Google search hijack


2 replies to this topic

#1 Stongsf1

  • Members
  • 1 posts

Posted 19 June 2010 - 01:35 PM

Let me make the story short: I have been in the IT field for 15 years and have never seen something so hard to cure.

Any search topic from Google will go to random sites.

1) I am using McAfee 8.5 Enterprise on my laptop on Windows XP.

2) Installed Malwarebytes -- failed

3) Ad-Aware -- failed

4) Spyware Doctor -- can't find it

5) Webroot -- failed

6) AVG -- failed

7) Alwil -- failed

8) ComboFix found catchme and cleaned it; problem still there.

9) SDFix ran, found and removed something (ADS check) -- problem still there.

10) ComboFix found nothing; still got hijacked.


First ComboFix log
ComboFix 10-06-18.03 - sxtea 06/19/2010 10:38:35.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1521 [GMT -7:00]
Running from: c:\documents and settings\sxtea.TONG\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
AV: Webroot Internet Security Essentials *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
FW: Webroot Internet Security Essentials *disabled* {63671000-11A2-46DD-BADD-A084CABCDEAE}
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2010-05-19 to 2010-06-19 )))))))))))))))))))))))))))))))
.

2010-06-19 16:58 . 2010-06-19 16:58 578560 ----a-w- c:\windows\system32\dllcache\user32.dll
2010-06-19 16:47 . 2010-06-19 16:47 -------- d-----w- c:\windows\ERUNT
2010-06-19 16:45 . 2010-06-19 16:45 -------- d-----w- C:\backups
2010-06-19 16:45 . 2010-06-19 16:45 -------- d-----w- C:\backupreg
2010-06-19 16:45 . 2008-04-14 00:12 146432 ----a-w- C:\editreg.exe
2010-06-19 16:45 . 2008-04-14 00:12 27136 ----a-w- C:\rtsdnif.exe
2010-06-19 16:45 . 2008-04-14 00:12 12288 ----a-w- C:\attrib.exe
2010-06-19 16:45 . 2004-08-04 10:00 9216 ----a-w- C:\dnif.exe
2010-06-19 16:42 . 2010-06-19 16:36 1529241 ----a-w- C:\SDFix.exe
2010-06-19 16:37 . 2010-06-19 17:17 -------- d-----w- C:\SDFix
2010-06-19 04:48 . 2010-06-19 04:48 -------- d-----w- c:\program files\Alwil Software
2010-06-19 04:48 . 2010-06-19 04:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-06-19 04:29 . 2010-06-19 04:29 -------- d-----w- c:\documents and settings\sxtea.TONG\Local Settings\Application Data\Threat Expert
2010-06-19 04:03 . 2010-06-19 04:42 -------- d-----w- c:\program files\Spyware Doctor
2010-06-19 04:03 . 2010-06-19 04:41 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-18 02:14 . 2010-06-18 02:17 -------- d-----w- c:\documents and settings\sherwood\Local Settings\Application Data\Adobe
2010-06-17 05:41 . 2010-06-17 05:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2010-06-17 05:37 . 2010-06-17 05:37 -------- d-----w- c:\program files\AVG
2010-06-16 05:59 . 2010-06-16 05:59 -------- d-----w- c:\program files\Trend Micro
2010-06-16 03:44 . 2010-06-16 03:44 -------- d-----w- c:\program files\Microsoft System Center Virtual Machine Manager 2008 R2
2010-06-16 03:32 . 2010-06-16 03:43 -------- d-----w- c:\documents and settings\All Users\Application Data\VMMLogs
2010-06-15 21:25 . 2010-06-19 10:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-06-15 14:16 . 2010-06-15 14:16 -------- d-----w- c:\documents and settings\sxtea.TONG\Application Data\Malwarebytes
2010-06-15 14:16 . 2010-06-15 14:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-15 11:08 . 2010-06-15 11:08 -------- d--h--w- c:\documents and settings\LocalService\Application Data\GTek
2010-06-15 11:04 . 2010-06-15 11:04 -------- d-----w- c:\program files\Sunbelt Software
2010-06-15 05:01 . 2010-06-15 05:01 -------- d-----w- c:\program files\Webroot
2010-06-15 03:26 . 2010-06-15 03:26 -------- d-----w- c:\program files\MSSOAP
2010-06-14 06:00 . 2010-06-15 11:02 -------- d-----w- c:\documents and settings\sxtea.TONG\Application Data\Webroot
2010-06-14 05:01 . 2010-06-17 04:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-14 05:01 . 2010-06-17 04:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-14 04:38 . 2010-06-14 04:38 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-13 05:06 . 2010-06-13 05:07 8258496 ----a-w- c:\documents and settings\sxtea.TONG\Application Data\Uniblue\DriverScanner\LatestUpdate.exe
2010-06-12 05:47 . 2010-06-12 05:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-11 16:15 . 2010-06-11 16:15 -------- d-----w- c:\documents and settings\sxtea.TONG\Application Data\SystemTools
2010-06-11 14:20 . 2010-06-11 14:20 -------- d-----w- c:\documents and settings\SXTEA~1~TON\LOCALS~1
2010-06-11 14:20 . 2010-06-11 14:20 -------- d-----w- c:\documents and settings\SXTEA~1~TON
2010-06-11 07:33 . 2010-06-11 07:55 52322075 ----a-w- c:\documents and settings\sxtea.TONG\Application Data\Uniblue\DriverScanner\Download\pci_ven_8086_dev_4222_subsys_1020808610_5_1_84.exe
2010-06-11 07:32 . 2005-09-01 18:41 92032 ----a-w- c:\windows\system32\drivers\KMW_SYS.sys
2010-06-11 07:32 . 2005-09-01 18:41 5760 ----a-w- c:\windows\system32\drivers\KMW_KBD.sys
2010-06-11 07:32 . 2005-09-01 18:41 10496 ----a-w- c:\windows\system32\drivers\KMW_USB.sys
2010-06-11 07:32 . 2005-09-01 18:41 4992 ----a-w- c:\windows\system32\drivers\KMW_LIB.sys
2010-06-11 07:29 . 2010-06-13 05:06 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverScanner
2010-06-11 07:29 . 2010-06-11 07:29 -------- d-----w- c:\documents and settings\sxtea.TONG\Application Data\Uniblue
2010-06-11 06:56 . 2008-05-01 23:35 53248 ----a-w- c:\windows\system32\CSVer.dll
2010-06-11 06:56 . 2007-03-16 21:59 54272 ----a-w- c:\windows\system32\drivers\sfng32.sys
2010-06-11 06:55 . 2010-06-11 06:55 -------- d-----w- c:\program files\SigmaTel
2010-06-11 06:55 . 2010-06-11 14:20 -------- d-----w- C:\Intel
2010-06-11 05:26 . 2010-06-11 05:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Driver Whiz
2010-06-11 02:59 . 2010-06-13 06:25 -------- d-----w- c:\documents and settings\sxtea.TONG\Local Settings\Application Data\Deployment
2010-06-10 02:47 . 2010-06-10 02:47 -------- d-----w- c:\program files\SonicWALL
2010-06-09 05:02 . 2010-06-16 17:07 -------- d-----w- c:\windows\system32\NtmsData
2010-06-02 03:29 . 2010-06-02 03:50 -------- d-----w- C:\A867UCHJ3
2010-06-02 03:24 . 2010-06-02 03:24 76083188 ----a-w- C:\A867UCHJ3.zip
2010-06-02 00:41 . 2010-06-02 00:41 -------- d-----w- c:\documents and settings\sxtea.TONG\Application Data\Samsung
2010-05-26 23:41 . 2010-05-26 23:41 -------- d-----w- c:\documents and settings\sxtea.TONG\Application Data\Leadertech
2010-05-26 23:41 . 2010-05-26 23:50 -------- d-----w- c:\documents and settings\sxtea.TONG\Application Data\Smart Label Printer
2010-05-26 23:40 . 2010-05-26 23:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Smart Label Printer
2010-05-26 23:40 . 2010-05-26 23:40 -------- d-----w- c:\documents and settings\sxtea.TONG\Local Settings\Application Data\Smart Label Printer
2010-05-26 23:40 . 2010-05-26 23:40 -------- d-----w- c:\documents and settings\sxtea.TONG\Local Settings\Application Data\Downloaded Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-19 17:49 . 2009-10-09 01:47 12 ----a-w- c:\windows\bthservsdp.dat
2010-06-19 10:32 . 2007-09-06 16:08 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-06-18 07:50 . 2010-04-29 00:21 -------- d-----w- c:\documents and settings\sxtea.TONG\Application Data\VMware
2010-06-18 07:40 . 2010-05-09 15:55 90432 ----a-w- c:\documents and settings\sherwood\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-17 16:14 . 2010-06-11 07:32 7304 ----a-w- c:\windows\TMP0001.TMP
2010-06-17 08:17 . 2009-08-24 22:16 74156 ---ha-w- c:\windows\system32\mlfcache.dat
2010-06-17 08:16 . 2010-04-24 05:55 -------- d-----w- c:\documents and settings\sxtea.TONG\Application Data\Apple Computer
2010-06-16 03:54 . 2010-05-21 07:15 90432 ----a-w- c:\documents and settings\sherwooda.TONG\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-15 02:56 . 2007-05-14 22:23 362830 ----a-w- c:\windows\system32\nvModes.dat
2010-06-13 06:19 . 2010-06-11 06:56 10032 ----a-w- c:\windows\system32\drivers\sthdae.log
2010-06-13 05:05 . 2010-06-13 05:05 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2010-06-12 01:25 . 2007-05-14 22:46 -------- d-----w- c:\program files\Google
2010-06-11 06:55 . 2007-05-14 22:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-31 10:53 . 2010-05-05 16:32 -------- d-----w- c:\documents and settings\sxtea.TONG\Application Data\Download Manager
2010-05-20 19:16 . 2010-04-20 19:21 -------- d-----w- c:\documents and settings\sxtea.TONG\Application Data\Ahead
2010-05-20 19:14 . 2010-03-28 05:30 90432 ----a-w- c:\documents and settings\sxtea.TONG\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-18 05:10 . 2007-11-06 18:31 -------- d-----w- c:\program files\Veritas
2010-05-18 05:09 . 2007-11-06 18:32 -------- d-----w- c:\program files\Common Files\Veritas Shared
2010-05-16 05:47 . 2007-11-06 18:35 -------- d-----w- c:\program files\Symantec
2010-05-16 05:45 . 2007-11-06 18:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Veritas
2010-05-16 05:31 . 2010-05-16 05:31 -------- d-----w- c:\documents and settings\sxtea.TONG\Application Data\PC Suite
2010-05-07 17:36 . 2010-05-07 17:36 -------- d-----w- c:\documents and settings\sxtea.TONG\Application Data\CyberLink
2010-05-07 07:51 . 2010-05-07 07:15 -------- d-----w- c:\program files\Boson Router Simulator
2010-05-07 07:39 . 2010-05-07 07:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Boson Software
2010-05-07 00:14 . 2010-05-07 00:12 91280 ----a-w- c:\documents and settings\sherwooda\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-29 15:19 . 2010-04-29 15:19 25214 ----a-r- c:\documents and settings\sxtea.TONG\Application Data\Microsoft\Installer\{8AE14D16-E81C-4B17-9B81-84B73D6B8049}\ARPPRODUCTICON.exe
2010-04-29 01:31 . 2007-06-14 21:10 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2010-04-26 23:14 . 2007-05-20 04:41 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-26 22:29 . 2010-04-26 22:29 -------- d-----w- c:\documents and settings\sxtea.TONG\Application Data\Media Player Classic
2008-02-21 05:50 . 2007-05-20 04:39 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-02-21 05:50 . 2007-05-20 04:39 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-02-21 05:50 . 2007-05-20 04:39 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-02-21 05:50 . 2007-05-20 04:39 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-02-21 05:50 . 2007-05-20 04:39 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

[7] 2008-04-14 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[-] 2008-04-14 08:40 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-06-19_11.29.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-19 16:47 . 2010-06-19 16:47 8192 c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2010-06-19 16:48 . 2010-06-19 16:48 8192 c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-07-16 18:20 . 2010-06-19 17:54 212339 c:\windows\system32\inetsrv\MetaBase.bin
+ 2004-08-11 22:06 . 2010-06-19 16:30 330688 c:\windows\system32\FNTCACHE.DAT
- 2004-08-11 22:06 . 2010-05-18 04:55 330688 c:\windows\system32\FNTCACHE.DAT
+ 2010-06-19 16:47 . 2008-08-07 22:27 163328 c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2010-06-19 16:48 . 2008-08-07 22:27 163328 c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2010-06-19 16:47 . 2010-06-19 16:47 1015808 c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2010-06-19 16:48 . 2010-06-19 16:48 1015808 c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 153136]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-20 45632]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-10-17 111952]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 576320]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-17 1392640]
"nwiz"="nwiz.exe" [2007-11-17 1626112]
"NVHotkey"="nvHotkey.dll" [2007-11-17 86016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-17 81920]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2006-06-29 1032192]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 169264]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"SonicWALLNetExtender"="c:\program files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe" [2010-04-02 1103744]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"PMTray"="d:\program files\Dell\OpenManage\Network Manager\oware\bin\pmtray.exe" [2010-06-16 61440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-3-14 2756608]
SmartCapture.lnk - d:\smart\slpcap.exe [2009-11-23 75136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2008-01-15 01:02 229376 ----a-w- c:\progra~1\Stardock\OBJECT~2\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"c:\\Program Files\\Tencent\\QQMusic\\QzoneMusic.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"d:\\Program Files\\Tencent\\QQ\\Bin\\QQ.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [7/3/2008 4:31 PM 160640]
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [7/3/2008 4:31 PM 5248]
R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [7/3/2008 1:26 PM 38448]
R1 vcdrom;Virtual CD-ROM Device Driver;d:\download\Microsoft\VCdRom.sys [4/25/2010 12:51 AM 8576]
R2 MSExchangeMGMT;Microsoft Exchange Management;c:\program files\Exchsrvr\bin\exmgmt.exe [5/21/2007 1:53 PM 3117568]
R3 NxDrv;SonicWALL NetExtender Adapter;c:\windows\system32\drivers\NxDrv.sys [10/21/2009 11:27 AM 22600]
R3 vdiskbus;Virtual Disk Bus;c:\windows\system32\drivers\VDiskBus.sys [7/9/2008 1:08 AM 35107]
S3 ADM851X;ADM851X USB To Fast Ethernet Adapter;c:\windows\system32\drivers\ADM851X.SYS [1/13/2010 12:08 AM 22144]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [1/2/2009 11:46 PM 36608]
S3 GPMON_SRV;Group Policy Monitor;c:\windows\system32\GPMON\GPMonSrv.exe [3/10/2003 5:56 PM 67584]
S3 IACtrl;IA Analysing v2.0;d:\program files\Pointdev\IDEAL Administration\IACtrl.exe [7/22/2008 11:25 AM 118784]
S3 OWProcMan;Dell OpenManage Network Manager;d:\progra~1\dell\openma~1\networ~1\oware\bin\owprocman.exe [6/16/2010 9:46 AM 45056]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 4:43 PM 32408]
S3 vsinstdv;vsinstdv;\??\c:\docume~1\sxte\LOCALS~1\Temp\{D6E88299-45C1-4794-A6B9-4226C3F77A47}\vsinstdv.sys --> c:\docume~1\sxte\LOCALS~1\Temp\{D6E88299-45C1-4794-A6B9-4226C3F77A47}\vsinstdv.sys [?]
S4 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [1/2/2009 11:46 PM 233472]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 6:17 AM 2805000]
S4 WRConsumerService;Webroot Client Service;"c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe" --> c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [?]
UnknownUnknown dsload;dsload; [x]

--- Other Services/Drivers In Memory ---

*Deregistered* - dsgrab_01c99d15e37ae188

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} - hxxps://sslvpn.onlok.org/NELX.cab
DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} - hxxp://www.aquire.com/codebase71/OrgPubX.cab
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-19 10:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8B0B7EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9f57cb8
\Driver\atapi -> 0x8ae59e98
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> NDIS.sys @ 0xb9dacbb0
PacketIndicateHandler -> NDIS.sys @ 0xb9db9a21
SendHandler -> NDIS.sys @ 0xb9d9787b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1292)
c:\windows\system32\WININET.dll
c:\progra~1\Stardock\OBJECT~2\WINDOW~1\wbsrv.dll

- - - - - - - > 'lsass.exe'(1352)
c:\windows\system32\WININET.dll
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(2680)
c:\windows\system32\WININET.dll
c:\windows\system32\hnetcfg.dll
c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
c:\program files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\system32\CCM\CcmExec.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
.
**************************************************************************
.
Completion time: 2010-06-19 10:59:59 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-19 17:59
ComboFix2.txt 2010-06-19 11:35

Pre-Run: 12,577,734,656 bytes free
Post-Run: 12,547,461,120 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - A12562A9FD0BA23BE538697B8151A81E


SDFix log


SDFix: Version 1.240
Run by sxtea on Sat 06/19/2010 at 10:00 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\tmp93.tmp - Deleted





Removing Temp Files

ADS Check :



Final Check :

driver loading error catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-19 10:14:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\001bdc000329]
"0023d6293c3c"=hex:80,04,e6,62,27,1c,38,42,d4,2c,63,16,26,6c,6c,0f
"00237af7353b"=hex:53,41,01,7a,aa,e4,32,0b,c0,a1,86,dd,0c,f7,09,52
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001bdc000329]
"0023d6293c3c"=hex:80,04,e6,62,27,1c,38,42,d4,2c,63,16,26,6c,6c,0f
"00237af7353b"=hex:53,41,01,7a,aa,e4,32,0b,c0,a1,86,dd,0c,f7,09,52
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg40]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001bdc000329]
"0023d6293c3c"=hex:80,04,e6,62,27,1c,38,42,d4,2c,63,16,26,6c,6c,0f
"00237af7353b"=hex:53,41,01,7a,aa,e4,32,0b,c0,a1,86,dd,0c,f7,09,52
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CE104917-EB06-42D0-ACD6-CE68D6D1A95E}]
"LeaseObtainedTime"=dword:4c1cfab3
"T1"=dword:4c1d01bb
"T2"=dword:4c1d0701
"LeaseTerminatesTime"=dword:4c1d08c3
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{CE104917-EB06-42D0-ACD6-CE68D6D1A95E}\Parameters\Tcpip]
"LeaseObtainedTime"=dword:4c1cfab3
"T1"=dword:4c1d01bb
"T2"=dword:4c1d0701
"LeaseTerminatesTime"=dword:4c1d08c3
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\001bdc000329]
"0023d6293c3c"=hex:80,04,e6,62,27,1c,38,42,d4,2c,63,16,26,6c,6c,0f
"00237af7353b"=hex:53,41,01,7a,aa,e4,32,0b,c0,a1,86,dd,0c,f7,09,52

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"D:\\Program Files\\SmartFTP Client\\SmartFTP.exe"="D:\\Program Files\\SmartFTP Client\\SmartFTP.exe:*:Enabled:SmartFTP Client 3.0"
"D:\\Program Files\\iTunes\\iTunes.exe"="D:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"="C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE:*:Enabled:SAgent4"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"="C:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe:*:Enabled:KTF MUSIC AoD Server"
"C:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"="C:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe:*:Enabled:KTF MUSIC VoD Server"
"C:\\Program Files\\Tencent\\QQMusic\\QzoneMusic.exe"="C:\\Program Files\\Tencent\\QQMusic\\QzoneMusic.exe:*:Enabled:Qzone-?c3.0 Beta02"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Enabled:@xpsp2res.dll,-22019"
"D:\\Program Files\\Tencent\\QQ\\Bin\\QQ.exe"="D:\\Program Files\\Tencent\\QQ\\Bin\\QQ.exe:*:Enabled:ŽETQQ2009"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"D:\\Program Files\\SmartFTP Client\\SmartFTP.exe"="D:\\Program Files\\SmartFTP Client\\SmartFTP.exe:*:Enabled:SmartFTP Client"
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"="C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 13 Apr 2008 1,695,232 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Sun 13 Apr 2008 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Thu 16 Aug 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 11 Jan 2010 47,616 ...H. --- "C:\Documents and Settings\sxte\My Documents\~WRL0001.tmp"
Sat 19 May 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 5 Jul 2000 0 A.SHR --- "C:\Documents and Settings\sxtea.TONG\Desktop\Wipe Boot disk\EBD.SYS"
Fri 21 Aug 2009 4,928,376 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\151487211cd04eae18dc7d2484909532\BIT16.tmp"
Sat 2 Jan 2010 486,912 ...H. --- "C:\Documents and Settings\sxte\Application Data\Microsoft\Word\~WRL3861.tmp"
Sun 4 Apr 2010 221,184 ...H. --- "C:\Documents and Settings\sxtea.TONG\Application Data\Microsoft\Word\~WRL0005.tmp"
Thu 8 Apr 2010 73,728 ...H. --- "C:\Documents and Settings\sxtea.TONG\Application Data\Microsoft\Word\~WRL0006.tmp"
Thu 8 Apr 2010 54,272 ...H. --- "C:\Documents and Settings\sxtea.TONG\Application Data\Microsoft\Word\~WRL0031.tmp"
Wed 7 Apr 2010 46,592 ...H. --- "C:\Documents and Settings\sxtea.TONG\Application Data\Microsoft\Word\~WRL0263.tmp"
Thu 8 Apr 2010 164,864 ...H. --- "C:\Documents and Settings\sxtea.TONG\Application Data\Microsoft\Word\~WRL0367.tmp"
Thu 8 Apr 2010 144,384 ...H. --- "C:\Documents and Settings\sxtea.TONG\Application Data\Microsoft\Word\~WRL1205.tmp"
Wed 7 Apr 2010 125,952 ...H. --- "C:\Documents and Settings\sxtea.TONG\Application Data\Microsoft\Word\~WRL1823.tmp"
Thu 8 Apr 2010 81,408 ...H. --- "C:\Documents and Settings\sxtea.TONG\Application Data\Microsoft\Word\~WRL2780.tmp"
Wed 7 Apr 2010 75,264 ...H. --- "C:\Documents and Settings\sxtea.TONG\Application Data\Microsoft\Word\~WRL2968.tmp"
Mon 14 May 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Mon 14 May 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Mon 14 May 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Mon 14 May 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"
Mon 14 May 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"
Mon 14 May 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch6\lock.tmp"

Finished!




Second ComboFix log

ComboFix 10-06-18.03 - sxtea 9/2010 Sat 4:10.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.950.852.1033.18.2046.1483 [GMT -7:00]
Running from: \\dc\g\Software\Security\Spyware doctor\ComboFix.exe
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
AV: Webroot Internet Security Essentials *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
FW: Webroot Internet Security Essentials *disabled* {63671000-11A2-46DD-BADD-A084CABCDEAE}
* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\sherwood\Application Data\chrtmp
c:\documents and settings\sxtea.TONG\Application Data\chrtmp
c:\documents and settings\sxtea.TONG\Local Settings\Temporary Internet Files\vci-00610642-2513-4ca9-8642-915e3364241a
c:\documents and settings\sxtea.TONG\Local Settings\Temporary Internet Files\vci-06c8babd-a20c-49d4-aa70-2916643785d5
c:\documents and settings\sxtea.TONG\Local Settings\Temporary Internet Files\vci-8893323e-893a-4325-827a-063174277811
c:\documents and settings\sxtea.TONG\Local Settings\Temporary Internet Files\vci-9455e832-bbef-4f61-a875-7e7e00bf323b
C:\Thumbs.db
c:\windows\system32\AutoRun.inf
c:\windows\system32\Cache
c:\windows\system32\st325602.dll
c:\windows\xpsp1hfm.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FILEMON
-------\Legacy_PASSWORD


((((((((((((((((((((((((( Files Created from 2010-05-19 to 2010-06-19 )))))))))))))))))))))))))))))))
.

2010-06-19 04:48 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-19 04:48 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-19 04:48 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-19 04:48 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-19 04:48 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-19 04:48 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-19 04:48 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-19 04:48 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-06-19 04:48 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-19 04:48 . 2010-06-19 04:48 -------- d-----w- c:\program files\Alwil Software
2010-06-19 04:48 . 2010-06-19 04:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-06-19 04:29 . 2010-06-19 04:29 -------- d-----w- c:\documents and settings\sxtea.TONG\Local Settings\Application Data\Threat Expert
2010-06-19 04:03 . 2010-06-19 04:42 -------- d-----w- c:\program files\Spyware Doctor
2010-06-19 04:03 . 2010-06-19 04:41 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-18 02:14 . 2010-06-18 02:17 -------- d-----w- c:\documents and settings\sherwood\Local Settings\Application Data\Adobe
2010-06-17 05:41 . 2010-06-17 05:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2010-06-17 05:37 . 2010-06-17 05:37 -------- d-----w- c:\program files\AVG
2010-06-16 05:59 . 2010-06-16 05:59 -------- d-----w- c:\program files\Trend Micro
2010-06-16 03:44 . 2010-06-16 03:44 -------- d-----w- c:\program files\Microsoft System Center Virtual Machine Manager 2008 R2
2010-06-16 03:32 . 2010-06-16 03:43 -------- d-----w- c:\documents and settings\All Users\Application Data\VMMLogs
2010-06-15 21:25 . 2010-06-19 10:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-06-15 14:16 . 2010-06-15 14:16 -------- d-----w- c:\documents and settings\sxtea.TONG\Application Data\Malwarebytes
2010-06-15 14:16 . 2010-06-15 14:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-15 11:08 . 2010-06-15 11:08 -------- d--h--w- c:\documents and settings\LocalService\Application Data\GTek
2010-06-15 11:04 . 2010-06-15 11:04 -------- d-----w- c:\program files\Sunbelt Software
2010-06-15 05:01 . 2010-06-15 05:01 -------- d-----w- c:\program files\Webroot
2010-06-15 03:26 . 2010-06-15 03:26 -------- d-----w- c:\program files\MSSOAP
2010-06-14 06:00 . 2010-06-15 11:02 -------- d-----w- c:\documents and settings\sxtea.TONG\Application Data\Webroot
2010-06-14 05:01 . 2010-06-17 04:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-14 05:01 . 2010-06-17 04:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-14 04:38 . 2010-06-14 04:38 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-13 05:06 . 2010-06-13 05:07 8258496 ----a-w- c:\documents and settings\sxtea.TONG\Application Data\Uniblue\DriverScanner\LatestUpdate.exe
2010-06-12 05:47 . 2010-06-12 05:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-11 16:15 . 2010-06-11 16:15 -------- d-----w- c:\documents and settings\sxtea.TONG\Application Data\SystemTools
2010-06-11 14:20 . 2010-06-11 14:20 -------- d-----w- c:\documents and settings\SXTEA~1~TON\LOCALS~1
2010-06-11 14:20 . 2010-06-11 14:20 -------- d-----w- c:\documents and settings\SXTEA~1~TON
2010-06-11 07:33 . 2010-06-11 07:55 52322075 ----a-w- c:\documents and settings\sxtea.TONG\Application Data\Uniblue\DriverScanner\Download\pci_ven_8086_dev_4222_subsys_1020808610_5_1_84.exe
2010-06-11 07:32 . 2005-09-01 18:41 92032 ----a-w- c:\windows\system32\drivers\KMW_SYS.sys
2010-06-11 07:32 . 2005-09-01 18:41 5760 ----a-w- c:\windows\system32\drivers\KMW_KBD.sys
2010-06-11 07:32 . 2005-09-01 18:41 10496 ----a-w- c:\windows\system32\drivers\KMW_USB.sys
2010-06-11 07:32 . 2005-09-01 18:41 4992 ----a-w- c:\windows\system32\drivers\KMW_LIB.sys
2010-06-11 07:29 . 2010-06-13 05:06 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverScanner
2010-06-11 07:29 . 2010-06-11 07:29 -------- d-----w- c:\documents and settings\sxtea.TONG\Application Data\Uniblue
2010-06-11 06:56 . 2008-05-01 23:35 53248 ----a-w- c:\windows\system32\CSVer.dll
2010-06-11 06:56 . 2007-03-16 21:59 54272 ----a-w- c:\windows\system32\drivers\sfng32.sys
2010-06-11 06:55 . 2010-06-11 06:55 -------- d-----w- c:\program files\SigmaTel
2010-06-11 06:55 . 2010-06-11 14:20 -------- d-----w- C:\Intel
2010-06-11 05:26 . 2010-06-11 05:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Driver Whiz
2010-06-11 02:59 . 2010-06-13 06:25 -------- d-----w- c:\documents and settings\sxtea.TONG\Local Settings\Application Data\Deployment
2010-06-10 02:47 . 2010-06-10 02:47 -------- d-----w- c:\program files\SonicWALL
2010-06-09 05:02 . 2010-06-16 17:07 -------- d-----w- c:\windows\system32\NtmsData
2010-06-02 03:29 . 2010-06-02 03:50 -------- d-----w- C:\A867UCHJ3
2010-06-02 03:24 . 2010-06-02 03:24 76083188 ----a-w- C:\A867UCHJ3.zip
2010-06-02 00:41 . 2010-06-02 00:41 -------- d-----w- c:\documents and settings\sxtea.TONG\Application Data\Samsung
2010-05-26 23:41 . 2010-05-26 23:41 -------- d-----w- c:\documents and settings\sxtea.TONG\Application Data\Leadertech
2010-05-26 23:41 . 2010-05-26 23:50 -------- d-----w- c:\documents and settings\sxtea.TONG\Application Data\Smart Label Printer
2010-05-26 23:40 . 2010-05-26 23:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Smart Label Printer
2010-05-26 23:40 . 2010-05-26 23:40 -------- d-----w- c:\documents and settings\sxtea.TONG\Local Settings\Application Data\Smart Label Printer
2010-05-26 23:40 . 2010-05-26 23:40 -------- d-----w- c:\documents and settings\sxtea.TONG\Local Settings\Application Data\Downloaded Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-19 11:24 . 2009-10-09 01:47 12 ----a-w- c:\windows\bthservsdp.dat
2010-06-19 10:32 . 2007-09-06 16:08 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-06-18 07:50 . 2010-04-29 00:21 -------- d-----w- c:\documents and settings\sxtea.TONG\Application Data\VMware
2010-06-18 07:40 . 2010-05-09 15:55 90432 ----a-w- c:\documents and settings\sherwood\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-17 16:14 . 2010-06-11 07:32 7304 ----a-w- c:\windows\TMP0001.TMP
2010-06-17 08:17 . 2009-08-24 22:16 74156 ---ha-w- c:\windows\system32\mlfcache.dat
2010-06-17 08:16 . 2010-04-24 05:55 -------- d-----w- c:\documents and settings\sxtea.TONG\Application Data\Apple Computer
2010-06-16 03:54 . 2010-05-21 07:15 90432 ----a-w- c:\documents and settings\sherwooda.TONG\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-15 02:56 . 2007-05-14 22:23 362830 ----a-w- c:\windows\system32\nvModes.dat
2010-06-13 06:19 . 2010-06-11 06:56 10032 ----a-w- c:\windows\system32\drivers\sthdae.log
2010-06-13 05:05 . 2010-06-13 05:05 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2010-06-12 01:25 . 2007-05-14 22:46 -------- d-----w- c:\program files\Google
2010-06-11 06:55 . 2007-05-14 22:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-31 10:53 . 2010-05-05 16:32 -------- d-----w- c:\documents and settings\sxtea.TONG\Application Data\Download Manager
2010-05-20 19:16 . 2010-04-20 19:21 -------- d-----w- c:\documents and settings\sxtea.TONG\Application Data\Ahead
2010-05-20 19:14 . 2010-03-28 05:30 90432 ----a-w- c:\documents and settings\sxtea.TONG\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-18 05:10 . 2007-11-06 18:31 -------- d-----w- c:\program files\Veritas
2010-05-18 05:09 . 2007-11-06 18:32 -------- d-----w- c:\program files\Common Files\Veritas Shared
2010-05-16 05:47 . 2007-11-06 18:35 -------- d-----w- c:\program files\Symantec
2010-05-16 05:45 . 2007-11-06 18:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Veritas
2010-05-16 05:31 . 2010-05-16 05:31 -------- d-----w- c:\documents and settings\sxtea.TONG\Application Data\PC Suite
2010-05-07 17:36 . 2010-05-07 17:36 -------- d-----w- c:\documents and settings\sxtea.TONG\Application Data\CyberLink
2010-05-07 07:51 . 2010-05-07 07:15 -------- d-----w- c:\program files\Boson Router Simulator
2010-05-07 07:39 . 2010-05-07 07:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Boson Software
2010-05-07 00:14 . 2010-05-07 00:12 91280 ----a-w- c:\documents and settings\sherwooda\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-29 15:19 . 2010-04-29 15:19 25214 ----a-r- c:\documents and settings\sxtea.TONG\Application Data\Microsoft\Installer\{8AE14D16-E81C-4B17-9B81-84B73D6B8049}\ARPPRODUCTICON.exe
2010-04-29 01:31 . 2007-06-14 21:10 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2010-04-26 23:14 . 2007-05-20 04:41 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-26 22:29 . 2010-04-26 22:29 -------- d-----w- c:\documents and settings\sxtea.TONG\Application Data\Media Player Classic
2008-02-21 05:50 . 2007-05-20 04:39 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-02-21 05:50 . 2007-05-20 04:39 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-02-21 05:50 . 2007-05-20 04:39 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-02-21 05:50 . 2007-05-20 04:39 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-02-21 05:50 . 2007-05-20 04:39 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

[7] 2008-04-14 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[-] 2008-04-14 01:40 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 153136]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-20 45632]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-10-17 111952]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 576320]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-17 1392640]
"nwiz"="nwiz.exe" [2007-11-17 1626112]
"NVHotkey"="nvHotkey.dll" [2007-11-17 86016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-17 81920]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2006-06-29 1032192]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" [2003-06-04 99840]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 169264]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"SonicWALLNetExtender"="c:\program files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe" [2010-04-02 1103744]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"PMTray"="d:\program files\Dell\OpenManage\Network Manager\oware\bin\pmtray.exe" [2010-06-16 61440]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-3-14 2756608]
SmartCapture.lnk - d:\smart\slpcap.exe [2009-11-23 75136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2008-01-15 01:02 229376 ----a-w- c:\progra~1\Stardock\OBJECT~2\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"c:\\Program Files\\Tencent\\QQMusic\\QzoneMusic.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"d:\\Program Files\\Tencent\\QQ\\Bin\\QQ.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [7/3/2008 4:31 PM 160640]
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [7/3/2008 4:31 PM 5248]
R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [7/3/2008 1:26 PM 38448]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/18/2010 9:48 PM 164048]
R1 vcdrom;Virtual CD-ROM Device Driver;d:\download\Microsoft\VCdRom.sys [4/25/2010 12:51 AM 8576]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/18/2010 9:48 PM 19024]
R2 MSExchangeMGMT;Microsoft Exchange Management;c:\program files\Exchsrvr\bin\exmgmt.exe [5/21/2007 1:53 PM 3117568]
R3 ADM851X;ADM851X USB To Fast Ethernet Adapter;c:\windows\system32\drivers\ADM851X.SYS [1/13/2010 12:08 AM 22144]
R3 NxDrv;SonicWALL NetExtender Adapter;c:\windows\system32\drivers\NxDrv.sys [10/21/2009 11:27 AM 22600]
R3 vdiskbus;Virtual Disk Bus;c:\windows\system32\drivers\VDiskBus.sys [7/9/2008 1:08 AM 35107]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [1/2/2009 11:46 PM 36608]
S3 GPMON_SRV;Group Policy Monitor;c:\windows\system32\GPMON\GPMonSrv.exe [3/10/2003 5:56 PM 67584]
S3 IACtrl;IA Analysing v2.0;d:\program files\Pointdev\IDEAL Administration\IACtrl.exe [7/22/2008 11:25 AM 118784]
S3 OWProcMan;Dell OpenManage Network Manager;d:\progra~1\dell\openma~1\networ~1\oware\bin\owprocman.exe [6/16/2010 9:46 AM 45056]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 4:43 PM 32408]
S3 vsinstdv;vsinstdv;\??\c:\docume~1\sxte\LOCALS~1\Temp\{D6E88299-45C1-4794-A6B9-4226C3F77A47}\vsinstdv.sys --> c:\docume~1\sxte\LOCALS~1\Temp\{D6E88299-45C1-4794-A6B9-4226C3F77A47}\vsinstdv.sys [?]
S4 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [1/2/2009 11:46 PM 233472]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 6:17 AM 2805000]
S4 WRConsumerService;Webroot Client Service;"c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe" --> c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [?]
UnknownUnknown dsload;dsload; [x]

--- Other Services/Drivers In Memory ---

*Deregistered* - dsgrab_01c99d15e37ae188

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB
DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} - hxxps://sslvpn.onlok.org/NELX.cab
DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} - hxxp://www.aquire.com/codebase71/OrgPubX.cab
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
.
------- File Associations -------
.
txtfile=c:\windows\notepad.exe %1
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NPSStartup - (no file)
HKU-Default-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
AddRemove-KB921896_SQLTools9 - c:\windows\SQLTools9_KB921896_ENU\Hotfix.exe
AddRemove-SMS Admin UI - c:\smsadmin\bin\i386\SETUP.EXE
AddRemove-Stardock Central - c:\progra~1\Stardock\SDCENT~1\UNWISE.EXE
AddRemove-{C427E746-4EC9-4E3C-AACB-C6BB1F714D7F} - c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}\DriverScanner_Setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-19 04:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8B0B2EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9f57cb8
\Driver\atapi -> 0x8aac6ad8
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1564)
c:\windows\system32\WININET.dll
c:\progra~1\Stardock\OBJECT~2\WINDOW~1\wbsrv.dll

- - - - - - - > 'lsass.exe'(1624)
c:\windows\system32\WININET.dll
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(1056)
c:\windows\system32\WININET.dll
c:\windows\system32\hnetcfg.dll
c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
c:\program files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll
d:\progra~1\JAMSOF~1\TREESI~1\FSizeCol.dll
c:\program files\Common Files\Ahead\Lib\NeroDigitalExt.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\system32\CCM\CcmExec.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\conime.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
.
**************************************************************************
.
Completion time: 2010-06-19 04:35:52 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-19 11:35

Pre-Run: 12,607,426,560 bytes free
Post-Run: 12,826,636,288 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-CHT.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 932202F51D69E96EAA9EBB27BD973641


ComboFix-quarantined-files.txt

2010-06-19 11:34:41 . 2010-06-19 11:34:41 2,008 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-{C427E746-4EC9-4E3C-AACB-C6BB1F714D7F}.reg.dat
2010-06-19 11:34:40 . 2010-06-19 11:34:40 560 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Stardock Central.reg.dat
2010-06-19 11:34:40 . 2010-06-19 11:34:40 720 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-SMS Admin UI.reg.dat
2010-06-19 11:34:40 . 2010-06-19 11:34:40 1,468 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-KB921896_SQLTools9.reg.dat
2010-06-19 11:33:16 . 2010-06-19 11:33:16 160 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKU-Default-Run-Picasa Media Detector.reg.dat
2010-06-19 11:33:11 . 2010-06-19 11:33:12 97 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NPSStartup.reg.dat
2010-06-19 11:18:38 . 2010-06-19 11:18:38 806 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_PASSWORD.reg.dat
2010-06-19 11:18:38 . 2010-06-19 11:18:38 798 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_FILEMON.reg.dat
2010-06-19 11:18:04 . 2010-06-19 17:45:35 16,345 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-06-19 10:59:04 . 2010-06-19 17:38:33 235 ----a-w- C:\Qoobox\Quarantine\catchme.log
2010-06-13 06:28:32 . 2007-08-21 16:58:12 146,944 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\st325602.dll.vir
2010-05-21 07:35:37 . 2010-05-21 07:35:37 0 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\sherwood\Application Data\chrtmp.vir
2010-05-21 06:47:38 . 2010-05-21 06:47:38 0 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\sxtea.TONG\Application Data\chrtmp.vir
2010-04-29 01:32:22 . 2010-04-29 01:32:22 11,894 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\sxtea.TONG\Local Settings\Temporary Internet Files\vci-06c8babd-a20c-49d4-aa70-2916643785d5.vir
2010-04-29 01:31:56 . 2010-04-29 01:32:21 658,024 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\sxtea.TONG\Local Settings\Temporary Internet Files\vci-00610642-2513-4ca9-8642-915e3364241a.vir
2010-04-29 01:31:56 . 2010-04-29 01:31:56 477 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\sxtea.TONG\Local Settings\Temporary Internet Files\vci-8893323e-893a-4325-827a-063174277811.vir
2010-04-29 01:31:47 . 2010-04-29 01:31:56 262 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\sxtea.TONG\Local Settings\Temporary Internet Files\vci-9455e832-bbef-4f61-a875-7e7e00bf323b.vir
2007-09-05 16:12:21 . 2008-01-25 19:22:10 5,632 ----a-w- C:\Qoobox\Quarantine\C\Thumbs.db.vir
2007-05-14 22:47:01 . 2007-06-08 16:47:13 2,150 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\xpsp1hfm.log.vir
2007-04-13 09:50:00 . 2007-04-13 09:50:00 77 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\autorun.inf.vir


Thanks for your help!

Sherwood

Edited by Blade Zephon, 19 June 2010 - 07:06 PM.
Removed formatting to make post readable ~BZ
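The second ComboFix log above carries three things a responder would pull out before anything else: the Sigcheck block where the live copy of atapi.sys could not be opened for hashing while the dllcache and ServicePackFiles copies could, the GMER block where \Driver\atapi resolves to a bare kernel address and the call chain ends in >>UNKNOWN<<, and the firewall keys showing the standard profile disabled with 3389/TCP globally open. The script below is an added triage helper, not part of the original post and not code from ComboFix or GMER. It parses those three blocks from a log excerpt and returns the findings as data rather than leaving them to be spotted by eye. SAMPLE_LOG is copied from the posted log; the regexes for the Sigcheck and hook line formats are my own assumptions about the layout ComboFix and GMER print and are not an official grammar for either tool.

```python
"""Triage a ComboFix / GMER log excerpt for the signs visible in the posted log.

Added example; not code from ComboFix or GMER. SAMPLE_LOG is copied from the
log in the post above. The line formats matched below are assumptions based
on how those lines appear in the log, not a published format.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
------- Sigcheck -------

[7] 2008-04-14 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[-] 2008-04-14 01:40 . !HASH: COULD NOT OPEN FILE !!!!! . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8B0B2EC5]<<
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9f57cb8
\Driver\atapi -> 0x8aac6ad8
Warning: possible MBR rootkit infection !
"""

# "[flag] date . hash . size . . [version] . . path" (assumed Sigcheck layout)
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2}(?: \d{2}:\d{2})?)\s+\.\s+"
    r"(?P<hash>.+?)\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<ver>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)
# "\Driver\X -> MODULE @ 0xADDR" or "\Driver\X -> 0xADDR" (assumed GMER hook layout)
HOOK_RE = re.compile(r"^(?P<obj>\\\S+)\s+->\s+(?:(?P<module>\S+)\s+@\s+)?(?P<addr>0x[0-9A-Fa-f]+)\s*$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


def parse_sigcheck(text):
    """One record per Sigcheck line; a copy that could not be hashed gets hash None."""
    records = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        path = m["path"].lower()
        records.append({
            "path": path,
            "name": path.rsplit("\\", 1)[-1],
            "version": m["ver"],
            "size": int(m["size"]),
            "hash": None if m["hash"].startswith("!HASH") else m["hash"].upper(),
        })
    return records


def sigcheck_findings(records):
    """Flag copies that could not be hashed, and copies that share a file name and
    version string with other copies but carry a different hash."""
    findings = []
    by_name_ver = defaultdict(list)
    for r in records:
        if r["hash"] is None:
            findings.append(f"unreadable: {r['path']}")
        else:
            by_name_ver[(r["name"], r["version"])].append(r)
    for (name, ver), copies in by_name_ver.items():
        if len({c["hash"] for c in copies}) > 1:
            findings.extend(f"hash mismatch {name} {ver}: {c['path']} {c['hash']}" for c in copies)
    return findings


def hook_findings(text):
    """Hooks whose handler is a bare address instead of a named module, plus any
    caller GMER printed as >>UNKNOWN<< in the call chain."""
    unresolved, unknown_callers = [], []
    for line in text.splitlines():
        line = line.strip()
        unknown_callers.extend(UNKNOWN_RE.findall(line))
        m = HOOK_RE.match(line)
        if m and m["module"] is None:
            unresolved.append((m["obj"], m["addr"]))
    return unresolved, unknown_callers


def firewall_findings(text):
    """Disabled firewall profile and globally open ports from the registry dump."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if re.match(r'"EnableFirewall"\s*=\s*0\b', line):
            findings.append("EnableFirewall=0")
        m = re.match(r'"(\d+:(?:TCP|UDP))"\s*=', line)
        if m:
            findings.append(f"open port {m[1]}")
    return findings


def triage(text):
    """Run all three checks and return the findings keyed by check."""
    unresolved, unknown = hook_findings(text)
    return {
        "sigcheck": sigcheck_findings(parse_sigcheck(text)),
        "unresolved_hooks": unresolved,
        "unknown_callers": unknown,
        "firewall": firewall_findings(text),
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key)
        for item in items:
            print("  ", item)
```

Hash comparison is keyed on file name plus version string so that the SP2 copy under $NtServicePackUninstall$ (5.1.2600.2180) is not reported as a mismatch against the SP3 copies (5.1.2600.5512); only copies that claim the same version but hash differently are flagged. The live drivers\atapi.sys is reported as unreadable because the log says it could not be opened while every other copy of the same driver could, which is the detail worth checking first; the script does not name a particular malware family, and neither does the log.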



#2 Farbar (Security Developer)

Posted 25 June 2010 - 07:59 AM

Hi Stongsf1,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. In case of making changes I shall assume my assistance is not needed any more.

Please tell me if you still have the issue.

#3 Farbar (Security Developer)

Posted 30 June 2010 - 04:48 AM

This thread will now be closed due to lack of activity.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



