"c:\\Program Files\\CA\\eTrustITM\\Shellscn.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Lbd;Lbd; [x]
R3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE [2002-12-18 311872]
S2 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe [2009-02-05 991232]
S2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe [2002-12-18 7520337]
S3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\DRIVERS\SonyImgF.sys [2005-12-27 29184]
S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-02-22 226304]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a30e6c60-056f-11de-9f6c-0013a908f4a4}]
\Shell\AutoRun\command - "E:\Install FreeAgent Tools.exe" /run

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://metroconnect.mscd.edu/cp/home/loginf
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
FF - ProfilePath - c:\documents and settings\Morgaine\Application Data\Mozilla\Firefox\Profiles\i0ulny20.default\
FF - prefs.js: browser.startup.homepage - msn.com
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-02 17:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\ovfsthyegspyprqlxhyudjwmatnbbniqjivecm.sys 83968 bytes executable
c:\docume~1\Morgaine\LOCALS~1\Temp\ovfsthfkotbnimvw.tmp 133632 bytes executable
c:\docume~1\Morgaine\LOCALS~1\Temp\ovfsthqbftewivrc.tmp 107520 bytes executable
c:\docume~1\Morgaine\LOCALS~1\Temp\OVFSTHVPUXOUQDRT.TMP.0.AVB 343040 bytes executable
c:\docume~1\Morgaine\LOCALS~1\Temp\ovfsthx000 0 bytes
c:\windows\system32\ovfsthdmjbglxepmhhakgjcxrqperrvdfiqqsc.dll 60928 bytes executable
c:\windows\system32\ovfsthdoclvcqvymxgadasycsvlrhrxbpnkryk.dll 18944 bytes executable
c:\windows\system32\ovfsthewopwgesawderjlvwhpkrexugelatvtc.dat 50379 bytes
c:\windows\system32\ovfsthftjtakrpchvvneldrqxyexupknomnlty.dll 18432 bytes executable
c:\windows\system32\ovfsthppurmdnjirlahkdmmixewbafklllcrht.dat 43 bytes

scan completed successfully
hidden files: 10

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1196)
c:\windows\system32\VESWinlogon.dll
.
Completion time: 2009-05-02 17:55
ComboFix-quarantined-files.txt 2009-05-02 23:54
ComboFix2.txt 2009-05-02 23:31
ComboFix3.txt 2009-05-02 23:21

Pre-Run: 43,640,143,872 bytes free
Post-Run: 43,634,651,136 bytes free

233 --- E O F --- 2009-05-02 23:19


HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:56:35 PM, on 5/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://metroconnect.mscd.edu/cp/home/loginf
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [VAIOSurvey] c:\program files\sony\vaio survey\surveysa.exe
O4 - HKLM\..\Run: [VAIOCameraUtility] "C:\Program Files\Sony\VAIO Camera Utility\VCUServe.exe"
O4 - HKLM\..\Run: [PartSeal] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s
O4 - HKLM\..\Run: [EPSON Stylus CX5800F Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /P27 "EPSON Stylus CX5800F Series" /O6 "USB001" /M "Stylus CX5800F"
O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [EPSON Stylus CX5800F Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /FU "C:\WINDOWS\TEMP\E_S4EC.tmp" /EF "HKCU" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [EPSON Stylus CX5800F Series (Copy 2)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /FU "C:\WINDOWS\TEMP\E_S4EF.tmp" /EF "HKCU" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [EPSON Stylus CX5800F Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /FU "C:\WINDOWS\TEMP\E_S4EC.tmp" /EF "HKCU" (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O16 - DPF: {E6BB2089-163F-466B-812A-748096614DFD} (CAScanner Control) - http://cainternetsecurity.net/scanner/cascanner.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iTechnology iGateway 4.2 (iGateway) - CA, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Service (InoRT) - CA - C:\Program Files\CA\eTrustITM\InoRT.exe
O23 - Service: eTrust ITM Job Service (InoTask) - CA - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LeapFrog Connect Device Service - Unknown owner - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

--
End of file - 11186 bytes




#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:11:51 AM

Posted 02 May 2009 - 07:50 PM

I see you ran ComboFix three times in a row.. Don't do that again.. I asked you to run ComboFix only once.. If anything happens because you ran something else that I didn't request, I won't be responsible..

Find C:\combofix2.txt and C:\combofix3.txt and post the logs here.

Edited by fenzodahl512, 02 May 2009 - 07:51 PM.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 ein

ein
  • Topic Starter

  • Members
  • 6 posts
  • Local time:09:51 PM

Posted 02 May 2009 - 08:58 PM

Sorry about that. I realized that I didn't uninstall Spybot so I rescanned. I haven't slept in a while (finals).
I will be more careful in the future...

ComboFix 2

ComboFix 09-05-02.4 - Morgaine 05/02/2009 17:26.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1481 [GMT -6:00]
Running from: c:\documents and settings\Morgaine\Desktop\ComboFix.exe
AV: eTrust ITM *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *disabled*
.

((((((((((((((((((((((((( Files Created from 2009-04-02 to 2009-05-02 )))))))))))))))))))))))))))))))
.

2009-05-02 03:43 . 2009-05-02 03:43 -------- d-----w c:\documents and settings\Morgaine\Application Data\WinPatrol
2009-05-02 03:43 . 2009-05-02 03:43 -------- d-----w c:\program files\BillP Studios
2009-04-29 09:18 . 2009-04-29 09:18 -------- d-----w c:\documents and settings\All Users\Application Data\CA
2009-04-16 02:48 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 02:48 . 2009-02-06 10:39 35328 -c----w c:\windows\system32\dllcache\sc.exe
2009-04-16 02:48 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 02:48 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 02:48 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 02:48 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 02:48 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 02:48 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 02:48 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 02:48 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-07 20:57 . 2009-04-07 20:57 -------- d-----w c:\documents and settings\Morgaine\Application Data\HP
2009-04-07 06:22 . 2009-04-07 06:22 -------- d-----w c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-04-07 06:21 . 2007-03-28 20:01 118272 ----a-w c:\windows\system32\hpz3l5ha.dll
2009-04-07 06:20 . 2007-03-08 19:20 21568 ----a-w c:\windows\system32\drivers\HPZius12.sys
2009-04-07 06:20 . 2007-03-08 19:20 16496 ----a-w c:\windows\system32\drivers\HPZipr12.sys
2009-04-07 06:20 . 2007-03-08 19:20 49920 ----a-w c:\windows\system32\drivers\HPZid412.sys
2009-04-07 06:20 . 2007-03-31 05:29 267864 ----a-w c:\windows\system32\hpzids01.dll
2009-04-07 06:20 . 2007-03-17 20:39 958464 ----a-w c:\windows\system32\hpotiop4.dll
2009-04-07 06:20 . 2007-03-17 20:39 303104 ----a-w c:\windows\system32\hpovst11.dll
2009-04-07 06:20 . 2007-03-08 19:20 364544 ----a-w c:\windows\system32\hppldcoi.dll
2009-04-07 06:20 . 2007-03-08 19:20 309760 ----a-w c:\windows\system32\difxapi.dll
2009-04-07 06:20 . 2007-03-17 20:39 675840 ----a-w c:\windows\system32\hpowiax4.dll
2009-04-07 06:20 . 2009-04-07 05:44 -------- d-----w c:\program files\HP
2009-04-07 06:17 . 2009-04-07 05:46 139670 ----a-w c:\windows\hpoins15.dat
2009-04-07 06:17 . 2007-09-21 12:46 1039 ------w c:\windows\hpomdl15.dat
2009-04-07 05:47 . 2009-04-07 05:47 -------- d-----w c:\documents and settings\All Users\Application Data\WEBREG
2009-04-07 05:44 . 2009-04-07 05:44 -------- d-----w c:\documents and settings\All Users\Application Data\HPSSUPPLY
2009-04-07 05:41 . 2009-04-07 05:41 -------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-04-07 05:41 . 2009-04-07 05:42 -------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-04-07 05:41 . 2009-04-07 05:41 -------- d-----w c:\program files\Common Files\HP
2009-04-07 05:40 . 2009-04-07 05:40 -------- d-----w c:\program files\Hewlett-Packard
2009-04-07 05:40 . 2009-04-07 05:40 -------- d-----w c:\program files\Common Files\Hewlett-Packard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 23:26 . 2006-03-16 01:20 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-02 08:09 . 2009-05-02 08:10 2107904 ----a-w c:\windows\Internet Logs\xDB5.tmp
2009-05-02 07:38 . 2009-02-28 08:39 472 ----a-w c:\windows\Tasks\Ad-Aware Update (Weekly).job
2009-04-30 04:22 . 2009-02-27 12:52 -------- d-----w c:\program files\Trend Micro
2009-04-28 19:41 . 2009-04-28 19:43 2046976 ----a-w c:\windows\Internet Logs\xDB4.tmp
2009-04-28 05:31 . 2009-02-28 08:31 -------- d-----w c:\program files\SpywareBlaster
2009-04-28 04:42 . 2009-04-07 20:58 2102165 ----a-w c:\windows\Internet Logs\tvDebug.Zip
2009-04-24 06:49 . 2009-04-24 06:51 2043392 ----a-w c:\windows\Internet Logs\xDB3.tmp
2009-04-21 21:07 . 2009-03-05 09:36 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-21 21:06 . 2009-02-28 08:39 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-02 04:08 . 2009-04-03 20:12 2487808 ----a-w c:\windows\Internet Logs\xDB2.tmp
2009-04-02 04:07 . 2009-02-27 14:09 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-04-02 03:00 . 2009-03-02 17:37 -------- d-----w c:\program files\eclipse
2009-04-02 01:43 . 2006-03-16 03:45 -------- d-----w c:\program files\Java
2009-03-28 06:00 . 2009-03-28 06:00 -------- d-----w c:\program files\Any Video Converter
2009-03-24 07:52 . 2009-03-12 07:04 -------- d-----w c:\program files\Aspell
2009-03-19 09:04 . 2009-03-06 19:58 -------- d-----w c:\program files\EPSON
2009-03-15 06:33 . 2009-03-15 06:32 -------- d-----w c:\program files\iTunes
2009-03-15 06:32 . 2009-03-15 06:32 -------- d-----w c:\program files\iPod
2009-03-15 06:32 . 2009-03-15 06:28 -------- d-----w c:\program files\Common Files\Apple
2009-03-15 06:31 . 2009-03-15 06:31 -------- d-----w c:\program files\Bonjour
2009-03-15 06:31 . 2009-03-15 06:30 -------- d-----w c:\program files\QuickTime
2009-03-15 06:29 . 2009-03-15 06:29 -------- d-----w c:\program files\Apple Software Update
2009-03-13 09:07 . 2009-03-10 09:16 -------- d-----w c:\program files\Vidalia Bundle
2009-03-12 17:43 . 2009-03-12 17:45 1676800 ----a-w c:\windows\Internet Logs\xDB1.tmp
2009-03-12 03:59 . 2009-02-28 08:22 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-11 23:09 . 2009-03-11 23:08 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-11 23:08 . 2009-03-11 23:07 -------- d-----w c:\program files\LeapFrog
2009-03-10 23:43 . 2009-02-27 13:04 -------- d-----w c:\program files\Quicken
2009-03-10 19:29 . 2009-02-28 08:45 -------- d-----w c:\program files\uTorrent
2009-03-09 11:19 . 2009-03-02 17:11 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-09 00:40 . 2009-02-27 13:13 -------- d-----w c:\program files\Opera
2009-03-07 05:38 . 2009-03-05 10:57 -------- d-----w c:\program files\Windows Media Connect 2
2009-03-06 20:14 . 2009-03-06 19:48 -------- d-----w c:\program files\OverDrive Media Console
2009-03-06 14:22 . 2006-03-15 23:55 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 10:54 . 2006-03-16 03:46 -------- d-----w c:\program files\Windows Media Connect
2009-03-05 10:36 . 2009-03-05 10:36 137 ----a-w c:\documents and settings\NetworkService\Local Settings\Application Data\fusioncache.dat
2009-03-05 10:35 . 2009-03-01 08:20 126 ----a-w c:\documents and settings\mom\Local Settings\Application Data\fusioncache.dat
2009-02-28 08:47 . 2009-02-28 08:47 0 ----a-w c:\windows\nsreg.dat
2009-02-28 08:27 . 2006-03-16 20:29 42032 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-27 14:07 . 2006-03-16 01:14 86811 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-02-27 13:25 . 2009-02-27 13:25 4 ----a-w c:\windows\Pix11.dat
2009-02-16 06:10 . 2009-02-27 14:09 1221512 ----a-w c:\windows\system32\zpeng25.dll
2009-02-09 12:10 . 2006-03-15 23:55 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2006-03-15 23:56 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2006-03-15 23:55 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2006-03-15 23:55 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2006-03-15 23:56 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2006-03-15 23:56 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2006-03-15 23:55 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2006-03-15 23:56 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2006-03-15 23:56 56832 ----a-w c:\windows\system32\secur32.dll
2009-03-06 19:27 . 2009-02-28 08:46 67688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-03-06 19:27 . 2009-02-28 08:46 54368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-03-06 19:27 . 2009-02-28 08:46 34944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-03-06 19:27 . 2009-02-28 08:46 46712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-03-06 19:27 . 2009-02-28 08:46 172136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-02_23.15.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-02 23:25 . 2009-05-02 23:25 16384 c:\windows\Temp\Perflib_Perfdata_a14.dat
+ 2009-05-02 23:25 . 2009-05-02 23:25 16384 c:\windows\Temp\Perflib_Perfdata_9a4.dat
+ 2006-03-16 01:19 . 2009-05-02 23:25 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-03-16 01:19 . 2009-05-02 23:14 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-03-16 01:19 . 2009-05-02 23:25 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-03-16 01:19 . 2009-05-02 23:14 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-03-16 01:19 . 2009-05-02 23:25 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-03-16 01:19 . 2009-05-02 23:14 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-17 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-17 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-17 118784]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-18 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-12-14 217088]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-12 151552]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-07 7557120]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2005-11-24 167936]
"VAIOSurvey"="c:\program files\sony\vaio survey\surveysa.exe" [2005-06-13 258048]
"VAIOCameraUtility"="c:\program files\Sony\VAIO Camera Utility\VCUServe.exe" [2005-12-01 69632]
"PartSeal"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"Realtime Monitor"="c:\program files\CA\eTrustITM\realmon.exe" [2007-01-17 407632]
"EPSON Stylus CX5800F Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE" [2006-12-20 177664]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-21 516440]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-02-05 356352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-04-20 337216]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX5800F Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE" [2006-12-20 177664]
"EPSON Stylus CX5800F Series (Copy 2)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE" [2006-12-20 177664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-10-11 1724416]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-21 01:42 73728 ----a-w c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CA\\eTrustITM\\InoRpc.exe"=
"c:\\Program Files\\CA\\eTrustITM\\Realmon.exe"=
"c:\\Program Files\\CA\\eTrustITM\\Shellscn.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Vidalia Bundle\\Tor\\tor.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE [2002-12-18 311872]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-04-21 64160]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-04-21 953168]
S2 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe [2009-02-05 991232]
S2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe [2002-12-18 7520337]
S3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\DRIVERS\SonyImgF.sys [2005-12-27 29184]
S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-02-22 226304]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a30e6c60-056f-11de-9f6c-0013a908f4a4}]
\Shell\AutoRun\command - "E:\Install FreeAgent Tools.exe" /run

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 21:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://metroconnect.mscd.edu/cp/home/loginf
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
FF - ProfilePath - c:\documents and settings\Morgaine\Application Data\Mozilla\Firefox\Profiles\i0ulny20.default\
FF - prefs.js: browser.startup.homepage - msn.com
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-02 17:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\ovfsthyegspyprqlxhyudjwmatnbbniqjivecm.sys 83968 bytes executable
c:\docume~1\Morgaine\LOCALS~1\Temp\ovfsthfkotbnimvw.tmp 133632 bytes executable
c:\docume~1\Morgaine\LOCALS~1\Temp\ovfsthqbftewivrc.tmp 107520 bytes executable
c:\docume~1\Morgaine\LOCALS~1\Temp\OVFSTHVPUXOUQDRT.TMP.0.AVB 343040 bytes executable
c:\docume~1\Morgaine\LOCALS~1\Temp\ovfsthx000 0 bytes
c:\windows\system32\ovfsthdmjbglxepmhhakgjcxrqperrvdfiqqsc.dll 60928 bytes executable
c:\windows\system32\ovfsthdoclvcqvymxgadasycsvlrhrxbpnkryk.dll 18944 bytes executable
c:\windows\system32\ovfsthewopwgesawderjlvwhpkrexugelatvtc.dat 47115 bytes
c:\windows\system32\ovfsthftjtakrpchvvneldrqxyexupknomnlty.dll 18432 bytes executable
c:\windows\system32\ovfsthppurmdnjirlahkdmmixewbafklllcrht.dat 43 bytes

scan completed successfully
hidden files: 10

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1208)
c:\windows\system32\VESWinlogon.dll
.
Completion time: 2009-05-02 17:31
ComboFix-quarantined-files.txt 2009-05-02 23:30
ComboFix2.txt 2009-05-02 23:21

Pre-Run: 43,339,177,984 bytes free
Post-Run: 43,333,578,752 bytes free

242 --- E O F --- 2009-05-02 23:19


ComboFix 3

ComboFix 09-05-02.4 - Morgaine 05/02/2009 17:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1468 [GMT -6:00]
Running from: c:\documents and settings\Morgaine\Desktop\ComboFix.exe
AV: eTrust ITM *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\protect.dll
c:\documents and settings\Morgaine\protect.dll
c:\documents and settings\Morgaine\Start Menu\Programs\Startup\ChkDisk.lnk
c:\windows\setup.exe
c:\windows\system32\autochk.dll
c:\windows\system32\AutoRun.inf
c:\windows\system32\gereviba.exe
c:\windows\system32\lmppcsetup.exe
c:\windows\system32\p2hhr.bat
c:\windows\system32\winglsetup.exe

.
((((((((((((((((((((((((( Files Created from 2009-04-02 to 2009-05-02 )))))))))))))))))))))))))))))))
.

2009-05-02 03:43 . 2009-05-02 03:43 -------- d-----w c:\documents and settings\Morgaine\Application Data\WinPatrol
2009-05-02 03:43 . 2009-05-02 03:43 -------- d-----w c:\program files\BillP Studios
2009-04-29 09:18 . 2009-04-29 09:18 -------- d-----w c:\documents and settings\All Users\Application Data\CA
2009-04-16 02:48 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 02:48 . 2009-02-06 10:39 35328 -c----w c:\windows\system32\dllcache\sc.exe
2009-04-16 02:48 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 02:48 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 02:48 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 02:48 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 02:48 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 02:48 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 02:48 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 02:48 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-07 20:57 . 2009-04-07 20:57 -------- d-----w c:\documents and settings\Morgaine\Application Data\HP
2009-04-07 06:22 . 2009-04-07 06:22 -------- d-----w c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-04-07 06:21 . 2007-03-28 20:01 118272 ----a-w c:\windows\system32\hpz3l5ha.dll
2009-04-07 06:20 . 2007-03-08 19:20 21568 ----a-w c:\windows\system32\drivers\HPZius12.sys
2009-04-07 06:20 . 2007-03-08 19:20 16496 ----a-w c:\windows\system32\drivers\HPZipr12.sys
2009-04-07 06:20 . 2007-03-08 19:20 49920 ----a-w c:\windows\system32\drivers\HPZid412.sys
2009-04-07 06:20 . 2007-03-31 05:29 267864 ----a-w c:\windows\system32\hpzids01.dll
2009-04-07 06:20 . 2007-03-17 20:39 958464 ----a-w c:\windows\system32\hpotiop4.dll
2009-04-07 06:20 . 2007-03-17 20:39 303104 ----a-w c:\windows\system32\hpovst11.dll
2009-04-07 06:20 . 2007-03-08 19:20 364544 ----a-w c:\windows\system32\hppldcoi.dll
2009-04-07 06:20 . 2007-03-08 19:20 309760 ----a-w c:\windows\system32\difxapi.dll
2009-04-07 06:20 . 2007-03-17 20:39 675840 ----a-w c:\windows\system32\hpowiax4.dll
2009-04-07 06:20 . 2009-04-07 05:44 -------- d-----w c:\program files\HP
2009-04-07 06:17 . 2009-04-07 05:46 139670 ----a-w c:\windows\hpoins15.dat
2009-04-07 06:17 . 2007-09-21 12:46 1039 ------w c:\windows\hpomdl15.dat
2009-04-07 05:47 . 2009-04-07 05:47 -------- d-----w c:\documents and settings\All Users\Application Data\WEBREG
2009-04-07 05:44 . 2009-04-07 05:44 -------- d-----w c:\documents and settings\All Users\Application Data\HPSSUPPLY
2009-04-07 05:41 . 2009-04-07 05:41 -------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-04-07 05:41 . 2009-04-07 05:42 -------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-04-07 05:41 . 2009-04-07 05:41 -------- d-----w c:\program files\Common Files\HP
2009-04-07 05:40 . 2009-04-07 05:40 -------- d-----w c:\program files\Hewlett-Packard
2009-04-07 05:40 . 2009-04-07 05:40 -------- d-----w c:\program files\Common Files\Hewlett-Packard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 23:14 . 2006-03-16 01:20 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-02 08:09 . 2009-05-02 08:10 2107904 ----a-w c:\windows\Internet Logs\xDB5.tmp
2009-05-02 07:38 . 2009-02-28 08:39 472 ----a-w c:\windows\Tasks\Ad-Aware Update (Weekly).job
2009-04-30 04:22 . 2009-02-27 12:52 -------- d-----w c:\program files\Trend Micro
2009-04-28 19:41 . 2009-04-28 19:43 2046976 ----a-w c:\windows\Internet Logs\xDB4.tmp
2009-04-28 05:31 . 2009-02-28 08:31 -------- d-----w c:\program files\SpywareBlaster
2009-04-28 04:42 . 2009-04-07 20:58 2102165 ----a-w c:\windows\Internet Logs\tvDebug.Zip
2009-04-24 06:49 . 2009-04-24 06:51 2043392 ----a-w c:\windows\Internet Logs\xDB3.tmp
2009-04-21 21:07 . 2009-03-05 09:36 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-21 21:06 . 2009-02-28 08:39 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-02 04:08 . 2009-04-03 20:12 2487808 ----a-w c:\windows\Internet Logs\xDB2.tmp
2009-04-02 04:07 . 2009-02-27 14:09 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-04-02 03:00 . 2009-03-02 17:37 -------- d-----w c:\program files\eclipse
2009-04-02 01:43 . 2006-03-16 03:45 -------- d-----w c:\program files\Java
2009-03-28 06:00 . 2009-03-28 06:00 -------- d-----w c:\program files\Any Video Converter
2009-03-24 07:52 . 2009-03-12 07:04 -------- d-----w c:\program files\Aspell
2009-03-19 09:04 . 2009-03-06 19:58 -------- d-----w c:\program files\EPSON
2009-03-15 06:33 . 2009-03-15 06:32 -------- d-----w c:\program files\iTunes
2009-03-15 06:32 . 2009-03-15 06:32 -------- d-----w c:\program files\iPod
2009-03-15 06:32 . 2009-03-15 06:28 -------- d-----w c:\program files\Common Files\Apple
2009-03-15 06:31 . 2009-03-15 06:31 -------- d-----w c:\program files\Bonjour
2009-03-15 06:31 . 2009-03-15 06:30 -------- d-----w c:\program files\QuickTime
2009-03-15 06:29 . 2009-03-15 06:29 -------- d-----w c:\program files\Apple Software Update
2009-03-13 09:07 . 2009-03-10 09:16 -------- d-----w c:\program files\Vidalia Bundle
2009-03-12 17:43 . 2009-03-12 17:45 1676800 ----a-w c:\windows\Internet Logs\xDB1.tmp
2009-03-12 03:59 . 2009-02-28 08:22 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-11 23:09 . 2009-03-11 23:08 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-11 23:08 . 2009-03-11 23:07 -------- d-----w c:\program files\LeapFrog
2009-03-10 23:43 . 2009-02-27 13:04 -------- d-----w c:\program files\Quicken
2009-03-10 19:29 . 2009-02-28 08:45 -------- d-----w c:\program files\uTorrent
2009-03-09 11:19 . 2009-03-02 17:11 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-09 00:40 . 2009-02-27 13:13 -------- d-----w c:\program files\Opera
2009-03-07 05:38 . 2009-03-05 10:57 -------- d-----w c:\program files\Windows Media Connect 2
2009-03-06 20:14 . 2009-03-06 19:48 -------- d-----w c:\program files\OverDrive Media Console
2009-03-06 14:22 . 2006-03-15 23:55 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 10:54 . 2006-03-16 03:46 -------- d-----w c:\program files\Windows Media Connect
2009-03-05 10:36 . 2009-03-05 10:36 137 ----a-w c:\documents and settings\NetworkService\Local Settings\Application Data\fusioncache.dat
2009-03-05 10:35 . 2009-03-01 08:20 126 ----a-w c:\documents and settings\mom\Local Settings\Application Data\fusioncache.dat
2009-02-28 08:47 . 2009-02-28 08:47 0 ----a-w c:\windows\nsreg.dat
2009-02-28 08:27 . 2006-03-16 20:29 42032 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-27 14:07 . 2006-03-16 01:14 86811 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-02-27 13:25 . 2009-02-27 13:25 4 ----a-w c:\windows\Pix11.dat
2009-02-16 06:10 . 2009-02-27 14:09 1221512 ----a-w c:\windows\system32\zpeng25.dll
2009-02-09 12:10 . 2006-03-15 23:55 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2006-03-15 23:56 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2006-03-15 23:55 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2006-03-15 23:55 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2006-03-15 23:56 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2006-03-15 23:56 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2006-03-15 23:55 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2006-03-15 23:56 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2006-03-15 23:56 56832 ----a-w c:\windows\system32\secur32.dll
2009-03-06 19:27 . 2009-02-28 08:46 67688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-03-06 19:27 . 2009-02-28 08:46 54368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-03-06 19:27 . 2009-02-28 08:46 34944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-03-06 19:27 . 2009-02-28 08:46 46712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-03-06 19:27 . 2009-02-28 08:46 172136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-17 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-17 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-17 118784]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-18 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-12-14 217088]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-12 151552]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-07 7557120]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2005-11-24 167936]
"VAIOSurvey"="c:\program files\sony\vaio survey\surveysa.exe" [2005-06-13 258048]
"VAIOCameraUtility"="c:\program files\Sony\VAIO Camera Utility\VCUServe.exe" [2005-12-01 69632]
"PartSeal"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"Realtime Monitor"="c:\program files\CA\eTrustITM\realmon.exe" [2007-01-17 407632]
"EPSON Stylus CX5800F Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE" [2006-12-20 177664]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-21 516440]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-02-05 356352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-04-20 337216]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX5800F Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE" [2006-12-20 177664]
"EPSON Stylus CX5800F Series (Copy 2)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE" [2006-12-20 177664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-10-11 1724416]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-21 01:42 73728 ----a-w c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CA\\eTrustITM\\InoRpc.exe"=
"c:\\Program Files\\CA\\eTrustITM\\Realmon.exe"=
"c:\\Program Files\\CA\\eTrustITM\\Shellscn.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Vidalia Bundle\\Tor\\tor.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-04-21 953168]
R3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE [2002-12-18 311872]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-04-21 64160]
S2 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe [2009-02-05 991232]
S2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe [2002-12-18 7520337]
S3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\DRIVERS\SonyImgF.sys [2005-12-27 29184]
S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-02-22 226304]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a30e6c60-056f-11de-9f6c-0013a908f4a4}]
\Shell\AutoRun\command - "E:\Install FreeAgent Tools.exe" /run

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 21:05]
.
- - - - ORPHANS REMOVED - - - -

BHO-{B2BA40A2-74F0-42BD-F434-12345A2C8953} - c:\windows\system32\yhs783ijfo3fe.dll
HKCU-Run-MSMSGS - c:\program files\Messenger\msmsgs.exe
HKU-Default-Run-autochk - c:\docume~1\LOCALS~1\protect.dll
SharedTaskScheduler-{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dojubapu.dll
SharedTaskScheduler-{B2BA40A2-74F0-42BD-F434-12345A2C8953} - c:\windows\system32\yhs783ijfo3fe.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://metroconnect.mscd.edu/cp/home/loginf
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
FF - ProfilePath - c:\documents and settings\Morgaine\Application Data\Mozilla\Firefox\Profiles\i0ulny20.default\
FF - prefs.js: browser.startup.homepage - msn.com
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-02 17:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\ovfsthyegspyprqlxhyudjwmatnbbniqjivecm.sys 83968 bytes executable
c:\docume~1\Morgaine\LOCALS~1\Temp\ovfsthfkotbnimvw.tmp 133632 bytes executable
c:\docume~1\Morgaine\LOCALS~1\Temp\ovfsthqbftewivrc.tmp 107520 bytes executable
c:\docume~1\Morgaine\LOCALS~1\Temp\OVFSTHVPUXOUQDRT.TMP.0.AVB 343040 bytes executable
c:\docume~1\Morgaine\LOCALS~1\Temp\ovfsthx000 0 bytes
c:\windows\system32\ovfsthdmjbglxepmhhakgjcxrqperrvdfiqqsc.dll 60928 bytes executable
c:\windows\system32\ovfsthdoclvcqvymxgadasycsvlrhrxbpnkryk.dll 18944 bytes executable
c:\windows\system32\ovfsthewopwgesawderjlvwhpkrexugelatvtc.dat 45483 bytes
c:\windows\system32\ovfsthftjtakrpchvvneldrqxyexupknomnlty.dll 18432 bytes executable
c:\windows\system32\ovfsthppurmdnjirlahkdmmixewbafklllcrht.dat 43 bytes

scan completed successfully
hidden files: 10

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1208)
c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'explorer.exe'(864)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\progra~1\MICROS~4\OFFICE11\MCPS.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehSched.exe
c:\program files\CA\SharedComponents\iTechnology\igateway.exe
c:\program files\CA\eTrustITM\InoRPC.exe
c:\program files\CA\eTrustITM\InoRT.exe
c:\program files\CA\eTrustITM\InoTask.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-05-02 17:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-02 23:21

Pre-Run: 43,338,698,752 bytes free
Post-Run: 43,325,714,432 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

296 --- E O F --- 2009-05-02 23:19




#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:11:51 AM

Posted 02 May 2009 - 09:12 PM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Rootkit::
c:\windows\system32\drivers\ovfsthyegspyprqlxhyudjwmatnbbniqjivecm.sys
c:\docume~1\Morgaine\LOCALS~1\Temp\ovfsthfkotbnimvw.tmp
c:\docume~1\Morgaine\LOCALS~1\Temp\ovfsthqbftewivrc.tmp
c:\docume~1\Morgaine\LOCALS~1\Temp\OVFSTHVPUXOUQDRT.TMP.0.AVB
c:\docume~1\Morgaine\LOCALS~1\Temp\ovfsthx000
c:\windows\system32\ovfsthdmjbglxepmhhakgjcxrqperrvdfiqqsc.dll
c:\windows\system32\ovfsthdoclvcqvymxgadasycsvlrhrxbpnkryk.dll
c:\windows\system32\ovfsthewopwgesawderjlvwhpkrexugelatvtc.dat
c:\windows\system32\ovfsthftjtakrpchvvneldrqxyexupknomnlty.dll
c:\windows\system32\ovfsthppurmdnjirlahkdmmixewbafklllcrht.dat

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
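The reply above builds the Rootkit:: section of the CFScript by hand from the catchme block in the posted log. The script below is an added example for this thread, not part of ComboFix, catchme or the helper's own procedure: it parses the "scanning hidden files" block of a catchme report, measures the filename prefix the hidden files share, compares the two catchme runs posted earlier in the thread (17:15 and 17:29), and emits a Rootkit:: section in the same layout as the reply. The line format `<path> <size> bytes [executable]` is inferred from the posted output; the sample input is the page's own catchme lines, and `SCAN_LATE` is derived from `SCAN_EARLY` because the two runs differ only in the size of the `.dat` file.

```python
"""Triage helper for catchme 'hidden files' output.

Added example for this thread; it is not part of catchme, ComboFix or the
helper's procedure. It parses the hidden-file block of a catchme report,
measures the shared filename prefix, compares two scans, and emits the
Rootkit:: section of a CFScript in the layout used in the reply above.
"""
import ntpath
import re

# Line shape seen in the thread: "<path> <size> bytes [executable]"
CATCHME_LINE = re.compile(
    r"^(?P<path>\S.*?)\s+(?P<size>\d+)\s+bytes(?P<exe>\s+executable)?\s*$"
)

# Constructed input: the hidden-file block of the 17:15 catchme run posted
# above, trimmed to the lines this script reads.
SCAN_EARLY = r"""
Rootkit scan 2009-05-02 17:15
scanning hidden files ...

c:\windows\system32\drivers\ovfsthyegspyprqlxhyudjwmatnbbniqjivecm.sys 83968 bytes executable
c:\docume~1\Morgaine\LOCALS~1\Temp\ovfsthfkotbnimvw.tmp 133632 bytes executable
c:\docume~1\Morgaine\LOCALS~1\Temp\ovfsthqbftewivrc.tmp 107520 bytes executable
c:\docume~1\Morgaine\LOCALS~1\Temp\OVFSTHVPUXOUQDRT.TMP.0.AVB 343040 bytes executable
c:\docume~1\Morgaine\LOCALS~1\Temp\ovfsthx000 0 bytes
c:\windows\system32\ovfsthdmjbglxepmhhakgjcxrqperrvdfiqqsc.dll 60928 bytes executable
c:\windows\system32\ovfsthdoclvcqvymxgadasycsvlrhrxbpnkryk.dll 18944 bytes executable
c:\windows\system32\ovfsthewopwgesawderjlvwhpkrexugelatvtc.dat 45483 bytes
c:\windows\system32\ovfsthftjtakrpchvvneldrqxyexupknomnlty.dll 18432 bytes executable
c:\windows\system32\ovfsthppurmdnjirlahkdmmixewbafklllcrht.dat 43 bytes

scan completed successfully
hidden files: 10
"""

# The 17:29 run posted above differs only in the size of the .dat file
# (47115 bytes), so it is derived here instead of being repeated in full.
SCAN_LATE = SCAN_EARLY.replace("17:15", "17:29").replace(
    "ovfsthewopwgesawderjlvwhpkrexugelatvtc.dat 45483",
    "ovfsthewopwgesawderjlvwhpkrexugelatvtc.dat 47115",
)


def parse_catchme(text):
    """Return (scan_time, entries) for one catchme report.

    Only the 'scanning hidden files' block is read; each entry records the
    path, the size in bytes and whether catchme flagged it as executable.
    """
    scan_time, entries, in_files = None, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Rootkit scan "):
            scan_time = line[len("Rootkit scan "):]
        elif line.startswith("scanning hidden files"):
            in_files = True
        elif line.startswith("scan completed"):
            break
        elif in_files and line:
            m = CATCHME_LINE.match(line)
            if m:
                entries.append({"path": m.group("path"),
                                "size": int(m.group("size")),
                                "executable": m.group("exe") is not None})
    return scan_time, entries


def common_prefix(entries):
    """Longest case-insensitive prefix shared by all hidden file names.

    A long prefix shared by files spread over drivers, system32 and Temp is
    the pattern visible in the logs above and is what the reply keys on.
    """
    names = [ntpath.basename(e["path"]).lower() for e in entries]
    if not names:
        return ""
    lo, hi = min(names), max(names)  # the LCP of all names is the LCP of min and max
    i = 0
    while i < min(len(lo), len(hi)) and lo[i] == hi[i]:
        i += 1
    return lo[:i]


def diff_scans(early, late):
    """Files whose size changed, appeared or vanished between two scans."""
    a = {e["path"].lower(): e["size"] for e in early}
    b = {e["path"].lower(): e["size"] for e in late}
    return {
        "changed": {p: (a[p], b[p]) for p in a.keys() & b.keys() if a[p] != b[p]},
        "added": sorted(b.keys() - a.keys()),
        "removed": sorted(a.keys() - b.keys()),
    }


def build_cfscript(entries):
    """Rootkit:: section as laid out in the reply: one path per line, no sizes."""
    return "\n".join(["KillAll::", "", "Rootkit::"] + [e["path"] for e in entries]) + "\n"


if __name__ == "__main__":
    when, early = parse_catchme(SCAN_EARLY)
    _, late = parse_catchme(SCAN_LATE)
    print(f"{when}: {len(early)} hidden files, shared prefix {common_prefix(early)!r}")
    for path, (old, new) in diff_scans(early, late)["changed"].items():
        print(f"size changed between runs: {path} {old} -> {new}")
    print(build_cfscript(late))
```

Two things the parsed output makes explicit that are easy to miss when reading the raw log: seven of the ten hidden files are executables, hidden in driver, system32 and per-user Temp locations, and the `.dat` file grew between the two runs, which shows the hidden component is still being written to while the scans are taken. Dropping the sizes when emitting the script matters, because the Rootkit:: section expects bare paths.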


#7 ein

ein
  • Topic Starter

  • Members
  • 6 posts
  • Local time:09:51 PM

Posted 02 May 2009 - 09:44 PM

ComboFix
ComboFix 09-05-02.4 - Morgaine 05/02/2009 20:29.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1532 [GMT -6:00]
Running from: c:\documents and settings\Morgaine\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Morgaine\Desktop\CFScript.txt
AV: eTrust ITM *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Morgaine\LOCALS~1\Temp\OVFSTHVPUXOUQDRT.TMP.0.AVB
c:\docume~1\Morgaine\LOCALS~1\Temp\ovfsthx000
c:\windows\system32\drivers\ovfsthyegspyprqlxhyudjwmatnbbniqjivecm.sys
c:\windows\system32\ovfsthdmjbglxepmhhakgjcxrqperrvdfiqqsc.dll
c:\windows\system32\ovfsthdoclvcqvymxgadasycsvlrhrxbpnkryk.dll
c:\windows\system32\ovfsthewopwgesawderjlvwhpkrexugelatvtc.dat
c:\windows\system32\ovfsthftjtakrpchvvneldrqxyexupknomnlty.dll
c:\windows\system32\ovfsthppurmdnjirlahkdmmixewbafklllcrht.dat

.
((((((((((((((((((((((((( Files Created from 2009-04-03 to 2009-05-03 )))))))))))))))))))))))))))))))
.

2009-05-02 03:43 . 2009-05-02 03:43 -------- d-----w c:\documents and settings\Morgaine\Application Data\WinPatrol
2009-05-02 03:43 . 2009-05-02 03:43 -------- d-----w c:\program files\BillP Studios
2009-04-29 09:18 . 2009-04-29 09:18 -------- d-----w c:\documents and settings\All Users\Application Data\CA
2009-04-16 02:48 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 02:48 . 2009-02-06 10:39 35328 -c----w c:\windows\system32\dllcache\sc.exe
2009-04-16 02:48 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 02:48 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 02:48 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 02:48 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 02:48 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 02:48 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 02:48 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 02:48 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-07 20:57 . 2009-04-07 20:57 -------- d-----w c:\documents and settings\Morgaine\Application Data\HP
2009-04-07 06:22 . 2009-04-07 06:22 -------- d-----w c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-04-07 06:21 . 2007-03-28 20:01 118272 ----a-w c:\windows\system32\hpz3l5ha.dll
2009-04-07 06:20 . 2007-03-08 19:20 21568 ----a-w c:\windows\system32\drivers\HPZius12.sys
2009-04-07 06:20 . 2007-03-08 19:20 16496 ----a-w c:\windows\system32\drivers\HPZipr12.sys
2009-04-07 06:20 . 2007-03-08 19:20 49920 ----a-w c:\windows\system32\drivers\HPZid412.sys
2009-04-07 06:20 . 2007-03-31 05:29 267864 ----a-w c:\windows\system32\hpzids01.dll
2009-04-07 06:20 . 2007-03-17 20:39 958464 ----a-w c:\windows\system32\hpotiop4.dll
2009-04-07 06:20 . 2007-03-17 20:39 303104 ----a-w c:\windows\system32\hpovst11.dll
2009-04-07 06:20 . 2007-03-08 19:20 364544 ----a-w c:\windows\system32\hppldcoi.dll
2009-04-07 06:20 . 2007-03-08 19:20 309760 ----a-w c:\windows\system32\difxapi.dll
2009-04-07 06:20 . 2007-03-17 20:39 675840 ----a-w c:\windows\system32\hpowiax4.dll
2009-04-07 06:20 . 2009-04-07 05:44 -------- d-----w c:\program files\HP
2009-04-07 06:17 . 2009-04-07 05:46 139670 ----a-w c:\windows\hpoins15.dat
2009-04-07 06:17 . 2007-09-21 12:46 1039 ------w c:\windows\hpomdl15.dat
2009-04-07 05:47 . 2009-04-07 05:47 -------- d-----w c:\documents and settings\All Users\Application Data\WEBREG
2009-04-07 05:44 . 2009-04-07 05:44 -------- d-----w c:\documents and settings\All Users\Application Data\HPSSUPPLY
2009-04-07 05:41 . 2009-04-07 05:41 -------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-04-07 05:41 . 2009-04-07 05:42 -------- d-----w c:\documents and settings\All Users\Application Data\HP
2009-04-07 05:41 . 2009-04-07 05:41 -------- d-----w c:\program files\Common Files\HP
2009-04-07 05:40 . 2009-04-07 05:40 -------- d-----w c:\program files\Hewlett-Packard
2009-04-07 05:40 . 2009-04-07 05:40 -------- d-----w c:\program files\Common Files\Hewlett-Packard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-03 02:33 . 2006-03-16 01:20 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-02 23:44 . 2009-02-28 08:34 -------- d-----w c:\program files\Lavasoft
2009-05-02 23:42 . 2009-02-28 08:22 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-02 08:09 . 2009-05-02 08:10 2107904 ----a-w c:\windows\Internet Logs\xDB5.tmp
2009-05-02 07:38 . 2009-02-28 08:39 472 ----a-w c:\windows\Tasks\Ad-Aware Update (Weekly).job
2009-04-30 04:22 . 2009-02-27 12:52 -------- d-----w c:\program files\Trend Micro
2009-04-28 19:41 . 2009-04-28 19:43 2046976 ----a-w c:\windows\Internet Logs\xDB4.tmp
2009-04-28 04:42 . 2009-04-07 20:58 2102165 ----a-w c:\windows\Internet Logs\tvDebug.Zip
2009-04-24 06:49 . 2009-04-24 06:51 2043392 ----a-w c:\windows\Internet Logs\xDB3.tmp
2009-04-02 04:08 . 2009-04-03 20:12 2487808 ----a-w c:\windows\Internet Logs\xDB2.tmp
2009-04-02 04:07 . 2009-02-27 14:09 4212 ---ha-w c:\windows\system32\zllictbl.dat
2009-04-02 03:00 . 2009-03-02 17:37 -------- d-----w c:\program files\eclipse
2009-04-02 01:43 . 2006-03-16 03:45 -------- d-----w c:\program files\Java
2009-03-28 06:00 . 2009-03-28 06:00 -------- d-----w c:\program files\Any Video Converter
2009-03-24 07:52 . 2009-03-12 07:04 -------- d-----w c:\program files\Aspell
2009-03-19 09:04 . 2009-03-06 19:58 -------- d-----w c:\program files\EPSON
2009-03-15 06:33 . 2009-03-15 06:32 -------- d-----w c:\program files\iTunes
2009-03-15 06:32 . 2009-03-15 06:32 -------- d-----w c:\program files\iPod
2009-03-15 06:32 . 2009-03-15 06:28 -------- d-----w c:\program files\Common Files\Apple
2009-03-15 06:31 . 2009-03-15 06:31 -------- d-----w c:\program files\Bonjour
2009-03-15 06:31 . 2009-03-15 06:30 -------- d-----w c:\program files\QuickTime
2009-03-15 06:29 . 2009-03-15 06:29 -------- d-----w c:\program files\Apple Software Update
2009-03-12 17:43 . 2009-03-12 17:45 1676800 ----a-w c:\windows\Internet Logs\xDB1.tmp
2009-03-11 23:09 . 2009-03-11 23:08 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-11 23:08 . 2009-03-11 23:07 -------- d-----w c:\program files\LeapFrog
2009-03-10 23:43 . 2009-02-27 13:04 -------- d-----w c:\program files\Quicken
2009-03-10 19:29 . 2009-02-28 08:45 -------- d-----w c:\program files\uTorrent
2009-03-09 11:19 . 2009-03-02 17:11 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-09 00:40 . 2009-02-27 13:13 -------- d-----w c:\program files\Opera
2009-03-07 05:38 . 2009-03-05 10:57 -------- d-----w c:\program files\Windows Media Connect 2
2009-03-06 20:14 . 2009-03-06 19:48 -------- d-----w c:\program files\OverDrive Media Console
2009-03-06 14:22 . 2006-03-15 23:55 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 10:54 . 2006-03-16 03:46 -------- d-----w c:\program files\Windows Media Connect
2009-03-05 10:36 . 2009-03-05 10:36 137 ----a-w c:\documents and settings\NetworkService\Local Settings\Application Data\fusioncache.dat
2009-03-05 10:35 . 2009-03-01 08:20 126 ----a-w c:\documents and settings\mom\Local Settings\Application Data\fusioncache.dat
2009-02-28 08:47 . 2009-02-28 08:47 0 ----a-w c:\windows\nsreg.dat
2009-02-28 08:27 . 2006-03-16 20:29 42032 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-27 14:07 . 2006-03-16 01:14 86811 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-02-27 13:25 . 2009-02-27 13:25 4 ----a-w c:\windows\Pix11.dat
2009-02-16 06:10 . 2009-02-27 14:09 1221512 ----a-w c:\windows\system32\zpeng25.dll
2009-02-09 12:10 . 2006-03-15 23:55 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2006-03-15 23:56 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2006-03-15 23:55 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2006-03-15 23:55 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2006-03-15 23:56 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2006-03-15 23:56 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2006-03-15 23:55 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2006-03-15 23:56 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2006-03-15 23:56 56832 ----a-w c:\windows\system32\secur32.dll
2009-03-06 19:27 . 2009-02-28 08:46 67688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-03-06 19:27 . 2009-02-28 08:46 54368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-03-06 19:27 . 2009-02-28 08:46 34944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-03-06 19:27 . 2009-02-28 08:46 46712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-03-06 19:27 . 2009-02-28 08:46 172136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-02_23.15.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-03 02:33 . 2009-05-03 02:33 16384 c:\windows\Temp\Perflib_Perfdata_9c8.dat
+ 2009-05-03 02:33 . 2009-05-03 02:33 16384 c:\windows\Temp\Perflib_Perfdata_98c.dat
+ 2006-03-16 01:19 . 2009-05-03 02:27 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-03-16 01:19 . 2009-05-02 23:14 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-03-16 01:19 . 2009-05-03 02:27 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-03-16 01:19 . 2009-05-02 23:14 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-03-16 01:19 . 2009-05-03 02:27 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-03-16 01:19 . 2009-05-02 23:14 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-17 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-17 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-17 118784]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-18 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-12-14 217088]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-12 151552]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-07 7557120]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2005-11-24 167936]
"VAIOSurvey"="c:\program files\sony\vaio survey\surveysa.exe" [2005-06-13 258048]
"VAIOCameraUtility"="c:\program files\Sony\VAIO Camera Utility\VCUServe.exe" [2005-12-01 69632]
"PartSeal"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"Realtime Monitor"="c:\program files\CA\eTrustITM\realmon.exe" [2007-01-17 407632]
"EPSON Stylus CX5800F Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE" [2006-12-20 177664]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-02-05 356352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-04-20 337216]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX5800F Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE" [2006-12-20 177664]
"EPSON Stylus CX5800F Series (Copy 2)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE" [2006-12-20 177664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-10-11 1724416]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-21 01:42 73728 ----a-w c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CA\\eTrustITM\\InoRpc.exe"=
"c:\\Program Files\\CA\\eTrustITM\\Realmon.exe"=
"c:\\Program Files\\CA\\eTrustITM\\Shellscn.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Lbd;Lbd; [x]
R3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE [2002-12-18 311872]
S2 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe [2009-02-05 991232]
S2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe [2002-12-18 7520337]
S3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\DRIVERS\SonyImgF.sys [2005-12-27 29184]
S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-02-22 226304]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a30e6c60-056f-11de-9f6c-0013a908f4a4}]
\Shell\AutoRun\command - "E:\Install FreeAgent Tools.exe" /run

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://metroconnect.mscd.edu/cp/home/loginf
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
FF - ProfilePath - c:\documents and settings\Morgaine\Application Data\Mozilla\Firefox\Profiles\i0ulny20.default\
FF - prefs.js: browser.startup.homepage - msn.com
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-02 20:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1192)
c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'explorer.exe'(524)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehSched.exe
c:\program files\CA\SharedComponents\iTechnology\igateway.exe
c:\program files\CA\eTrustITM\InoRPC.exe
c:\program files\CA\eTrustITM\InoRT.exe
c:\program files\CA\eTrustITM\InoTask.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-05-03 20:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-03 02:38
ComboFix2.txt 2009-05-02 23:55
ComboFix3.txt 2009-05-02 23:31
ComboFix4.txt 2009-05-02 23:21

Pre-Run: 43,586,347,008 bytes free
Post-Run: 43,575,500,800 bytes free

275 --- E O F --- 2009-05-02 23:19


HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:41:28 PM, on 5/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\Sony\VAIO Camera Utility\VCUServe.exe
C:\Program Files\CA\eTrustITM\realmon.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://metroconnect.mscd.edu/cp/home/loginf
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [VAIOSurvey] c:\program files\sony\vaio survey\surveysa.exe
O4 - HKLM\..\Run: [VAIOCameraUtility] "C:\Program Files\Sony\VAIO Camera Utility\VCUServe.exe"
O4 - HKLM\..\Run: [PartSeal] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s
O4 - HKLM\..\Run: [EPSON Stylus CX5800F Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /P27 "EPSON Stylus CX5800F Series" /O6 "USB001" /M "Stylus CX5800F"
O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [EPSON Stylus CX5800F Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /FU "C:\WINDOWS\TEMP\E_S4EC.tmp" /EF "HKCU" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [EPSON Stylus CX5800F Series (Copy 2)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /FU "C:\WINDOWS\TEMP\E_S4EF.tmp" /EF "HKCU" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [EPSON Stylus CX5800F Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /FU "C:\WINDOWS\TEMP\E_S4EC.tmp" /EF "HKCU" (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O16 - DPF: {E6BB2089-163F-466B-812A-748096614DFD} (CAScanner Control) - http://cainternetsecurity.net/scanner/cascanner.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iTechnology iGateway 4.2 (iGateway) - CA, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Service (InoRT) - CA - C:\Program Files\CA\eTrustITM\InoRT.exe
O23 - Service: eTrust ITM Job Service (InoTask) - CA - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LeapFrog Connect Device Service - Unknown owner - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

--
End of file - 12024 bytes
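The ComboFix "Reg Loading Points" section above contains a handful of settings that a responder wants flagged rather than read by eye: the Security Center notification and monitoring switches, the Windows Firewall profile state, and the AutoRun command cached under mountpoints2 for a removable volume. The script below is an added example for this thread, not a ComboFix or HijackThis feature and not code posted by either participant; it parses those lines (reproduced from the log above as a constructed sample) and reports each with the reason it matters. The severity labels and notes are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the security-relevant lines copied from the ComboFix
# "Reg Loading Points" section in this thread (values as posted, not invented).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a30e6c60-056f-11de-9f6c-0013a908f4a4}]
\Shell\AutoRun\command - "E:\Install FreeAgent Tools.exe" /run
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(.*)$", re.IGNORECASE)
# ComboFix renders DWORDs either as dword:00000001 or as "1 (0x1)"
DWORD_RE = re.compile(r"^(?:dword:([0-9a-fA-F]{8})|(\d+)\s*\(0x[0-9a-fA-F]+\))$")


@dataclass
class Finding:
    key: str
    name: str
    value: str
    severity: str  # "weakened": a protection is off; "review": needs a human decision
    note: str


def parse_dword(text):
    """Return the integer behind a ComboFix DWORD rendering, or None if it is not one."""
    m = DWORD_RE.match(text.strip())
    if not m:
        return None
    return int(m.group(1), 16) if m.group(1) is not None else int(m.group(2))


def triage(log_text):
    """Walk a 'Reg Loading Points' fragment and return the settings worth a second look."""
    findings = []
    key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)          # new registry key header
            continue
        if key is None:
            continue
        lower = key.lower()
        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in lower:
            findings.append(Finding(key, r"Shell\AutoRun\command", m.group(1), "review",
                "AutoRun handler cached from a removable volume's autorun.inf; "
                "confirm the referenced executable really is the vendor's"))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        num = parse_dword(value)
        if "security center" in lower and name == "UpdatesDisableNotify" and num == 1:
            findings.append(Finding(key, name, value, "weakened",
                "Security Center no longer warns that Automatic Updates is off "
                "(the setting MBAM reports as Disabled.SecurityCenter)"))
        elif "security center\\monitoring" in lower and name == "DisableMonitoring" and num == 1:
            findings.append(Finding(key, name, value, "review",
                "Security Center monitoring of this product is off; normal when the product "
                "reports its own status, suspicious if no such product is installed"))
        elif "firewallpolicy" in lower and name == "EnableFirewall" and num == 0:
            findings.append(Finding(key, name, value, "review",
                "Windows Firewall profile disabled; acceptable only if a third-party "
                "firewall is installed and actually running"))
    return findings


def summarize(findings):
    """Count findings by severity, e.g. {'review': 4, 'weakened': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity}] {f.name} = {f.value}\n    {f.key}\n    {f.note}")
    print(summarize(results))
```

On this machine the two DisableMonitoring values and EnableFirewall=0 are consistent with CA eTrust and ZoneAlarm being the registered antivirus and firewall, which is why they are only marked for review; UpdatesDisableNotify=1 is the one with no such explanation, and it is exactly the item MBAM quarantines later in the thread. The mountpoints2 entry is Windows' cached copy of what the external drive's autorun.inf advertised, so it is the place to check which executable a plugged-in volume would launch.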


#8 fenzodahl512 (Members, 6,738 posts)

Posted 03 May 2009 - 02:28 AM

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.




Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Post me these logs in your next reply..

1. Malwarebytes'
2. ESET Online
3. How's the computer now? :thumbup2:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#9 ein (Topic Starter, Members, 6 posts)

Posted 04 May 2009 - 11:29 PM

My computer is running much better. The random number .exe's have stopped trying to get through ZoneAlarm and my explorer.exe is shutting down less frequently, although I'm still getting redirected to strange sites when I click on links from Google and the like. One of my main concerns though is my external hard drive. I have been keeping it quarantined from my computer because I didn't want to infect it; but... I think it already is. Should I repeat the steps that you have shown me here to clean it? All of my backups and the majority of my pictures and files are on there. I reformatted my computer recently and never got around to restoring it completely...


And one other thing: I had to shut down my computer while the first ESET scan was running, because explorer.exe shut down while I needed my comp for finals work. The first scan was up to 7 problems found, but in the second (the log below) no errors were found. I don't know if this makes a difference.

mbam
Malwarebytes' Anti-Malware 1.36
Database version: 2069
Windows 5.1.2600 Service Pack 3

5/3/2009 3:54:38 AM
mbam-log-2009-05-03 (03-54-38).txt

Scan type: Full Scan (C:\|)
Objects scanned: 183896
Time elapsed: 55 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prnet (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\protect.dll.vir (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\Morgaine\protect.dll.vir (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\autochk.dll.vir (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gereviba.exe.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

ESET
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=4050 (20090503)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=e1dfdb04a05aa24693b796bad4931de1
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-05-04 11:10:22
# local_time=2009-05-04 05:10:22 (-0700, Mountain Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=943599
# found=0
# scan_time=15189


#10 fenzodahl512 (Members, 6,738 posts)

Posted 05 May 2009 - 06:44 AM

Should I repeat the steps that you have shown me here to clean it?


No.. When you plug in the external drives, just scan it with your antivirus and malwarebytes..


Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.


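The advice above to scan the external drive with the antivirus and Malwarebytes when it is plugged in pairs well with one quick check that this thread's own logs motivate (the Worm.Autorun detections and the AutoRun command cached under mountpoints2 for the E: volume): read the autorun.inf in the volume root, list what it would launch, and confirm that each launch target actually exists on the drive. The script below is an added example for this thread, not code from the thread or from any of the tools it mentions; the autorun.inf it writes into a temporary directory is constructed for the demonstration, and the mount-path argument and file names are assumptions.

```python
import os
import sys
import tempfile

# [autorun] keys that make Windows run something on insert or double-click.
EXEC_KEYS = ("open", "shellexecute")

# Constructed sample autorun.inf: one launch target that will exist on the
# volume and one that will not (a stand-in for a handler left behind by an
# autorun worm whose payload has since been quarantined).
SAMPLE_AUTORUN_INF = """[autorun]
open="Install FreeAgent Tools.exe"
icon=Install FreeAgent Tools.exe,0
shell\\explore\\command=tools\\helper.exe /x
"""


def parse_autorun(text):
    """Return the [autorun] directives as {lowercased key: value}; other sections are ignored."""
    directives = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            directives[key.strip().lower()] = value.strip()
    return directives


def launch_targets(directives):
    """Keep only directives that launch code: open, shellexecute and shell\\<verb>\\command."""
    return {k: v for k, v in directives.items()
            if k in EXEC_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))}


def referenced_file(value):
    """Drop arguments: '"E:\\Install FreeAgent Tools.exe" /run' -> 'E:\\Install FreeAgent Tools.exe'."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def resolve_on_volume(root, value):
    """Map a referenced file to a path under root, dropping a drive letter such as E:."""
    rel = referenced_file(value)
    if len(rel) >= 2 and rel[1] == ":":
        rel = rel[2:]
    rel = rel.lstrip("\\/").replace("\\", os.sep)
    return os.path.join(root, rel)


def inspect_volume(root):
    """Report whether root carries autorun.inf, what it launches, and which targets are missing."""
    report = {"autorun_inf": False, "launch_targets": {}, "missing": []}
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return report
    report["autorun_inf"] = True
    with open(path, encoding="utf-8", errors="replace") as fh:
        targets = launch_targets(parse_autorun(fh.read()))
    report["launch_targets"] = targets
    report["missing"] = [k for k, v in targets.items()
                         if not os.path.exists(resolve_on_volume(root, v))]
    return report


def build_sample_volume(root):
    """Write the constructed autorun.inf and only the first target it references."""
    with open(os.path.join(root, "autorun.inf"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_AUTORUN_INF)
    with open(os.path.join(root, "Install FreeAgent Tools.exe"), "wb") as fh:
        fh.write(b"placeholder bytes, not a real executable\n")


def demo():
    """Run the check against the constructed volume and return the report."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_volume(root)
        return inspect_volume(root)


if __name__ == "__main__":
    # Usage: python check_autorun.py <mount path of the drive>; no argument runs the demo.
    report = inspect_volume(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print("autorun.inf present:", report["autorun_inf"])
    for key, value in report["launch_targets"].items():
        flag = "MISSING" if key in report["missing"] else "present"
        print(f"  {key} = {value}  [{flag}]")
```

A launch target that is missing, hidden, or not something the drive's vendor shipped is a reason to treat the drive as infected and clean it before copying anything off it; a clean vendor installer, as the FreeAgent entry in the thread appears to be, is normal. This is a complement to the antivirus scan, not a replacement: it only examines what autorun.inf points at, while the scan examines the files themselves.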

#11 ein (Topic Starter, Members, 6 posts)

Posted 12 May 2009 - 02:36 AM

GooredFix v1.92 by jpshortstuff
Log created at 01:35 on 12/05/2009 running Option #1 (Morgaine)
Firefox version 2.0.0.20 (en-US)

=====Suspect Goored Entries=====

C:\Program Files\Mozilla Firefox\extensions\{06F98623-58FD-4CB6-AF12-1E01D0060F22}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 2.0.0.20\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 2.0.0.20\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"


#12 fenzodahl512 (Members, 6,738 posts)

Posted 12 May 2009 - 05:14 AM

Please double-click Goored.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).


How's the computer now? :thumbup2:



#13 fenzodahl512 (Members, 6,738 posts)

Posted 17 May 2009 - 11:23 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic





