
Unknown infection


35 replies to this topic

#1 Tamz411


Posted 21 May 2010 - 07:39 PM

Hey all, I have a suspicion that I am being hacked. About 2 weeks ago I was trying to download a file from megaupload and it said I was already downloading an .avi file from my IP when I was not. In addition, I made sure all my desktops were off at the time. After turning off the wifi on my laptop and reconnecting, the megaupload problem disappeared. I have recently reformatted my laptop and changed the password for my wifi connection in hopes of fixing the problem, but it still happens from time to time, making me suspect that I am still being hacked. I have run Spybot and it has not found anything aside from tracking cookies, which I have deleted. Any help would be kindly appreciated. Thank you! Attached below are the DDS, Attach.txt and the Ark logs.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Henry at 19:47:56.83 on 21/05/2010
Internet Explorer: 8.0.6001.18904
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2038.589 [GMT -4:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Sony\Network Utility\NSUService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Sony\VAIO PC Wireless LAN Wizard\AutoLaunchWLASU.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Windows\system32\wuauclt.exe
C:\Users\Henry\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Henry\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Henry\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Henry\AppData\Local\Google\Chrome\Application\chrome.exe
C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Users\Henry\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Henry\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\conime.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Users\Henry\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Users\Henry\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Henry\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Henry\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Henry\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Henry\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sony.com/vaiopeople
mDefault_Page_URL = hxxp://www.sony.com/vaiopeople
BHO: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Google Update] "c:\users\henry\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ISBMgr.exe] "c:\program files\sony\isb utility\ISBMgr.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [VAIO Center Access Bar] "c:\program files\sony\vaio center access bar\VCAB.exe" 1
mRun: [VWLASU] "c:\program files\sony\vaio pc wireless lan wizard\AutoLaunchWLASU.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Skytel] Skytel.exe
StartupFolder: c:\users\henry\appdata\roaming\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\common files\logishrd\ereg\setpoint\eReg.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\aolddi~1.lnk - c:\ddi\AOLICON.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Notify: igfxcui - igfxdev.dll
Notify: VESWinlogon - VESWinlogon.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R2 NSUService;NSUService;c:\program files\sony\network utility\NSUService.exe [2010-5-18 200704]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-12-2 42368]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-8-26 812544]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-5-21 1153368]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-5-18 16472]
S3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;c:\program files\sony\vaio media integrated server\UCLS.exe [2010-5-18 745472]
S3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);c:\program files\sony\vaio media integrated server\platform\SV_Httpd.exe [2010-5-18 397312]
S3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);c:\program files\sony\vaio media integrated server\platform\UPnPFramework.exe [2010-5-18 1089536]
S3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\sony\vcm intelligent analyzing manager\VcmIAlzMgr.exe [2007-8-26 292152]
S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\common files\sony shared\vcmxml\VcmXmlIfHelper.exe [2007-8-26 79736]

=============== Created Last 30 ================

2010-05-21 23:29:37 0 d-----w- c:\program files\Trend Micro
2010-05-21 23:18:48 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-21 23:18:48 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-21 17:38:51 0 d-----w- c:\program files\Foxit Software
2010-05-21 16:49:18 0 d-----w- c:\windows\system32\vi-VN
2010-05-21 16:49:18 0 d-----w- c:\windows\system32\eu-ES
2010-05-21 16:49:18 0 d-----w- c:\windows\system32\ca-ES
2010-05-20 14:14:31 0 d-----w- c:\windows\system32\EventProviders
2010-05-20 06:56:59 679936 ----a-w- c:\windows\system32\msvcrt.dll
2010-05-20 06:55:59 70656 ----a-w- c:\windows\system32\iashlpr.dll
2010-05-20 06:54:59 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
2010-05-20 06:53:48 247808 ----a-w- c:\windows\system32\drvstore.dll
2010-05-20 06:39:11 18904 ----a-w- c:\windows\system32\StructuredQuerySchemaTrivial.bin
2010-05-20 06:39:04 11967524 ----a-w- c:\windows\system32\korwbrkr.lex
2010-05-20 06:19:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-05-20 06:18:49 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-20 04:09:52 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2010-05-20 02:26:23 0 d-----w- C:\PerfLogs
2010-05-19 19:15:58 215552 ----a-w- c:\windows\system32\winrsmgr.dll
2010-05-19 19:14:57 75776 ----a-w- c:\windows\system32\synceng.dll
2010-05-19 19:13:59 46080 ----a-w- c:\windows\system32\NAPCRYPT.DLL
2010-05-19 19:12:59 55296 ----a-w- c:\windows\system32\WUDFSvc.dll
2010-05-19 19:11:59 47104 ----a-w- c:\windows\system32\drivers\lltdio.sys
2010-05-19 19:10:28 102400 ----a-w- c:\windows\system32\wbem\mofinstall.dll
2010-05-19 19:10:27 357888 ----a-w- c:\windows\system32\wbemcomn.dll
2010-05-19 19:10:22 139264 ----a-w- c:\windows\system32\SmiInstaller.dll
2010-05-19 19:10:22 129536 ----a-w- c:\windows\system32\sqmapi.dll
2010-05-19 19:10:01 35328 ----a-w- c:\windows\system32\mspatcha.dll
2010-05-19 19:10:01 305152 ----a-w- c:\windows\system32\msdelta.dll
2010-05-19 19:10:01 258560 ----a-w- c:\windows\system32\dpx.dll
2010-05-19 17:02:58 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-05-19 15:05:01 377344 ----a-w- c:\windows\system32\winhttp.dll
2010-05-19 14:39:35 0 d-----w- C:\Intel
2010-05-19 05:34:10 499712 ----a-w- c:\windows\system32\kerberos.dll
2010-05-19 05:34:09 270848 ----a-w- c:\windows\system32\schannel.dll
2010-05-19 05:32:58 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-05-19 05:32:57 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-05-19 05:32:57 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-05-19 05:32:57 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-05-19 05:32:56 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-05-19 05:32:56 471552 ----a-w- c:\windows\system32\secproc.dll
2010-05-19 05:32:56 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-05-19 05:32:55 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-05-19 05:32:55 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-05-19 04:49:16 91136 ----a-w- c:\windows\system32\avifil32.dll
2010-05-19 04:49:16 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-05-19 04:49:16 65024 ----a-w- c:\windows\system32\avicap32.dll
2010-05-19 04:49:16 31744 ----a-w- c:\windows\system32\msvidc32.dll
2010-05-19 04:49:16 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-05-19 04:49:16 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-05-19 04:49:14 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-05-19 04:49:14 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-05-19 04:49:14 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-05-19 04:49:14 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2010-05-19 03:58:59 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-19 03:58:59 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-19 03:58:59 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-05-19 03:58:58 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-05-19 03:58:58 23552 ----a-w- c:\windows\system32\lpk.dll
2010-05-19 03:58:58 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-05-19 03:57:20 61440 ----a-w- c:\windows\system32\winipsec.dll
2010-05-19 03:57:20 272896 ----a-w- c:\windows\system32\polstore.dll
2010-05-19 03:55:40 1820 ----a-w- c:\windows\system32\rasctrnm.h
2010-05-19 03:54:04 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-05-19 03:54:03 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-05-19 03:48:15 17920 ----a-w- c:\windows\system32\netevent.dll
2010-05-19 03:48:15 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2010-05-19 03:48:14 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2010-05-19 03:48:14 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2010-05-19 03:48:14 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2010-05-19 03:48:14 19968 ----a-w- c:\windows\system32\ARP.EXE
2010-05-19 03:48:14 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2010-05-19 03:48:14 105984 ----a-w- c:\windows\system32\netiohlp.dll
2010-05-19 03:48:14 10240 ----a-w- c:\windows\system32\finger.exe
2010-05-19 03:42:26 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2010-05-19 03:42:25 2501921 ----a-w- c:\windows\system32\wlan.tmf
2010-05-19 03:42:24 68096 ----a-w- c:\windows\system32\wlanhlp.dll
2010-05-19 03:42:24 65024 ----a-w- c:\windows\system32\wlanapi.dll
2010-05-19 03:42:24 513536 ----a-w- c:\windows\system32\wlansvc.dll
2010-05-19 03:42:24 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2010-05-19 03:42:23 302592 ----a-w- c:\windows\system32\wlansec.dll
2010-05-19 03:42:21 2334 ----a-w- c:\windows\system32\wbem\L2SecHC.mof
2010-05-19 03:42:20 12880 ----a-w- c:\windows\system32\wbem\wlan.mof
2010-05-19 03:42:18 15181 ----a-w- c:\windows\system32\gatherWirelessInfo.vbs
2010-05-19 03:40:32 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-05-19 03:40:30 1401856 ----a-w- c:\windows\system32\msxml6.dll
2010-05-19 03:40:29 2048 ----a-w- c:\windows\system32\msxml3r.dll
2010-05-19 03:40:27 2048 ----a-w- c:\windows\system32\msxml6r.dll
2010-05-19 03:38:36 175104 ----a-w- c:\windows\system32\wdigest.dll
2010-05-19 03:38:35 9728 ----a-w- c:\windows\system32\lsass.exe
2010-05-19 03:38:35 72704 ----a-w- c:\windows\system32\secur32.dll
2010-05-19 03:38:35 439864 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2010-05-19 03:38:35 218624 ----a-w- c:\windows\system32\msv1_0.dll
2010-05-19 03:38:35 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2010-05-19 03:38:32 13780 ----a-w- c:\windows\system32\wbem\lsasrv.mof
2010-05-19 03:36:47 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-05-19 03:36:47 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-05-19 03:36:46 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-05-19 03:34:00 98816 ----a-w- c:\windows\system32\mfps.dll
2010-05-19 03:34:00 53248 ----a-w- c:\windows\system32\rrinstaller.exe
2010-05-19 03:34:00 2868224 ----a-w- c:\windows\system32\mf.dll
2010-05-19 03:34:00 24576 ----a-w- c:\windows\system32\mfpmp.exe
2010-05-19 03:34:00 2048 ----a-w- c:\windows\system32\mferror.dll
2010-05-19 03:32:09 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-05-19 03:32:09 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-05-19 03:25:39 71680 ----a-w- c:\windows\system32\atl.dll
2010-05-19 03:17:43 160256 ----a-w- c:\windows\system32\wkssvc.dll
2010-05-19 03:13:48 136192 ----a-w- c:\windows\system32\aaclient.dll
2010-05-19 03:13:47 53248 ----a-w- c:\windows\system32\tsgqec.dll
2010-05-19 03:13:47 2066432 ----a-w- c:\windows\system32\mstscax.dll
2010-05-19 03:08:17 714240 ----a-w- c:\windows\system32\timedate.cpl
2010-05-19 02:58:21 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
2010-05-19 02:54:41 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-05-19 02:53:35 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-19 02:51:55 623616 ----a-w- c:\windows\system32\localspl.dll
2010-05-19 02:43:05 0 d-----w- c:\program files\Real Alternative
2010-05-19 02:37:05 1808896 ----a-w- c:\windows\system32\NlsLexicons0046.dll
2010-05-19 02:37:05 1793536 ----a-w- c:\windows\system32\NlsLexicons0045.dll
2010-05-19 02:37:04 1411072 ----a-w- c:\windows\system32\NlsLexicons0047.dll
2010-05-19 02:37:03 1558016 ----a-w- c:\windows\system32\NlsLexicons0049.dll
2010-05-19 02:37:02 2136064 ----a-w- c:\windows\system32\NlsLexicons0021.dll
2010-05-19 02:37:02 1782272 ----a-w- c:\windows\system32\NlsLexicons0039.dll
2010-05-19 02:37:02 1236992 ----a-w- c:\windows\system32\NlsLexicons0020.dll
2010-05-19 02:37:01 5499904 ----a-w- c:\windows\system32\NlsLexicons0022.dll
2010-05-19 02:37:00 7964672 ----a-w- c:\windows\system32\NlsLexicons0024.dll
2010-05-19 02:37:00 5791232 ----a-w- c:\windows\system32\NlsLexicons0026.dll
2010-05-19 02:35:24 0 d-----w- c:\program files\DivX
2010-05-19 02:35:24 0 d-----w- c:\program files\common files\DivX Shared
2010-05-19 02:34:40 0 d-----w- c:\programdata\Sun
2010-05-19 02:34:04 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-19 02:29:13 6656 ----a-w- c:\windows\system32\kbd106n.dll
2010-05-19 02:24:21 62464 ----a-w- c:\windows\system32\l3codeca.acm
2010-05-19 02:24:21 220672 ----a-w- c:\windows\system32\l3codecp.acm
2010-05-19 02:21:37 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-05-19 02:21:36 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2010-05-19 02:21:36 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-05-19 02:21:36 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-05-19 02:21:35 814 ----a-w- c:\windows\system32\wbem\WFP.MOF
2010-05-19 02:21:35 15360 ----a-w- c:\windows\system32\drivers\TUNMP.SYS
2010-05-19 02:13:13 37888 ----a-w- c:\windows\system32\printcom.dll
2010-05-19 02:12:17 2036736 ----a-w- c:\windows\system32\win32k.sys
2010-05-19 02:10:04 14848 ----a-w- c:\windows\system32\wshrm.dll
2010-05-19 02:08:41 43520 ----a-w- c:\windows\system32\msdxm.tlb
2010-05-19 02:08:41 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2010-05-19 02:08:41 18432 ----a-w- c:\windows\system32\amcompat.tlb
2010-05-19 01:40:28 65536 ----a-w- c:\windows\ocsetup_cbs_install_NetFx3.dpx
2010-05-19 01:40:28 327680 ----a-w- c:\windows\ocsetup_cbs_install_NetFx3.perf
2010-05-19 01:40:27 34209792 ----a-w- c:\windows\ocsetup_install_NetFx3.etl
2010-05-19 01:36:37 41984 ----a-w- c:\windows\system32\netfxperf.dll
2010-05-19 01:17:06 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-05-19 01:17:02 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-05-19 01:17:02 1696768 ----a-w- c:\windows\system32\gameux.dll
2010-05-19 01:15:09 84480 ----a-w- c:\windows\system32\INETRES.dll
2010-05-19 01:14:37 60928 ----a-w- c:\windows\system32\msasn1.dll
2010-05-19 01:13:33 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2010-05-19 01:12:25 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-05-19 01:12:25 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-05-19 01:12:25 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-05-19 01:10:18 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-05-19 01:09:16 243712 ----a-w- c:\windows\system32\rastls.dll
2010-05-19 01:08:41 355328 ----a-w- c:\windows\system32\WSDApi.dll
2010-05-19 01:05:33 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2010-05-19 01:04:43 310784 ----a-w- c:\windows\system32\unregmp2.exe
2010-05-19 01:04:37 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-05-19 01:04:36 7680 ----a-w- c:\windows\system32\spwmp.dll
2010-05-19 01:04:35 4096 ----a-w- c:\windows\system32\msdxm.ocx
2010-05-19 01:04:35 4096 ----a-w- c:\windows\system32\dxmasf.dll
2010-05-19 01:01:37 0 d-----w- c:\program files\PeerBlock
2010-05-19 00:22:44 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2010-05-19 00:19:14 0 d-----w- c:\programdata\Logishrd
2010-05-19 00:15:55 0 d-----w- c:\users\henry\appdata\roaming\Logishrd
2010-05-18 23:06:04 0 d-----w- c:\program files\Microsoft Security Essentials
2010-05-18 22:49:31 0 d-----w- c:\users\henry\Tracing
2010-05-18 22:47:23 0 d-----w- c:\program files\Microsoft
2010-05-18 22:46:40 0 d-----w- c:\program files\Windows Live SkyDrive
2010-05-18 22:45:36 0 d-----w- c:\windows\PCHEALTH
2010-05-18 22:39:41 0 d-----w- c:\program files\common files\Windows Live
2010-05-18 22:20:09 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 22:05:32 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-05-18 22:05:03 0 d-----w- c:\program files\DAEMON Tools Lite
2010-05-18 22:04:39 0 d-----w- c:\users\henry\appdata\roaming\DAEMON Tools Lite
2010-05-18 22:04:36 0 d-----w- c:\programdata\DAEMON Tools Lite
2010-05-18 22:02:07 0 d-----w- c:\program files\uTorrent
2010-05-18 22:01:46 0 d-----w- c:\users\henry\appdata\roaming\uTorrent
2010-05-18 22:01:30 0 d-----w- c:\program files\Symantec
2010-05-18 22:01:13 0 d-----w- c:\program files\common files\Symantec Shared
2010-05-18 21:59:30 0 d-----w- c:\program files\The KMPlayer
2010-05-18 21:55:36 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2010-05-18 21:43:03 0 d-----w- c:\programdata\VAIO Media Platform
2010-05-18 21:40:01 2981888 ----a-w- c:\windows\system32\iplw7.dll
2010-05-18 21:40:01 2785280 ----a-w- c:\windows\system32\iplm6.dll
2010-05-18 21:40:01 2686976 ----a-w- c:\windows\system32\iplm5.dll
2010-05-18 21:40:01 2531328 ----a-w- c:\windows\system32\iplp6.dll
2010-05-18 21:40:01 2502656 ----a-w- c:\windows\system32\iplpx.dll
2010-05-18 21:40:00 53248 ----a-w- c:\windows\system32\ipl.dll
2010-05-18 21:40:00 2973696 ----a-w- c:\windows\system32\ipla6.dll
2010-05-18 21:40:00 19968 ----a-w- c:\windows\system32\Cpuinf32.dll
2010-05-18 21:35:51 0 d-----w- c:\windows\system32\Spiderman 3 dir
2010-05-18 21:29:18 0 d-----w- c:\programdata\Sonic
2010-05-18 21:25:26 0 ---ha-r- c:\windows\system32\drivers\Sony_VGN-NR110E.mrk
2010-05-18 21:23:13 1132112 ----a-w- c:\programdata\pswi_preloaded.exe
2010-05-18 21:21:28 0 d-----w- c:\programdata\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}
2010-05-18 21:21:20 0 d-----w- c:\program files\Activation Assistant for the 2007 Microsoft Office suites
2010-05-18 21:20:41 32592 ----a-w- c:\windows\system32\msonpmon.dll
2010-05-18 21:17:52 0 d-----w- c:\programdata\Microsoft Help
2010-05-18 21:05:36 0 d-----w- c:\windows\Downloaded Installations
2010-05-18 21:03:27 0 d-----w- c:\windows\Intuit
2010-05-18 21:03:10 0 d-----w- c:\program files\Sony Picture Games
2010-05-18 20:56:42 0 d-----w- c:\programdata\FLEXnet
2010-05-18 20:55:36 28248 ----a-r- c:\windows\system32\AdobePDF.dll
2010-05-18 20:50:48 1933312 ----a-w- c:\windows\system32\cdintf251.dll
2010-05-18 20:49:09 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-05-18 20:48:33 98304 ----a-w- c:\windows\system32\cabview.dll
2010-05-18 20:48:31 0 d-----w- c:\program files\Intuit
2010-05-18 20:48:31 0 d-----w- c:\program files\common files\Intuit
2010-05-18 20:48:15 0 d-----w- c:\programdata\COMMON FILES
2010-05-18 20:46:05 0 d-----w- c:\windows\system32\URTTEMP
2010-05-18 20:44:25 0 d-----w- c:\program files\common files\AOL
2010-05-18 20:44:22 344 ---ha-w- C:\IPH.PH
2010-05-18 20:44:05 0 d-----w- c:\program files\Online Services
2010-05-18 20:25:09 2421760 ----a-w- c:\windows\system32\wucltux.dll
2010-05-18 20:17:41 87552 ----a-w- c:\windows\system32\wudriver.dll
2010-05-18 20:17:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2010-05-18 20:17:12 171608 ----a-w- c:\windows\system32\wuwebv.dll
2010-05-18 19:45:32 0 d-sh--we c:\programdata\Documents
2010-05-18 19:45:32 0 d-sh--we C:\Documents and Settings

==================== Find3M ====================

2010-05-21 16:55:51 86016 ----a-w- c:\windows\inf\infstor.dat
2010-05-21 16:55:51 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-21 16:55:51 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-05-21 16:49:06 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-05-21 16:36:14 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-05-20 02:41:02 174 --sha-w- c:\program files\desktop.ini
2010-05-20 02:04:09 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-05-20 02:04:05 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-05-19 02:37:00 6224896 ----a-w- c:\windows\system32\NlsLexicons0027.dll
2010-05-19 01:01:54 16710176 ----a-w- c:\windows\fonts\meiryo.ttc
2010-05-19 01:01:48 17159388 ----a-w- c:\windows\fonts\meiryob.ttc
2010-04-17 02:12:18 48464 ----a-w- c:\windows\system32\sirenacm.dll
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2007-08-26 21:25:27 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 19:55:06.32 ===============

Edited by Tamz411, 21 May 2010 - 07:39 PM.
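Added example, not part of the original thread: a small Python triage script for the kind of DDS log posted above. It splits the log on its "=== Title ===" headers and then flags the entries a helper looks at first: running processes and autorun targets that live outside Windows or Program Files, BHO CLSIDs registered with "No File", Run keys that name a bare executable (which Windows resolves via the search path, so the binary must be located and checked by hand), and hosts entries pointing anywhere other than loopback. A flag is a prompt for manual review, not a verdict. The sample input is an excerpt copied from the log above; TRUSTED_ROOTS is an assumption about where a standard user cannot write on a default Vista install.

```python
import re

# Constructed sample: an excerpt of the DDS log posted above (a few lines
# from each section are enough to exercise every rule below).
SAMPLE_DDS = r"""
============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe
C:\Users\Henry\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sony.com/vaiopeople
BHO: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\aolddi~1.lnk - c:\ddi\AOLICON.exe
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============
"""

# Assumption: locations a standard user cannot write to on a default Vista
# install. Anything launched from elsewhere is worth a second look.
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files", r"c:\progra~1", r"c:\progra~2")

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# First quoted path, or first drive-letter path, inside a command line.
PATH_RE = re.compile(r'"([^"]+)"|([a-z]:\\[^\s"]+)', re.IGNORECASE)
LOOPBACK = ("127.", "0.0.0.0", "::1")


def parse_sections(text):
    """Map each '=== Title ===' header to the non-empty lines under it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.strip())
    return sections


def in_trusted_root(path):
    return path.strip('"').lower().startswith(TRUSTED_ROOTS)


def first_path(command_line):
    m = PATH_RE.search(command_line)
    return (m.group(1) or m.group(2)) if m else None


def triage(text):
    """Return (reason, entry) pairs for items that need manual review."""
    findings = []
    sections = parse_sections(text)

    for proc in sections.get("Running Processes", []):
        if not in_trusted_root(proc):
            findings.append(("process outside Windows/Program Files", proc))

    for entry in sections.get("Pseudo HJT Report", []):
        kind, sep, rest = entry.partition(": ")
        if not sep:
            continue  # e.g. 'uStart Page = ...', no key to classify
        if kind == "BHO" and rest.endswith("- No File"):
            findings.append(("BHO CLSID registered but its DLL is missing", entry))
        elif kind in ("uRun", "mRun", "StartupFolder"):
            # Run keys: '[Name] command'; startup folder: 'shortcut - target'.
            target = rest.split("] ", 1)[-1] if kind.endswith("Run") else rest.rsplit(" - ", 1)[-1]
            path = first_path(target)
            if path is None:
                findings.append(("autorun names a bare executable, resolved via the search path", entry))
            elif not in_trusted_root(path):
                findings.append(("autorun target outside Windows/Program Files", entry))
        elif kind == "Hosts":
            ip = rest.split()[0]
            if not ip.startswith(LOOPBACK):
                findings.append(("hosts entry pointing somewhere other than loopback", entry))
    return findings


if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_DDS):
        print(f"[{reason}] {entry}")
```

On the excerpt this reports four items: dds.scr running from the user's Desktop (the scanner itself, expected), the orphaned BHO CLSID, the bare RtHDVCpl.exe Run key, and the startup shortcut pointing at c:\ddi\AOLICON.exe. The Spybot hosts immunisation entry resolves to 127.0.0.1 and is correctly left alone. Each flagged item still has to be checked by hand against the vendor and file signature before calling it anything.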



#2 Farbar


Posted 24 May 2010 - 04:54 AM

Hi Tamz411,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow users to share files between them, as the name suggests. In today's world cybercrime has grown to an enormous scale, and any means is used to infect personal computers to make use of their stored data or processing power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they should thus be used with great care. Some further reading on this subject, via the included links: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


I don't see any malware and I'm afraid hacking will not show on that type of log. Let's make sure of that.
  1. You have the latest version of Java (Java 6 Update 20) and it is good. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
    Please follow these steps to remove older version Java components:
    Click "start" and then "Control Panel" icon.
    Doubleclick the "Add or Remove Programs" icon
    A list of programs installed will be "populated" this may take a bit of time.
    Uninstall the following by clicking on the following entries and selecting "remove":

    Java™ SE Runtime Environment 6

  2. Please download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



#3 Tamz411


Posted 24 May 2010 - 01:02 PM

Hey Farbar, thanks for assisting me with my problem. I have done as you have instructed and uninstalled Java SE Environment 6, and have also installed and run MBAM. After running MBAM, 2 objects were deemed infected and, after disinfection, the resulting log was created.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4139

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

24/05/2010 1:55:22 PM
mbam-log-2010-05-24 (13-55-22).txt

Scan type: Quick scan
Objects scanned: 119536
Time elapsed: 10 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\{fa8edcdd-efa2-477b-b00a-7f28f02cd37e} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Once again, thank you for helping me with this problem.

#4 Farbar


Posted 24 May 2010 - 01:09 PM

Tell me if apart from that incident you have observed any suspicious activity.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push



#5 Tamz411

  • Topic Starter

Posted 24 May 2010 - 04:34 PM

Farbar, I have completed a scan with the ESET online scanner and it has not found any threats. Aside from the downloading from megaupload problem I have not noticed any other suspicious activity. I have changed the password for my wireless network and have even reformatted my laptop as I have mentioned before but the problem is still there.

#6 Farbar

  • Security Developer
  • Location:The Netherlands

Posted 24 May 2010 - 06:02 PM

We are going to dig deeper and at the same time keep an eye on this computer for a while. Please, from now on, tell me in detail if you observe any suspicious activity.
  1. You have the program Spybot S&D (Teatimer option) running on your machine. We need to disable TeaTimer so it does not interfere with the fixes we are about to do. This will only take a few seconds.
    1. First disable TeaTimer:
      • Run Spybot-S&D
      • Go to the Mode menu, and make sure Advanced Mode is selected
      • On the left hand side, choose Tools -> Resident
      • Uncheck Resident TeaTimer and OK any prompts
      • Restart your computer.
      Instruction is also here: How to disable TeaTimer during HijackThis Cleanup
      Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
    2. Then download ResetTeaTimer.exe to your desktop.
      • Double-click ResetTeaTimer.exe and let it run.
    Note: The Teatimer should be kept disabled until I give you the clean sign.

  2. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with the tool. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • You will get a warning about the not trusted download sites for ComboFix, click Yes.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#7 Tamz411

  • Topic Starter

Posted 24 May 2010 - 07:35 PM

Hey farbar, I have run ComboFix as directed and the following log was produced.

ComboFix 10-05-24.03 - Henry 24/05/2010 20:03:37.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2038.1211 [GMT -4:00]
Running from: c:\users\Henry\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\pswi_preloaded.exe

.
((((((((((((((((((((((((( Files Created from 2010-04-25 to 2010-05-25 )))))))))))))))))))))))))))))))
.

2010-05-24 17:43 . 2010-05-24 17:43 -------- d-----w- c:\users\Henry\AppData\Roaming\Malwarebytes
2010-05-24 17:43 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-24 17:43 . 2010-05-24 17:43 -------- d-----w- c:\programdata\Malwarebytes
2010-05-24 17:43 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-24 17:43 . 2010-05-24 17:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-23 20:11 . 2010-05-23 20:12 -------- d-----w- c:\users\Henry\AppData\Roaming\Media Player Classic
2010-05-23 20:08 . 2010-03-15 09:31 165376 ----a-w- c:\windows\system32\unrar.dll
2010-05-23 20:08 . 2010-05-23 20:08 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-05-22 00:43 . 2010-05-22 00:43 -------- d-----w- c:\program files\Windows Portable Devices
2010-05-21 23:29 . 2010-05-21 23:29 -------- d-----w- c:\program files\Trend Micro
2010-05-21 23:18 . 2010-05-22 00:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-21 23:18 . 2010-05-22 00:03 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-21 17:38 . 2010-05-21 17:38 -------- d-----w- c:\program files\Foxit Software
2010-05-21 17:31 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2010-05-21 17:31 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-05-21 17:31 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2010-05-21 17:29 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2010-05-21 17:29 . 2009-10-01 01:02 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2010-05-21 17:29 . 2009-10-01 01:01 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2010-05-21 17:29 . 2009-10-01 01:01 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2010-05-21 17:29 . 2009-10-01 01:02 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2010-05-21 17:29 . 2009-10-01 01:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2010-05-21 17:29 . 2009-10-01 01:01 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2010-05-21 17:29 . 2009-10-01 01:02 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2010-05-21 17:29 . 2009-10-01 01:01 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2010-05-21 17:29 . 2009-10-01 01:01 350208 ----a-w- c:\windows\system32\WPDSp.dll
2010-05-21 17:29 . 2009-10-01 01:01 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2010-05-21 17:29 . 2009-10-01 01:01 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2010-05-21 17:27 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-05-21 17:27 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-05-21 17:27 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-05-21 17:24 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-05-21 17:24 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-05-21 17:24 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-05-21 16:49 . 2010-05-21 16:50 -------- d-----w- c:\windows\system32\ca-ES
2010-05-21 16:49 . 2010-05-21 16:50 -------- d-----w- c:\windows\system32\eu-ES
2010-05-21 16:49 . 2010-05-21 16:49 -------- d-----w- c:\windows\system32\vi-VN
2010-05-20 14:14 . 2010-05-20 14:14 -------- d-----w- c:\windows\system32\EventProviders
2010-05-20 06:56 . 2009-04-11 06:28 302592 ----a-w- c:\windows\system32\QAGENTRT.DLL
2010-05-20 06:55 . 2009-04-11 06:28 61440 ----a-w- c:\windows\system32\wscsvc.dll
2010-05-20 06:54 . 2009-04-11 06:27 21504 ----a-w- c:\windows\system32\msacm32.drv
2010-05-20 06:53 . 2009-04-11 06:28 247808 ----a-w- c:\windows\system32\drvstore.dll
2010-05-20 06:39 . 2008-05-27 04:59 18904 ----a-w- c:\windows\system32\StructuredQuerySchemaTrivial.bin
2010-05-20 06:19 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-05-20 06:18 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-20 04:24 . 2010-05-20 04:25 -------- d-----w- c:\users\Henry\AppData\Local\Microsoft Games
2010-05-20 02:26 . 2010-05-20 02:26 -------- d-----w- C:\PerfLogs
2010-05-19 19:15 . 2008-01-19 07:36 215552 ----a-w- c:\windows\system32\winrsmgr.dll
2010-05-19 19:14 . 2008-01-19 07:36 75776 ----a-w- c:\windows\system32\synceng.dll
2010-05-19 19:13 . 2008-01-19 07:38 46080 ----a-w- c:\windows\system32\NAPCRYPT.DLL
2010-05-19 19:12 . 2008-01-19 07:37 55296 ----a-w- c:\windows\system32\WUDFSvc.dll
2010-05-19 19:11 . 2008-01-19 07:37 36864 ----a-w- c:\windows\system32\wshcon.dll
2010-05-19 19:10 . 2008-01-19 07:34 102400 ----a-w- c:\windows\system32\wbem\mofinstall.dll
2010-05-19 19:10 . 2008-01-19 07:36 357888 ----a-w- c:\windows\system32\wbemcomn.dll
2010-05-19 19:10 . 2008-01-19 07:36 129536 ----a-w- c:\windows\system32\sqmapi.dll
2010-05-19 19:10 . 2008-01-19 07:36 139264 ----a-w- c:\windows\system32\SmiInstaller.dll
2010-05-19 19:10 . 2008-01-19 07:35 35328 ----a-w- c:\windows\system32\mspatcha.dll
2010-05-19 19:10 . 2008-01-19 07:34 305152 ----a-w- c:\windows\system32\msdelta.dll
2010-05-19 19:10 . 2008-01-19 07:34 258560 ----a-w- c:\windows\system32\dpx.dll
2010-05-19 15:05 . 2010-05-19 15:05 377344 ----a-w- c:\windows\system32\winhttp.dll
2010-05-19 14:39 . 2010-05-19 14:39 -------- d-----w- C:\Intel
2010-05-19 05:34 . 2010-05-19 05:34 499712 ----a-w- c:\windows\system32\kerberos.dll
2010-05-19 05:34 . 2010-05-19 05:34 270848 ----a-w- c:\windows\system32\schannel.dll
2010-05-19 05:32 . 2010-05-19 05:32 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-05-19 05:32 . 2010-05-19 05:32 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-05-19 05:32 . 2010-05-19 05:32 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-05-19 05:32 . 2010-05-19 05:32 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-05-19 05:32 . 2010-05-19 05:32 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-05-19 05:32 . 2010-05-19 05:32 471552 ----a-w- c:\windows\system32\secproc.dll
2010-05-19 05:32 . 2010-05-19 05:32 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-05-19 05:32 . 2010-05-19 05:32 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-05-19 05:32 . 2010-05-19 05:32 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-05-19 04:49 . 2010-05-19 04:49 91136 ----a-w- c:\windows\system32\avifil32.dll
2010-05-19 04:49 . 2010-05-19 04:49 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-05-19 04:49 . 2010-05-19 04:49 65024 ----a-w- c:\windows\system32\avicap32.dll
2010-05-19 04:49 . 2010-05-19 04:49 31744 ----a-w- c:\windows\system32\msvidc32.dll
2010-05-19 04:49 . 2010-05-19 04:49 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-05-19 04:49 . 2010-05-19 04:49 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-05-19 04:49 . 2010-05-19 04:49 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-05-19 04:49 . 2010-05-19 04:49 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-05-19 04:49 . 2010-05-19 04:49 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-05-19 04:49 . 2010-05-19 04:49 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2010-05-19 03:58 . 2010-05-19 03:58 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-19 03:58 . 2010-05-19 03:58 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-19 03:58 . 2010-05-19 03:58 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-05-19 03:58 . 2010-05-19 03:58 23552 ----a-w- c:\windows\system32\lpk.dll
2010-05-19 03:58 . 2010-05-19 03:58 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-05-19 03:58 . 2010-05-19 03:58 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-05-19 03:57 . 2010-05-19 03:57 61440 ----a-w- c:\windows\system32\winipsec.dll
2010-05-19 03:57 . 2010-05-19 03:57 272896 ----a-w- c:\windows\system32\polstore.dll
2010-05-19 03:54 . 2010-05-19 03:54 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-05-19 03:54 . 2010-05-19 03:54 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-05-19 03:48 . 2010-05-19 03:48 17920 ----a-w- c:\windows\system32\netevent.dll
2010-05-19 03:48 . 2010-05-19 03:48 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2010-05-19 03:48 . 2010-05-19 03:48 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2010-05-19 03:48 . 2010-05-19 03:48 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2010-05-19 03:48 . 2010-05-19 03:48 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2010-05-19 03:48 . 2010-05-19 03:48 19968 ----a-w- c:\windows\system32\ARP.EXE
2010-05-19 03:48 . 2010-05-19 03:48 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2010-05-19 03:48 . 2010-05-19 03:48 105984 ----a-w- c:\windows\system32\netiohlp.dll
2010-05-19 03:48 . 2010-05-19 03:48 10240 ----a-w- c:\windows\system32\finger.exe
2010-05-19 03:42 . 2010-05-19 03:42 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2010-05-19 03:42 . 2010-05-19 03:42 68096 ----a-w- c:\windows\system32\wlanhlp.dll
2010-05-19 03:42 . 2010-05-19 03:42 65024 ----a-w- c:\windows\system32\wlanapi.dll
2010-05-19 03:42 . 2010-05-19 03:42 513536 ----a-w- c:\windows\system32\wlansvc.dll
2010-05-19 03:42 . 2010-05-19 03:42 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2010-05-19 03:42 . 2010-05-19 03:42 302592 ----a-w- c:\windows\system32\wlansec.dll
2010-05-19 03:42 . 2010-05-19 03:42 15181 ----a-w- c:\windows\system32\gatherWirelessInfo.vbs
2010-05-19 03:40 . 2010-05-19 03:40 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-05-19 03:40 . 2010-05-19 03:40 1401856 ----a-w- c:\windows\system32\msxml6.dll
2010-05-19 03:40 . 2010-05-19 03:40 2048 ----a-w- c:\windows\system32\msxml3r.dll
2010-05-19 03:40 . 2010-05-19 03:40 2048 ----a-w- c:\windows\system32\msxml6r.dll
2010-05-19 03:38 . 2010-05-19 03:38 175104 ----a-w- c:\windows\system32\wdigest.dll
2010-05-19 03:38 . 2010-05-19 03:38 9728 ----a-w- c:\windows\system32\lsass.exe
2010-05-19 03:38 . 2010-05-19 03:38 72704 ----a-w- c:\windows\system32\secur32.dll
2010-05-19 03:38 . 2010-05-19 03:38 439864 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2010-05-19 03:38 . 2010-05-19 03:38 218624 ----a-w- c:\windows\system32\msv1_0.dll
2010-05-19 03:38 . 2010-05-19 03:38 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2010-05-19 03:36 . 2010-05-19 03:36 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-05-19 03:36 . 2010-05-19 03:36 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-05-19 03:36 . 2010-05-19 03:36 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-05-19 03:34 . 2010-05-19 03:34 98816 ----a-w- c:\windows\system32\mfps.dll
2010-05-19 03:34 . 2010-05-19 03:34 53248 ----a-w- c:\windows\system32\rrinstaller.exe
2010-05-19 03:34 . 2010-05-19 03:34 2868224 ----a-w- c:\windows\system32\mf.dll
2010-05-19 03:34 . 2010-05-19 03:34 24576 ----a-w- c:\windows\system32\mfpmp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-24 17:42 . 2007-08-26 21:43 -------- d-----w- c:\program files\Java
2010-05-24 17:42 . 2007-08-26 21:43 -------- d-----w- c:\program files\Common Files\Java
2010-05-22 00:43 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-05-22 00:42 . 2010-05-22 00:42 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-05-21 16:50 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-05-21 16:50 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-21 16:50 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-05-21 16:50 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-05-21 16:50 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-05-21 16:50 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-05-21 16:50 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-05-20 15:32 . 2007-08-26 21:38 -------- d-----w- c:\programdata\Sony Corporation
2010-05-20 04:09 . 2010-05-20 04:09 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2010-05-20 02:04 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-05-20 02:04 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-05-19 02:37 . 2010-05-19 02:36 6224896 ----a-w- c:\windows\system32\NlsLexicons0027.dll
2010-05-19 01:17 . 2010-05-19 01:17 2560 ----a-w- c:\windows\AppPatch\AcRes.dll
2010-05-18 23:17 . 2010-05-18 19:53 -------- d-----w- c:\users\Henry\AppData\Roaming\Sony Corporation
2010-05-18 22:38 . 2010-05-18 21:25 0 ---ha-r- c:\windows\system32\drivers\Sony_VGN-NR110E.mrk
2010-05-18 21:53 . 2007-08-26 21:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-18 21:42 . 2007-08-26 21:26 -------- d-----w- c:\program files\Common Files\Sony Shared
2010-05-18 21:41 . 2007-08-26 21:07 -------- d-----w- c:\program files\Common Files\InstallShield
2010-05-18 21:24 . 2007-08-26 21:26 -------- d-----w- c:\program files\Sony
2010-05-18 20:26 . 2007-08-26 21:41 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-18 19:45 . 2010-05-18 19:45 -------- d-sh--we c:\programdata\Templates
2010-05-18 19:45 . 2010-05-18 19:45 -------- d-sh--we c:\programdata\Start Menu
2010-05-18 19:45 . 2010-05-18 19:45 -------- d-sh--we c:\programdata\Favorites
2010-05-18 19:45 . 2010-05-18 19:45 -------- d-sh--we c:\programdata\Documents
2010-05-18 19:45 . 2010-05-18 19:45 -------- d-sh--we c:\programdata\Desktop
2010-04-17 02:12 . 2010-04-17 02:12 48464 ----a-w- c:\windows\system32\sirenacm.dll
2007-08-26 21:25 . 2007-08-26 21:25 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AOLOverlayIcon]
@="{AB0C8BE3-041C-47d6-8195-E089D32B38DD}"
[HKEY_CLASSES_ROOT\CLSID\{AB0C8BE3-041C-47d6-8195-E089D32B38DD}]
2007-08-15 16:42 303104 ------w- c:\ddi\OverIcon.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\Henry\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-05-18 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2007-06-25 4489216]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-06-08 118784]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2007-06-12 317560]
"VAIO Center Access Bar"="c:\program files\sony\VAIO Center Access Bar\VCAB.exe" [2007-06-21 53248]
"VWLASU"="c:\program files\Sony\VAIO PC Wireless LAN Wizard\AutoLaunchWLASU.exe" [2007-07-12 45056]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-01-27 1312848]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-03 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-03 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-26 137752]
"Skytel"="Skytel.exe" [2007-06-25 1826816]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

c:\users\Henry\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech . Product Registration.lnk - c:\program files\Common Files\LogiShrd\eReg\SetPoint\eReg.exe [2009-11-16 517384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2007-07-25 02:26 98304 ----a-w- c:\windows\System32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):ea,7b,58,b0,06,f9,ca,01

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-05-18 691696]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2009-12-02 42368]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2009-09-28 16472]
R3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;c:\program files\Sony\VAIO Media Integrated Server\UCLS.exe [2007-01-10 745472]
R3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);c:\program files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe [2007-06-20 397312]
R3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);c:\program files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [2007-06-20 1089536]
R3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2007-07-13 292152]
R3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe [2007-07-06 79736]
S2 NSUService;NSUService;c:\program files\Sony\Network Utility\NSUService.exe [2007-06-29 200704]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-06-05 812544]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-05-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1379995223-1739261550-1418516463-1002Core.job
- c:\users\Henry\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-18 21:26]

2010-05-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1379995223-1739261550-1418516463-1002UA.job
- c:\users\Henry\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-18 21:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sony.com/vaiopeople
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-24 20:11
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1379995223-1739261550-1418516463-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*1*6*_*b*y*_*¨`\OpenWithList]
@Class="Shell"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-05-24 20:15:30
ComboFix-quarantined-files.txt 2010-05-25 00:15

Pre-Run: 55,009,597,952 bytes free
Post-Run: 54,737,612,288 bytes free

- - End Of File - - 2D11A913C958A590B2864698CC885F79
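An added triage helper, not part of this thread or of ComboFix itself, that parses entries in the "Files Created" layout used by the ComboFix log above and flags the two things a helper looks at first: executables in user-writable locations such as c:\programdata (where ComboFix removed pswi_preloaded.exe) and files carrying hidden or system attributes. The sample lines are constructed; the size and timestamps on the pswi_preloaded.exe line are placeholders, since the log above lists that file only under "Other Deletions".

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout of the "Files Created" section above.
# The pswi_preloaded.exe size/timestamps are placeholders (not from the log).
SAMPLE_LOG = """\
2010-05-24 17:43 . 2010-04-29 19:39 38224 ----a-w- c:\\windows\\system32\\drivers\\mbamswissarmy.sys
2010-05-24 17:43 . 2010-05-24 17:43 -------- d-----w- c:\\programdata\\Malwarebytes
2010-05-18 19:45 . 2010-05-18 19:45 -------- d-sh--we c:\\programdata\\Templates
2010-05-20 04:09 . 2010-05-20 04:09 0 ---ha-w- c:\\windows\\system32\\drivers\\Msft_User_WpdFs_01_00_00.Wdf
2010-05-20 03:00 . 2010-05-20 03:00 99999 ----a-w- c:\\programdata\\pswi_preloaded.exe
.
((((( header lines and separators are skipped by the parser )))))
"""

# <created> . <modified> <size or "--------" for directories> <8-char attrs> <path>
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) (?P<attrs>\S{8}) (?P<path>.+)$"
)


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None for directories (ComboFix prints "--------")
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def system(self) -> bool:
        # In the attribute strings above, 's' sits at position 2 (e.g. "d-sh--we").
        return self.attrs[2] == "s"

    @property
    def hidden(self) -> bool:
        # 'h' sits at position 3 (e.g. "---ha-w-").
        return self.attrs[3] == "h"


def parse_entries(text: str) -> List[Entry]:
    """Return one Entry per line that matches the ComboFix entry layout."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # section headers, "." separators, blank lines
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


# Locations an unprivileged user (or malware running as one) can write to.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Produce (path, reason) leads for a human reviewer; these are not verdicts.

    Directories are skipped: junctions such as c:\\programdata\\Templates are
    legitimately system+hidden, as the log above shows.
    """
    findings: List[Tuple[str, str]] = []
    for e in entries:
        if e.is_dir:
            continue
        low = e.path.lower()
        if low.endswith(EXEC_EXT) and low.startswith(USER_WRITABLE):
            findings.append((e.path, "executable in user-writable location"))
        if e.hidden or e.system:
            # Benign hits occur too (the WPD .Wdf marker above is one); review, don't delete.
            findings.append((e.path, "hidden/system attribute on a file"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(parse_entries(SAMPLE_LOG)):
        print(f"{reason}: {path}")
```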


#8 Farbar

  • Security Developer
  • Location:The Netherlands

Posted 25 May 2010 - 05:08 AM

There is nothing on the ComboFix log to worry us.

Let's do this first then we will take the next step. We are going to keep an eye on this PC until we have made sure.

Close any open browsers.

Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

CODE
RegNull::
[HKEY_USERS\S-1-5-21-1379995223-1739261550-1418516463-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*1*6*_*b*y*_*¨`\OpenWithList]
RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


#9 Tamz411

  • Topic Starter

Posted 25 May 2010 - 04:15 PM

Hey farbar, it's good to hear nothing is worrying in the combofix log! :D
Attached below is the log from Combofix run with the script.

ComboFix 10-05-24.07 - Henry 25/05/2010 17:02:00.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2038.1251 [GMT -4:00]
Running from: c:\users\Henry\Desktop\ComboFix.exe
Command switches used :: c:\users\Henry\Desktop\CFscript.txt
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-04-25 to 2010-05-25 )))))))))))))))))))))))))))))))
.

2010-05-25 21:09 . 2010-05-25 21:09 -------- d-----w- c:\users\Henry\AppData\Local\temp
2010-05-25 21:09 . 2010-05-25 21:09 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-25 21:09 . 2010-05-25 21:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-24 17:43 . 2010-05-24 17:43 -------- d-----w- c:\users\Henry\AppData\Roaming\Malwarebytes
2010-05-24 17:43 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-24 17:43 . 2010-05-24 17:43 -------- d-----w- c:\programdata\Malwarebytes
2010-05-24 17:43 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-24 17:43 . 2010-05-24 17:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-23 20:11 . 2010-05-23 20:12 -------- d-----w- c:\users\Henry\AppData\Roaming\Media Player Classic
2010-05-23 20:08 . 2010-03-15 09:31 165376 ----a-w- c:\windows\system32\unrar.dll
2010-05-23 20:08 . 2010-05-23 20:08 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-05-22 00:43 . 2010-05-22 00:43 -------- d-----w- c:\program files\Windows Portable Devices
2010-05-21 23:29 . 2010-05-21 23:29 -------- d-----w- c:\program files\Trend Micro
2010-05-21 23:18 . 2010-05-22 00:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-21 23:18 . 2010-05-22 00:03 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-21 17:38 . 2010-05-21 17:38 -------- d-----w- c:\program files\Foxit Software
2010-05-21 17:31 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2010-05-21 17:31 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-05-21 17:31 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2010-05-21 17:29 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2010-05-21 17:29 . 2009-10-01 01:02 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2010-05-21 17:29 . 2009-10-01 01:01 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2010-05-21 17:29 . 2009-10-01 01:01 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2010-05-21 17:29 . 2009-10-01 01:02 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2010-05-21 17:29 . 2009-10-01 01:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2010-05-21 17:29 . 2009-10-01 01:01 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2010-05-21 17:29 . 2009-10-01 01:02 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2010-05-21 17:29 . 2009-10-01 01:01 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2010-05-21 17:29 . 2009-10-01 01:01 350208 ----a-w- c:\windows\system32\WPDSp.dll
2010-05-21 17:29 . 2009-10-01 01:01 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2010-05-21 17:29 . 2009-10-01 01:01 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2010-05-21 17:27 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-05-21 17:27 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-05-21 17:27 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-05-21 17:24 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-05-21 17:24 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-05-21 17:24 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-05-21 16:49 . 2010-05-21 16:50 -------- d-----w- c:\windows\system32\ca-ES
2010-05-21 16:49 . 2010-05-21 16:50 -------- d-----w- c:\windows\system32\eu-ES
2010-05-21 16:49 . 2010-05-21 16:49 -------- d-----w- c:\windows\system32\vi-VN
2010-05-20 14:14 . 2010-05-20 14:14 -------- d-----w- c:\windows\system32\EventProviders
2010-05-20 06:56 . 2009-04-11 06:28 302592 ----a-w- c:\windows\system32\QAGENTRT.DLL
2010-05-20 06:55 . 2009-04-11 06:28 61440 ----a-w- c:\windows\system32\wscsvc.dll
2010-05-20 06:54 . 2009-04-11 06:27 21504 ----a-w- c:\windows\system32\msacm32.drv
2010-05-20 06:53 . 2009-04-11 06:28 247808 ----a-w- c:\windows\system32\drvstore.dll
2010-05-20 06:39 . 2008-05-27 04:59 18904 ----a-w- c:\windows\system32\StructuredQuerySchemaTrivial.bin
2010-05-20 06:19 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-05-20 06:18 . 2010-01-29 15:40 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-20 04:24 . 2010-05-20 04:25 -------- d-----w- c:\users\Henry\AppData\Local\Microsoft Games
2010-05-20 02:26 . 2010-05-20 02:26 -------- d-----w- C:\PerfLogs
2010-05-19 19:15 . 2008-01-19 07:36 215552 ----a-w- c:\windows\system32\winrsmgr.dll
2010-05-19 19:14 . 2008-01-19 07:36 75776 ----a-w- c:\windows\system32\synceng.dll
2010-05-19 19:13 . 2008-01-19 07:38 46080 ----a-w- c:\windows\system32\NAPCRYPT.DLL
2010-05-19 19:12 . 2008-01-19 07:37 55296 ----a-w- c:\windows\system32\WUDFSvc.dll
2010-05-19 19:11 . 2008-01-19 07:37 36864 ----a-w- c:\windows\system32\wshcon.dll
2010-05-19 19:10 . 2008-01-19 07:34 102400 ----a-w- c:\windows\system32\wbem\mofinstall.dll
2010-05-19 19:10 . 2008-01-19 07:36 357888 ----a-w- c:\windows\system32\wbemcomn.dll
2010-05-19 19:10 . 2008-01-19 07:36 129536 ----a-w- c:\windows\system32\sqmapi.dll
2010-05-19 19:10 . 2008-01-19 07:36 139264 ----a-w- c:\windows\system32\SmiInstaller.dll
2010-05-19 19:10 . 2008-01-19 07:35 35328 ----a-w- c:\windows\system32\mspatcha.dll
2010-05-19 19:10 . 2008-01-19 07:34 305152 ----a-w- c:\windows\system32\msdelta.dll
2010-05-19 19:10 . 2008-01-19 07:34 258560 ----a-w- c:\windows\system32\dpx.dll
2010-05-19 15:05 . 2010-05-19 15:05 377344 ----a-w- c:\windows\system32\winhttp.dll
2010-05-19 14:39 . 2010-05-19 14:39 -------- d-----w- C:\Intel
2010-05-19 05:34 . 2010-05-19 05:34 499712 ----a-w- c:\windows\system32\kerberos.dll
2010-05-19 05:34 . 2010-05-19 05:34 270848 ----a-w- c:\windows\system32\schannel.dll
2010-05-19 05:32 . 2010-05-19 05:32 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-05-19 05:32 . 2010-05-19 05:32 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-05-19 05:32 . 2010-05-19 05:32 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-05-19 05:32 . 2010-05-19 05:32 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-05-19 05:32 . 2010-05-19 05:32 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-05-19 05:32 . 2010-05-19 05:32 471552 ----a-w- c:\windows\system32\secproc.dll
2010-05-19 05:32 . 2010-05-19 05:32 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-05-19 05:32 . 2010-05-19 05:32 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-05-19 05:32 . 2010-05-19 05:32 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-05-19 04:49 . 2010-05-19 04:49 91136 ----a-w- c:\windows\system32\avifil32.dll
2010-05-19 04:49 . 2010-05-19 04:49 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-05-19 04:49 . 2010-05-19 04:49 65024 ----a-w- c:\windows\system32\avicap32.dll
2010-05-19 04:49 . 2010-05-19 04:49 31744 ----a-w- c:\windows\system32\msvidc32.dll
2010-05-19 04:49 . 2010-05-19 04:49 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-05-19 04:49 . 2010-05-19 04:49 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-05-19 04:49 . 2010-05-19 04:49 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-05-19 04:49 . 2010-05-19 04:49 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-05-19 04:49 . 2010-05-19 04:49 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-05-19 04:49 . 2010-05-19 04:49 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2010-05-19 03:58 . 2010-05-19 03:58 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-19 03:58 . 2010-05-19 03:58 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-19 03:58 . 2010-05-19 03:58 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-05-19 03:58 . 2010-05-19 03:58 23552 ----a-w- c:\windows\system32\lpk.dll
2010-05-19 03:58 . 2010-05-19 03:58 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-05-19 03:58 . 2010-05-19 03:58 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-05-19 03:57 . 2010-05-19 03:57 61440 ----a-w- c:\windows\system32\winipsec.dll
2010-05-19 03:57 . 2010-05-19 03:57 272896 ----a-w- c:\windows\system32\polstore.dll
2010-05-19 03:54 . 2010-05-19 03:54 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-05-19 03:54 . 2010-05-19 03:54 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-05-19 03:48 . 2010-05-19 03:48 17920 ----a-w- c:\windows\system32\netevent.dll
2010-05-19 03:48 . 2010-05-19 03:48 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2010-05-19 03:48 . 2010-05-19 03:48 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2010-05-19 03:48 . 2010-05-19 03:48 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2010-05-19 03:48 . 2010-05-19 03:48 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2010-05-19 03:48 . 2010-05-19 03:48 19968 ----a-w- c:\windows\system32\ARP.EXE
2010-05-19 03:48 . 2010-05-19 03:48 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2010-05-19 03:48 . 2010-05-19 03:48 105984 ----a-w- c:\windows\system32\netiohlp.dll
2010-05-19 03:48 . 2010-05-19 03:48 10240 ----a-w- c:\windows\system32\finger.exe
2010-05-19 03:42 . 2010-05-19 03:42 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2010-05-19 03:42 . 2010-05-19 03:42 68096 ----a-w- c:\windows\system32\wlanhlp.dll
2010-05-19 03:42 . 2010-05-19 03:42 65024 ----a-w- c:\windows\system32\wlanapi.dll
2010-05-19 03:42 . 2010-05-19 03:42 513536 ----a-w- c:\windows\system32\wlansvc.dll
2010-05-19 03:42 . 2010-05-19 03:42 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2010-05-19 03:42 . 2010-05-19 03:42 302592 ----a-w- c:\windows\system32\wlansec.dll
2010-05-19 03:42 . 2010-05-19 03:42 15181 ----a-w- c:\windows\system32\gatherWirelessInfo.vbs
2010-05-19 03:40 . 2010-05-19 03:40 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-05-19 03:40 . 2010-05-19 03:40 1401856 ----a-w- c:\windows\system32\msxml6.dll
2010-05-19 03:40 . 2010-05-19 03:40 2048 ----a-w- c:\windows\system32\msxml3r.dll
2010-05-19 03:40 . 2010-05-19 03:40 2048 ----a-w- c:\windows\system32\msxml6r.dll
2010-05-19 03:38 . 2010-05-19 03:38 175104 ----a-w- c:\windows\system32\wdigest.dll
2010-05-19 03:38 . 2010-05-19 03:38 9728 ----a-w- c:\windows\system32\lsass.exe
2010-05-19 03:38 . 2010-05-19 03:38 72704 ----a-w- c:\windows\system32\secur32.dll
2010-05-19 03:38 . 2010-05-19 03:38 439864 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2010-05-19 03:38 . 2010-05-19 03:38 218624 ----a-w- c:\windows\system32\msv1_0.dll
2010-05-19 03:38 . 2010-05-19 03:38 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2010-05-19 03:36 . 2010-05-19 03:36 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-05-19 03:36 . 2010-05-19 03:36 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-05-19 03:36 . 2010-05-19 03:36 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-05-19 03:34 . 2010-05-19 03:34 98816 ----a-w- c:\windows\system32\mfps.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-24 17:42 . 2007-08-26 21:43 -------- d-----w- c:\program files\Java
2010-05-24 17:42 . 2007-08-26 21:43 -------- d-----w- c:\program files\Common Files\Java
2010-05-22 00:43 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-05-22 00:42 . 2010-05-22 00:42 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-05-21 16:50 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-05-21 16:50 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-21 16:50 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-05-21 16:50 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-05-21 16:50 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-05-21 16:50 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-05-21 16:50 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-05-20 15:32 . 2007-08-26 21:38 -------- d-----w- c:\programdata\Sony Corporation
2010-05-20 04:09 . 2010-05-20 04:09 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2010-05-20 02:04 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-05-20 02:04 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-05-19 02:37 . 2010-05-19 02:36 6224896 ----a-w- c:\windows\system32\NlsLexicons0027.dll
2010-05-19 01:17 . 2010-05-19 01:17 2560 ----a-w- c:\windows\AppPatch\AcRes.dll
2010-05-18 23:17 . 2010-05-18 19:53 -------- d-----w- c:\users\Henry\AppData\Roaming\Sony Corporation
2010-05-18 22:38 . 2010-05-18 21:25 0 ---ha-r- c:\windows\system32\drivers\Sony_VGN-NR110E.mrk
2010-05-18 21:53 . 2007-08-26 21:08 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-18 21:42 . 2007-08-26 21:26 -------- d-----w- c:\program files\Common Files\Sony Shared
2010-05-18 21:41 . 2007-08-26 21:07 -------- d-----w- c:\program files\Common Files\InstallShield
2010-05-18 21:24 . 2007-08-26 21:26 -------- d-----w- c:\program files\Sony
2010-05-18 20:26 . 2007-08-26 21:41 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-18 19:45 . 2010-05-18 19:45 -------- d-sh--we c:\programdata\Templates
2010-05-18 19:45 . 2010-05-18 19:45 -------- d-sh--we c:\programdata\Start Menu
2010-05-18 19:45 . 2010-05-18 19:45 -------- d-sh--we c:\programdata\Favorites
2010-05-18 19:45 . 2010-05-18 19:45 -------- d-sh--we c:\programdata\Documents
2010-05-18 19:45 . 2010-05-18 19:45 -------- d-sh--we c:\programdata\Desktop
2010-04-17 02:12 . 2010-04-17 02:12 48464 ----a-w- c:\windows\system32\sirenacm.dll
2007-08-26 21:25 . 2007-08-26 21:25 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2010-05-25_00.11.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-19 02:53 . 2010-05-19 02:53 19456 c:\windows\winsxs\x86_microsoft-windows-i..rnational-timezones_31bf3856ad364e35_6.0.6002.18248_none_170a947c06d19246\tzupd.exe
+ 2010-05-19 02:53 . 2010-05-19 02:53 19456 c:\windows\winsxs\x86_microsoft-windows-i..rnational-timezones_31bf3856ad364e35_6.0.6001.18464_none_150a7fae09bf1281\tzupd.exe
+ 2007-08-26 20:57 . 2010-05-25 21:00 34720 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2010-05-25 21:00 59200 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2010-05-18 19:46 . 2010-05-25 20:57 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-05-18 19:46 . 2010-05-25 00:00 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-05-18 19:46 . 2010-05-25 20:57 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-05-18 19:46 . 2010-05-25 00:00 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-05-18 19:46 . 2010-05-25 20:57 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-05-18 19:46 . 2010-05-25 00:00 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-05-19 16:17 . 2010-05-25 00:37 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-05-19 16:17 . 2010-05-24 17:58 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-05-19 16:17 . 2010-05-25 00:37 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-05-19 16:17 . 2010-05-24 17:58 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-05-19 16:17 . 2010-05-25 00:37 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-05-19 16:17 . 2010-05-24 17:58 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-05-18 19:54 . 2010-05-25 21:00 5300 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1379995223-1739261550-1418516463-1002_UserData.bin
- 2010-05-24 23:59 . 2010-05-24 23:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-05-25 20:57 . 2010-05-25 20:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-05-24 23:59 . 2010-05-24 23:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-05-25 20:57 . 2010-05-25 20:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-05-20 14:07 . 2010-05-25 20:24 162428 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2010-05-19 06:24 . 2010-05-25 03:26 180420 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2006-11-02 10:33 . 2010-05-25 00:07 608706 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2010-05-25 21:05 608706 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2010-05-25 00:07 109542 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2010-05-25 21:05 109542 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:22 . 2010-05-25 20:53 6553600 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2006-11-02 10:22 . 2010-05-24 17:56 6553600 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2010-05-20 01:23 . 2010-05-25 20:37 136842534 c:\windows\winsxs\ManifestCache\6.0.6002.18005_001c11ba_blobs.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AOLOverlayIcon]
@="{AB0C8BE3-041C-47d6-8195-E089D32B38DD}"
[HKEY_CLASSES_ROOT\CLSID\{AB0C8BE3-041C-47d6-8195-E089D32B38DD}]
2007-08-15 16:42 303104 ------w- c:\ddi\OverIcon.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\Henry\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-05-18 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2007-06-25 4489216]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-06-08 118784]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2007-06-12 317560]
"VAIO Center Access Bar"="c:\program files\sony\VAIO Center Access Bar\VCAB.exe" [2007-06-21 53248]
"VWLASU"="c:\program files\Sony\VAIO PC Wireless LAN Wizard\AutoLaunchWLASU.exe" [2007-07-12 45056]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-01-27 1312848]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-03 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-03 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-26 137752]
"Skytel"="Skytel.exe" [2007-06-25 1826816]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

c:\users\Henry\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech . Product Registration.lnk - c:\program files\Common Files\LogiShrd\eReg\SetPoint\eReg.exe [2009-11-16 517384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2007-07-25 02:26 98304 ----a-w- c:\windows\System32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):ea,7b,58,b0,06,f9,ca,01

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-05-18 691696]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2009-12-02 42368]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2009-09-28 16472]
R3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;c:\program files\Sony\VAIO Media Integrated Server\UCLS.exe [2007-01-10 745472]
R3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);c:\program files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe [2007-06-20 397312]
R3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);c:\program files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [2007-06-20 1089536]
R3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2007-07-13 292152]
R3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe [2007-07-06 79736]
S2 NSUService;NSUService;c:\program files\Sony\Network Utility\NSUService.exe [2007-06-29 200704]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-06-05 812544]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-05-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1379995223-1739261550-1418516463-1002Core.job
- c:\users\Henry\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-18 21:26]

2010-05-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1379995223-1739261550-1418516463-1002UA.job
- c:\users\Henry\AppData\Local\Google\Update\GoogleUpdate.exe [2010-05-18 21:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sony.com/vaiopeople
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-25 17:09
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1379995223-1739261550-1418516463-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*1*6*_*b*y*_*¨`\OpenWithList]
@Class="Shell"
.
Completion time: 2010-05-25 17:12:44
ComboFix-quarantined-files.txt 2010-05-25 21:12
ComboFix2.txt 2010-05-25 00:15

Pre-Run: 54,825,101,312 bytes free
Post-Run: 54,565,511,168 bytes free

- - End Of File - - 11A7993E151A84C0E50C79F4E439C06B


#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:51 AM

Posted 25 May 2010 - 05:30 PM

This is not a big deal but better to remove it:

Press Windows Key+R to bring up the Run box, type regedit and click OK.
Navigate to the following sub-key:

HKEY_USERS\S-1-5-21-1379995223-1739261550-1418516463-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts

Under this sub-key there is another sub-key with a weird name. If you expand the sub-key with the weird name there is a sub-key named OpenWithList.

In the right panel of the OpenWithList you see a value referring to Shell under data. This was just to make sure you have the right one. Select the sub-key with the weird name and delete it.

You may use the following tool in the coming days for observation and save a log when you notice any unusual internet (download or upload) activity:

Download CurrPorts.
  • Unzip cports.zip to its own folder.
  • Run cports.exe.
  • Under Options the Auto Refresh should be set to 5 seconds.
  • Close all other open windows.
  • Use Ctrl+A to select all the items.
  • Use Ctrl+S. Alternatively under File menu click Save Selected Items.
  • Give a name and save the log as a txt file.
  • Open the saved log file. Copy and paste the content to your reply.


Note that you don't need to run the tool all the time or save the log. No need to make an obsession out of it.

In case you suspect anything make a log and attach it to your reply.

I'll keep this thread open for one week of observation; then we decide about it, and even when we close it you have the option to come back and I'll assist you.
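The registry check from the post above, scripted so a defender can inspect the FileExts sub-keys of a profile instead of eyeballing them in regedit. This is an added example, not Farbar's tool or anything posted in the thread. It assumes the user's hive is loaded under HKEY_USERS (the SID is the one shown in the ComboFix log; replace it for another profile), it uses -LiteralPath throughout because a bogus key name may contain `*` or `?`, and it only reports by default: nothing is deleted unless -Remove is passed and each deletion is confirmed.

```powershell
# Added example, not from the thread: report FileExts sub-keys whose names cannot be
# real file extensions, for one user's hive. Report-only unless -Remove is given.
param(
    # SID taken from the ComboFix log in this thread; replace with the profile under review
    [string]$Sid = 'S-1-5-21-1379995223-1739261550-1418516463-1002',
    [switch]$Remove
)

$base = "Registry::HKEY_USERS\$Sid\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts"
if (-not (Test-Path -LiteralPath $base)) {
    Write-Warning "Key not found (user hive not loaded, or wrong SID): $base"
    return
}

# A legitimate FileExts key is ".ext": a dot followed by letters, digits, '-', '_' or '~'.
$validExt = '^\.[A-Za-z0-9_\-~]{1,64}$'

# -LiteralPath everywhere: odd key names may contain '*' or '?', which are wildcards otherwise.
$suspects = Get-ChildItem -LiteralPath $base | Where-Object { $_.PSChildName -notmatch $validExt }

foreach ($key in $suspects) {
    $name   = $key.PSChildName
    # count control characters and anything above printable ASCII in the key name
    $oddChr = @($name.ToCharArray() | Where-Object { [int]$_ -lt 32 -or [int]$_ -gt 126 }).Count
    $subs   = @(Get-ChildItem -LiteralPath $key.PSPath -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty PSChildName)

    [pscustomobject]@{
        KeyName         = $name
        OddCharacters   = $oddChr
        HasOpenWithList = ($subs -contains 'OpenWithList')
        SubKeys         = ($subs -join ', ')
        Path            = $key.Name
    }

    if ($Remove) {
        # -Confirm prompts for every key; nothing is removed silently
        Remove-Item -LiteralPath $key.PSPath -Recurse -Confirm
    }
}
```

Run it as the user whose profile is under review (or after loading that hive), first without -Remove, and compare the reported key with the one ComboFix listed under LOCKED REGISTRY KEYS. The `@Class="Shell"` line in the ComboFix output is the key's class string, which the standard registry cmdlets do not expose, so the script identifies the key by its name and by the presence of an OpenWithList sub-key instead. A key whose name contains characters the registry cmdlets cannot address (embedded nulls, for instance) will be reported but may fail to delete; that is a case for a dedicated removal tool, not for the script.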

#11 Tamz411

Tamz411
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:03:51 AM

Posted 25 May 2010 - 06:17 PM

Hey farbar, I could not find the sub-key with the weird name under the directory you listed. I have attached the log file output by CurrPorts. Thanks again for taking the time to help me with my problem!

Attached Files

  • Attached File  log1.txt   60.97KB   7 downloads

Edited by Tamz411, 25 May 2010 - 06:31 PM.


#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:51 AM

Posted 25 May 2010 - 07:26 PM

Just to let you know there was no suspicious activity. But it shows there was MSN Messenger contact and some Googling. It is better not to initiate and load the internet traffic when you want to make a log to know if there is internet activity without your own initiation.

Let me know if something comes up.
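A scripted stand-in for the CurrPorts capture Farbar asked for in post #10 (select all, save as txt), added here as an example that is neither part of the thread nor NirSoft's tool. It snapshots established and connecting TCP sessions with their owning process, writes a timestamped text file, and then prints only the connections that do not belong to processes you started yourself, which is the point made above about not generating your own traffic while logging. It assumes Windows 8 or later, where Get-NetTCPConnection exists; the output folder and the list of "own traffic" process names are assumptions to adjust.

```powershell
# Added example, not from the thread or from NirSoft: snapshot outbound TCP connections
# with their owning process and write them to a timestamped text file. Assumes Windows 8+
# (Get-NetTCPConnection). Output folder and the own-traffic list are adjustable assumptions.
param(
    [string]$OutDir = "$env:USERPROFILE\Desktop\connection-logs",
    # processes whose traffic you started yourself (browser, messenger) and want filtered out
    [string[]]$OwnTraffic = @('chrome', 'firefox', 'iexplore', 'msnmsgr')
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$outFile = Join-Path $OutDir "connections-$stamp.txt"

# Resolve PIDs to names/paths once; a process may exit before we look it up.
$procs = @{}
foreach ($p in Get-Process) { $procs[[int]$p.Id] = $p }

$local = @('127.0.0.1', '::1', '0.0.0.0', '::')
$rows = foreach ($c in Get-NetTCPConnection -State Established, SynSent) {
    if ($local -contains $c.RemoteAddress) { continue }   # skip loopback / unspecified
    $p     = $procs[[int]$c.OwningProcess]
    $pname = if ($p) { $p.ProcessName } else { '<exited>' }
    $ppath = if ($p) { $p.Path } else { $null }           # null for protected system processes
    [pscustomobject]@{
        Time          = $stamp
        Process       = $pname
        ProcessId     = $c.OwningProcess
        LocalPort     = $c.LocalPort
        RemoteAddress = $c.RemoteAddress
        RemotePort    = $c.RemotePort
        State         = $c.State
        ImagePath     = $ppath
    }
}
$rows = @($rows | Sort-Object Process, RemoteAddress)

# Full snapshot to disk, same shape as the CurrPorts text export: one line per connection.
$rows | Format-Table -AutoSize | Out-String -Width 300 | Set-Content -Path $outFile
Write-Host "Saved $($rows.Count) connection(s) to $outFile"

# What is talking out that you did not start yourself.
$rows | Where-Object { $OwnTraffic -notcontains $_.Process } |
    Format-Table Process, ProcessId, RemoteAddress, RemotePort, State -AutoSize
```

Take the snapshot while the machine is idle and again when the symptom appears (the unexplained download, in this thread), and compare the two files: a process with a remote session that is not in either your own-traffic list or your installed software is what to attach to the reply. ImagePath is empty for processes the script lacks rights to query, so run it from an elevated prompt when that column matters.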

#13 Tamz411

Tamz411
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:03:51 AM

Posted 25 May 2010 - 08:20 PM

Okay, thanks for all the help farbar, I'll keep you posted if I find something weird.

#14 Tamz411

Tamz411
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:03:51 AM

Posted 25 May 2010 - 10:49 PM

Hey farbar, the megaupload incident occurred again and this is the log cports created when I ran it. Once again, after resetting the wifi on my laptop, I was able to download again. :(

Attached Files

  • Attached File  log2.txt   23.48KB   10 downloads


#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:51 AM

Posted 26 May 2010 - 05:59 AM

Please next time let me know before resetting your WIFI.

How do you reset your WIFI?



