
DNS.Hijacker


  • This topic is locked
25 replies to this topic

#1 offroadguy32


  • Members
  • 12 posts
  • OFFLINE
  • Local time:08:51 PM

Posted 11 July 2010 - 12:08 AM

Hey there, I've been at this thing for a few weeks now trying to get it removed. Basically what's going on is that the browser gets hijacked through the obvious DNS.Hijacker virus sending me to random web sites and Google Analytics. It shows up on Mbam, Spybot, and Kaspersky and supposedly gets removed each time; I'll give it about 10 min after reboot before everything starts falling apart again and I'm back to square one. I've already run Mbam, Kaspersky, Smitfraud, Spybot, and Combo fix (I've had training; I work for a computer company in Boulder, CO), and a few other rootkit sniffers, and I'm at my wits' end, this thing will not go away. So this is pretty much the final straw before I back up the important files and wipe the hard drive. Any kind of help would be much appreciated, thanks.



#2 Blade


    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:08:51 PM

Posted 11 July 2010 - 02:17 AM

Hello offroadguy32. I am moving this topic to the specialized Malware Removal forum for advanced removal routines.

My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand.
***************************************************

Please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

***************************************************

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.log" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and copy/paste its contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


***************************************************

QUOTE
I've already run Mbam, Kaspersky, Smitfraud, Spybot, and Combo fix


Please post the log generated by ComboFix. It is located at C:\ComboFix.txt.

~Blade

In your next reply, please include the following:
DDS.txt
Attach.txt
GMER.log
ComboFix log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
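As an added illustration, not code from this thread, from DDS or from GMER: the Python script below runs the kind of triage a helper does by eye over the Pseudo HJT section of a DDS log and the Services section of a GMER log. The sample lines are copied from the logs posted in this thread and embedded inline so the script runs offline. The three checks it applies (a browser proxy that points at loopback, a rundll32 autorun that loads a DLL sitting directly in the Windows directory, and a service GMER marks as hidden) are my own heuristics, not part of either tool, and the script only reports; it changes nothing on the machine.

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the DDS "Pseudo HJT Report" and
# the GMER "Services" section posted in this thread, trimmed to a few entries.
SAMPLE_DDS = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [Bgutimenipavurog] rundll32.exe "c:\windows\bdmtcb.dll",Startup
mRun: [Hcontrol] c:\windows\atk0100\Hcontrol.exe
mRun: [FixCamera] c:\windows\FixCamera.exe
mRun: [Dyixumiforawum] rundll32.exe "c:\windows\atotohekafomohu.dll",Startup
"""

SAMPLE_GMER = r"""
Service (*** hidden *** ) [BOOT] zihlddu <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\zihlddu@Start 0
"""

# A ProxyServer pointing at one of these routes every browser request through
# a process on the machine itself, which is how the redirects in this thread work.
LOOPBACK = ("127.0.0.1", "localhost", "::1")

# DDS prefixes: "u" = HKCU (current user), "m" = HKLM (machine-wide).
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
RUN_RE = re.compile(r"^[um]Run(?:-x64)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$")
# A DLL sitting directly in the Windows directory root, with no subfolder.
WINROOT_DLL_RE = re.compile(r"""[a-z]:\\windows\\[^\\"']+\.dll""", re.IGNORECASE)
ORPHAN_RE = re.compile(r"^(?:TB|BHO):.*-\s*No File\s*$", re.IGNORECASE)
HIDDEN_SVC_RE = re.compile(
    r"^Service\s+\(\*\*\* hidden \*\*\*\s*\)\s*\[(?P<start>[A-Z]+)\]\s*(?P<name>\S+)"
)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "low"
    reason: str
    line: str


def triage_dds(report: str) -> list[Finding]:
    """Flag suspicious entries in the Pseudo HJT section of a DDS log."""
    findings: list[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.match(line)
        if m:
            if any(h in m.group("value").lower() for h in LOOPBACK):
                findings.append(Finding("high", "browser proxy points at loopback (local interception proxy)", line))
            continue
        m = RUN_RE.match(line)
        if m:
            cmd = m.group("cmd")
            if "rundll32" in cmd.lower() and WINROOT_DLL_RE.search(cmd):
                findings.append(Finding("high", "rundll32 autorun loads a DLL from the Windows directory root", line))
            continue
        if ORPHAN_RE.match(line):
            findings.append(Finding("low", "toolbar/BHO registration whose file is missing (orphan)", line))
    return findings


def triage_gmer(report: str) -> list[Finding]:
    """Flag services GMER marks as hidden; this only reports, it modifies nothing."""
    findings: list[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        m = HIDDEN_SVC_RE.match(line)
        if m:
            findings.append(Finding("high", f"hidden {m.group('start')}-start service {m.group('name')!r}", line))
    return findings


def count_by_severity(findings: list[Finding]) -> dict[str, int]:
    """Summarise a findings list as {severity: count}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    all_findings = triage_dds(SAMPLE_DDS) + triage_gmer(SAMPLE_GMER)
    for f in all_findings:
        print(f"[{f.severity:4}] {f.reason}\n        {f.line}")
    print(count_by_severity(all_findings))
```

The DDS prefix letters are the tool's own convention (u for the current user's hive, m for the machine hive), which is why the proxy entry in this thread is a per-user setting that survives tools that only clean machine-wide keys. A rundll32 entry whose DLL sits directly in c:\windows under a random-looking name, next to a loopback proxy, is exactly the pair of entries that keeps reappearing here after each cleanup, and the hidden boot-start service in the GMER output is the component that puts them back.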


#3 offroadguy32

  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:08:51 PM

Posted 11 July 2010 - 07:42 PM

Okie dokie, here they are in the order you wish.


DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Sysadmin at 17:49:12.87 on Sun 07/11/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1794 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Sysadmin\Desktop\dds.scr

============== Pseudo HJT Report ===============

mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [ares] "c:\program files\ares\Ares.exe" -h
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Bgutimenipavurog] rundll32.exe "c:\windows\bdmtcb.dll",Startup
mRun: [Hcontrol] c:\windows\atk0100\Hcontrol.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [CreateCD_Reminder] c:\windows\sonysys\vaio recovery\reminder.exe
mRun: [TVTunerLib] c:\program files\common files\sony shared\tvtunerlib\TVTLInstTool.exe
mRun: [SonyPowerCfg] c:\program files\sony\vaio power management\SPMgr.exe
mRun: [Switcher.exe] c:\program files\sony\wireless switch setting utility\Switcher.exe
mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
mRun: [VZRemoteCommander] c:\program files\sony\vaio zone remote commander\AvRmtCtr.exe
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [FixCamera] c:\windows\FixCamera.exe
mRun: [tsnp2std] c:\windows\tsnp2std.exe
mRun: [snp2std] c:\windows\vsnp2std.exe
mRun: [Dyixumiforawum] rundll32.exe "c:\windows\atotohekafomohu.dll",Startup
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\record~1.lnk - c:\program files\sony\vaio entertainment\VzTrayIcon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: VESWinlogon - VESWinlogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sysadmin\applic~1\mozilla\firefox\profiles\k9xy716l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\documents and settings\sysadmin\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\sysadmin\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2005-3-3 71961]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
S2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-1-12 24652]
S3 fa410;NETGEAR FA410TX Fast Ethernet PC Card Driver;c:\windows\system32\drivers\fa410nd5.sys [2005-3-3 24618]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]

=============== Created Last 30 ================

2010-07-11 04:25:13 50176 ----a-w- c:\windows\system32\ernel32.dll
2010-07-06 02:37:13 577024 -c--a-w- c:\windows\system32\dllcache\user32.dll
2010-07-06 02:35:16 0 d-----w- c:\windows\ERUNT
2010-07-06 02:33:45 0 d-----w- C:\SDFix
2010-07-06 02:14:24 4224 ----a-w- c:\windows\system32\drivers\tmprdpcdd.sys
2010-07-06 02:14:24 0 d-----w- C:\backup
2010-07-04 00:43:31 0 d-sha-r- C:\cmdcons
2010-06-28 16:01:53 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-23 17:43:24 0 d-----w- C:\spoolerlogs
2010-06-22 14:00:06 50176 ----a-w- c:\docume~1\sysadmin\applic~1\ef99e6ac.exe

==================== Find3M ====================

2010-07-11 23:49:12 772096 ----a-w- c:\windows\system32\drivers\zihlddu.sys
2010-06-30 15:30:18 47616 ----a-w- c:\windows\system32\dvdptify.dll
2010-04-26 21:58:12 256512 ----a-w- c:\windows\PEV.exe

============= FINISH: 17:49:28.85 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 12/11/2008 12:21:36 PM
System Uptime: 7/11/2010 5:43:00 PM (0 hours ago)
Processor: Intel® Pentium® M processor 2.00GHz | N/A | 1995/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 112 GiB total, 98.626 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP84: 5/25/2010 10:54:47 PM - System Checkpoint
RP85: 6/10/2010 3:05:29 PM - System Checkpoint
RP86: 6/13/2010 8:45:36 PM - System Checkpoint
RP87: 6/17/2010 9:38:18 PM - System Checkpoint
RP88: 6/23/2010 6:48:47 PM - ComboFix created restore point
RP89: 6/28/2010 10:01:31 AM - Installed Java™ 6 Update 20
RP90: 7/1/2010 10:45:49 PM - System Checkpoint
RP91: 7/8/2010 10:37:59 PM - System Checkpoint

==== Installed Programs ======================

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop Elements 3.0
Adobe Reader 7.0
AIM 6
AIM Search
AIM Toolbar
Apple Mobile Device Support
Apple Software Update
Ares 2.1.1
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATK0100 ACPI UTILITY
Bonjour
Click to DVD 2.0.03 Menu Data
Click to DVD 2.4.02
Comcast High-Speed Internet Install Wizard
CONNECT
Desktop Doctor
Download Updater (AOL LLC)
DVgate Plus
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
Image Converter 2
Intel® PROSet/Wireless Software
InterVideo WinDVD for VAIO
InterVideo WinDVDX
ISScript
iTunes
J2SE Runtime Environment 5.0
Java Auto Updater
Java™ 6 Update 20
Java™ 6 Update 7
Malwarebytes' Anti-Malware
mCore
mDriver
Memory Stick Formatter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886904)
Microsoft Data Access Components KB870669
Microsoft Office Standard Edition 2003
Microsoft Silverlight
Microsoft SQL Server Desktop Engine (VAIO_VEDB)
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
mMHouse
MoodLogic
Move Media Player
Mozilla Firefox (3.6.6)
mPfMgr
mProSafe
mWlsSafe
mXML
Netscape Internet Service Setup
OpenMG Limited Patch 4.1-05-13-31-01
OpenMG Secure Module 4.1.00
OpenOffice.org 3.0
PictureGear Studio 2.0
Quicken 2005
QuickTime
Realtek High Definition Audio Driver
Setting Utility Series
Sonic RecordNow!
SonicStage 3.0
SonicStage Mastering Studio 1.4
SonicStage Mastering Studio Audio Filter
SonicStage Mastering Studio Audio Filter Custom Preset
SonicStage Mastering Studio Plugins
SonicStage MP3 Add-on program
Sony Certificate PCH
Sony MP4 Shared Library
Sony Utilities DLL
Sony Video Shared Library
uninstall
VAIO Control Center
VAIO Entertainment Platform
VAIO Event Service
VAIO Launcher
VAIO Light Flo Wallpaper
VAIO Media 4.0
VAIO Media AC3 Decoder 1.0
VAIO Media Integrated Server 4.1
VAIO Media Redistribution 4.0
VAIO Media Registration Tool 4.0
VAIO Original Screen Saver
VAIO Original Screen Saver VAIO Motion SD Wide Contents
VAIO Power Management
VAIO Registration
VAIO Survey Standalone
VAIO TV Tuner Library 1.4
VAIO Update 2
VAIO Wireless Utility
VAIO Zone
VAIO Zone Remote Commander
Viewpoint Media Player
WebFldrs XP
Windows Backup Utility
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB307154
Windows XP Hotfix - KB833407
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB884018
Windows XP Hotfix - KB884575
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB891781
Wireless Switch Setting Utility
Yahoo! Messenger
ZVC7500 PC CAMERA

==== Event Viewer Messages From Past Week ========

7/9/2010 11:04:26 AM, error: Dhcp [1002] - The IP address lease 192.168.0.4 for the Network Card with network address 000E35E2A989 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
7/8/2010 10:02:29 PM, error: Dhcp [1002] - The IP address lease 192.168.2.178 for the Network Card with network address 000E35E2A989 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
7/7/2010 11:39:47 AM, error: Service Control Manager [7022] - The VAIO Entertainment File Import Service service hung on starting.
7/7/2010 11:37:45 AM, error: Dhcp [1002] - The IP address lease 192.168.1.102 for the Network Card with network address 000E35E2A989 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
7/5/2010 8:34:56 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
7/5/2010 8:34:23 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DMICall Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip WS2IFSL
7/5/2010 8:34:23 PM, error: Service Control Manager [7001] - The VAIO Entertainment File Import Service service depends on the VAIO Entertainment Database Service service which failed to start because of the following error: The dependency service or group failed to start.
7/5/2010 8:34:23 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
7/5/2010 8:34:23 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/5/2010 8:34:23 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/5/2010 8:34:23 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
7/5/2010 8:34:23 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/5/2010 8:34:23 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/5/2010 8:33:36 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
7/5/2010 8:33:24 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
7/5/2010 8:27:49 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
7/4/2010 2:54:15 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/4/2010 2:51:43 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
7/10/2010 9:50:46 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service VAIO Event Service with arguments "" in order to run the server: {DB56B1ED-6BC2-4CD6-BB65-BA20C8BD6F96}
7/10/2010 9:27:11 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde
7/10/2010 9:21:15 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: DMICall Fips intelppm

==== End Of File ===========================

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-11 18:33:38
Windows 5.1.2600 Service Pack 2
Running: 3i8cgvmx.exe; Driver: C:\DOCUME~1\Sysadmin\LOCALS~1\Temp\kwayqpod.sys


---- Kernel code sections - GMER 1.0.15 ----

.text zihlddu.sys F7435012 94 Bytes [FF, 35, 0B, 53, 43, F7, 8F, ...]
.text zihlddu.sys F7435071 409 Bytes [00, F6, C2, F2, 84, DD, 68, ...]
.text zihlddu.sys F743520B 222 Bytes [74, 24, 1C, 8F, 45, 00, 68, ...]
.text zihlddu.sys F74352EA 18 Bytes [66, 89, 45, 00, 66, C7, 04, ...]
.text zihlddu.sys F7435318 497 Bytes [48, C6, 04, 24, 36, F8, C6, ...]
.text ...
? C:\WINDOWS\system32\drivers\zihlddu.sys A device attached to the system is not functioning.
PAGE Ntfs.sys F7B77E88 4 Bytes CALL 8A7A3BD1

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A7C19C8

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] zihlddu <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\zihlddu@Type 1
Reg HKLM\SYSTEM\ControlSet001\Services\zihlddu@Start 0
Reg HKLM\SYSTEM\ControlSet001\Services\zihlddu@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet001\Services\zihlddu@Group Boot Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\Services\zihlddu@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\zihlddu@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\zihlddu@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\zihlddu@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\zihlddu@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\zihlddu@Start 0
Reg HKLM\SYSTEM\ControlSet003\Services\zihlddu@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\zihlddu@Group Boot Bus Extender


ComboFix 10-07-10.01 - Sysadmin 07/11/2010 18:35:24.9.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1744 [GMT -6:00]
Running from: c:\documents and settings\Sysadmin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ernel32.dll
c:\windows\system32\spool\prtprocs\w32x86\Y55o5.dll

.
((((((((((((((((((((((((( Files Created from 2010-06-12 to 2010-07-12 )))))))))))))))))))))))))))))))
.

2010-07-11 03:16 . 2010-07-11 03:23 -------- d-----w- c:\documents and settings\Sysadmin\Local Settings\Application Data\lpssjmwpl
2010-07-08 02:47 . 2010-07-08 03:15 -------- d-----w- c:\documents and settings\Sysadmin\Local Settings\Application Data\nbhoonrie
2010-07-06 02:37 . 2010-07-06 02:37 577024 -c--a-w- c:\windows\system32\dllcache\user32.dll
2010-07-06 02:35 . 2010-07-06 02:35 -------- d-----w- c:\windows\ERUNT
2010-07-06 02:33 . 2010-07-06 02:45 -------- d-----w- C:\SDFix
2010-07-06 02:14 . 2010-07-06 02:14 -------- d-----w- C:\backup
2010-07-06 02:14 . 2004-08-04 12:00 4224 ----a-w- c:\windows\system32\drivers\tmprdpcdd.sys
2010-06-29 04:39 . 2010-06-29 04:39 503808 ----a-w- c:\documents and settings\Sysadmin\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-154e9f20-n\msvcp71.dll
2010-06-29 04:39 . 2010-06-29 04:39 499712 ----a-w- c:\documents and settings\Sysadmin\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-154e9f20-n\jmc.dll
2010-06-29 04:39 . 2010-06-29 04:39 348160 ----a-w- c:\documents and settings\Sysadmin\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-154e9f20-n\msvcr71.dll
2010-06-29 04:39 . 2010-06-29 04:39 61440 ----a-w- c:\documents and settings\Sysadmin\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-24159f21-n\decora-sse.dll
2010-06-29 04:39 . 2010-06-29 04:39 12800 ----a-w- c:\documents and settings\Sysadmin\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-24159f21-n\decora-d3d.dll
2010-06-28 16:01 . 2010-06-28 16:01 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-23 17:43 . 2010-06-23 17:43 -------- d-----w- C:\spoolerlogs
2010-06-22 14:00 . 2010-06-22 14:00 50176 ----a-w- c:\documents and settings\Sysadmin\Application Data\ef99e6ac.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-12 00:38 . 2010-05-28 16:52 772096 ----a-w- c:\windows\system32\drivers\zihlddu.sys
2010-07-04 00:26 . 2010-01-19 16:34 0 ----a-w- c:\windows\Wqisit.bin
2010-07-01 23:40 . 2009-02-11 20:19 1 ----a-w- c:\documents and settings\Sysadmin\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-30 15:30 . 2010-05-28 16:51 47616 ----a-w- c:\windows\system32\dvdptify.dll
2010-06-28 16:02 . 2005-03-04 03:16 -------- d-----w- c:\program files\Common Files\Java
2010-06-28 16:01 . 2005-03-04 03:16 -------- d-----w- c:\program files\Java
2010-06-25 03:27 . 2005-03-04 18:50 -------- d-----w- c:\program files\Google
2010-06-24 02:24 . 2009-01-15 05:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-20 02:28 . 2010-01-19 16:34 120 ----a-w- c:\windows\Vsezunazil.dat
2010-05-30 03:40 . 2010-05-30 03:40 -------- d-----w- c:\documents and settings\Sysadmin\Application Data\Yahoo!
2010-05-30 03:37 . 2010-05-30 03:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-05-30 03:36 . 2010-05-30 03:35 -------- d-----w- c:\program files\Yahoo!
2010-05-28 16:51 . 2010-05-28 16:51 20 ----a-w- c:\documents and settings\NetworkService\Application Data\vqdlkr.dat
2010-04-29 21:39 . 2009-01-15 05:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 21:39 . 2009-01-15 05:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 22:45 . 2010-05-30 03:36 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-01-19_17.01.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 02:54 . 2009-07-12 02:54 65536 c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e79c4723\vcomp.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80KOR.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80JPN.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ITA.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80FRA.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ESP.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32 57344 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ENU.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32 65536 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80DEU.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32 45056 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHT.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32 40960 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHS.dll
+ 2009-07-12 07:07 . 2009-07-12 07:07 57856 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80u.dll
+ 2009-07-12 07:19 . 2009-07-12 07:19 69632 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80.dll
+ 2009-07-12 01:41 . 2009-07-12 01:41 97280 c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.dll
+ 2005-03-03 22:39 . 2010-05-23 14:38 60714 c:\windows\system32\perfc009.dat
- 2005-03-03 22:39 . 2009-10-28 16:52 60714 c:\windows\system32\perfc009.dat
+ 2010-06-06 05:12 . 2010-06-06 05:12 84507 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
- 2005-03-03 23:57 . 2008-12-11 18:58 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-03-03 23:57 . 2010-05-28 16:51 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-03-03 23:57 . 2010-05-28 16:51 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-03-03 23:57 . 2008-12-11 18:58 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-03-03 22:40 . 2004-08-04 12:00 16280 c:\windows\equsesuzu.dll
+ 2005-03-03 22:40 . 2004-08-04 12:00 4224 c:\windows\system32\dllcache\rdpcdd.sys
+ 2010-07-06 02:35 . 2010-07-06 02:35 8192 c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2010-07-06 02:35 . 2010-07-06 02:35 8192 c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2009-07-12 07:12 . 2009-07-12 07:12 632656 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
+ 2009-07-12 07:09 . 2009-07-12 07:09 554832 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll
+ 2009-07-12 07:08 . 2009-07-12 07:08 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcm80.dll
- 2005-03-03 22:39 . 2009-10-28 16:52 398748 c:\windows\system32\perfh009.dat
+ 2005-03-03 22:39 . 2010-05-23 14:38 398748 c:\windows\system32\perfh009.dat
+ 2010-01-27 00:58 . 2010-01-27 00:58 256280 c:\windows\system32\Macromed\Flash\FlashUtil10e.exe
+ 2010-06-28 16:01 . 2010-06-28 16:01 153376 c:\windows\system32\javaws.exe
+ 2010-06-28 16:01 . 2010-06-28 16:01 145184 c:\windows\system32\javaw.exe
+ 2010-06-28 16:01 . 2010-06-28 16:01 145184 c:\windows\system32\java.exe
+ 2005-03-04 01:27 . 2004-08-04 06:39 142464 c:\windows\system32\dllcache\aec.sys
+ 2010-06-28 16:02 . 2010-06-28 16:02 180224 c:\windows\Installer\bbd7a.msi
+ 2010-06-28 16:01 . 2010-06-28 16:01 576000 c:\windows\Installer\bbd75.msi
+ 2010-05-30 03:36 . 2010-05-30 03:36 424960 c:\windows\Installer\118e495.msi
+ 2010-07-06 02:35 . 2010-07-06 02:35 851968 c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2010-07-06 02:35 . 2008-08-07 21:27 163328 c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2010-07-06 02:35 . 2010-07-06 02:35 851968 c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2010-07-06 02:35 . 2008-08-07 21:27 163328 c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2009-07-12 02:46 . 2009-07-12 02:46 1093120 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80u.dll
+ 2009-07-12 02:46 . 2009-07-12 02:46 1105920 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="c:\program files\Ares\Ares.exe" [2009-01-27 983040]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-04-29 5248312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hcontrol"="c:\windows\ATK0100\Hcontrol.exe" [2004-07-19 61440]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-08 114688]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-02 339968]
"CreateCD_Reminder"="c:\windows\Sonysys\VAIO Recovery\reminder.exe" [2004-07-16 53248]
"TVTunerLib"="c:\program files\Common Files\Sony Shared\TVTunerLib\TVTLInstTool.exe" [2005-02-17 245760]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-01-15 184320]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2005-01-21 167936]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-01-14 151552]
"VZRemoteCommander"="c:\program files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe" [2005-01-31 192512]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SsAAD.exe"="c:\progra~1\sony\SONICS~1\SsAAD.exe" [2005-01-25 81920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"FixCamera"="c:\windows\FixCamera.exe" [2006-06-01 20480]
"tsnp2std"="c:\windows\tsnp2std.exe" [2006-01-07 110592]
"snp2std"="c:\windows\vsnp2std.exe" [2006-01-06 344064]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
VAIO Launcher.lnk - c:\program files\Sony\VAIO Launcher\Launcher.exe [2008-12-11 778240]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Recording Status.lnk - c:\program files\Sony\vaio entertainment\VzTrayIcon.exe [2008-12-11 299008]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-01-18 20:48 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [3/3/2005 4:41 PM 71961]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 6:47 AM 98304]
S2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/4/2004 5:40 AM 118784]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/12/2009 9:58 PM 24652]
S3 fa410;NETGEAR FA410TX Fast Ethernet PC Card Driver;c:\windows\system32\drivers\fa410nd5.sys [3/3/2005 9:50 AM 24618]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KWAYQPOD
*Deregistered* - kwayqpod
*Deregistered* - zihlddu
.
Contents of the 'Scheduled Tasks' folder

2010-07-11 c:\windows\Tasks\ef99e6ac.job
- c:\documents and settings\Sysadmin\Application Data\ef99e6ac.exe [2010-06-22 14:00]

2008-12-11 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-03-03 12:00]

2008-12-11 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-03-03 12:00]

2008-12-11 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-03-03 12:00]
.
.
------- Supplementary Scan -------
.
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\Sysadmin\Application Data\Mozilla\Firefox\Profiles\k9xy716l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\documents and settings\Sysadmin\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Sysadmin\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
HKCU-Run-Bgutimenipavurog - c:\windows\bdmtcb.dll
HKLM-Run-Dyixumiforawum - c:\windows\atotohekafomohu.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-11 18:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\zihlddu]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\VESWinlogon.dll
.
Completion time: 2010-07-11 18:39:05
ComboFix-quarantined-files.txt 2010-07-12 00:39
ComboFix2.txt 2010-07-11 03:59
ComboFix3.txt 2010-07-08 03:28
ComboFix4.txt 2010-07-04 01:51
ComboFix5.txt 2010-07-12 00:34

Pre-Run: 105,882,025,984 bytes free
Post-Run: 105,872,187,392 bytes free

- - End Of File - - 7BDD3AF960E34121614CDADEE532017C


#4 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • Gender:Male
  • Location:US
  • Local time:08:51 PM

Posted 14 July 2010 - 02:09 AM

Hello.

Please delete the copy of ComboFix that you have on your desktop by right-clicking the icon and selecting Delete. Then, download a new copy from the following link, but rename it to renamed.exe before saving it to your desktop.

Please run a scan with the updated version of ComboFix and post the log it generates into your next reply.

~Blade


In your next reply, please include the following:
ComboFix log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#5 offroadguy32

offroadguy32
  • Topic Starter

  • Members
  • 12 posts
  • Local time:08:51 PM

Posted 16 July 2010 - 01:44 AM

ComboFix 10-07-13.08 - Sysadmin 07/14/2010 23:00:03.10.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1791 [GMT -6:00]
Running from: c:\documents and settings\Sysadmin\Desktop\renamed.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ernel32.dll
c:\windows\system32\spool\prtprocs\w32x86\93gM931cE.dll
c:\windows\system32\spool\prtprocs\w32x86\93oC9s1eI.dll
c:\windows\system32\spool\prtprocs\w32x86\9eI7q3179.dll
c:\windows\system32\spool\prtprocs\w32x86\9iQG9iQ7w.dll
c:\windows\system32\spool\prtprocs\w32x86\9sKUOC179.dll
c:\windows\system32\spool\prtprocs\w32x86\9y1cE3179.dll
c:\windows\system32\spool\prtprocs\w32x86\e3a7kUO7o.dll
c:\windows\system32\spool\prtprocs\w32x86\g55aA.dll
c:\windows\system32\spool\prtprocs\w32x86\kU5mY.dll
c:\windows\system32\spool\prtprocs\w32x86\Q555o.dll
c:\windows\system32\spool\prtprocs\w32x86\wS55s.dll

.
((((((((((((((((((((((((( Files Created from 2010-06-15 to 2010-07-15 )))))))))))))))))))))))))))))))
.

2010-07-12 01:26 . 2010-07-12 01:26 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-11 03:16 . 2010-07-11 03:23 -------- d-----w- c:\documents and settings\Sysadmin\Local Settings\Application Data\lpssjmwpl
2010-07-08 02:47 . 2010-07-08 03:15 -------- d-----w- c:\documents and settings\Sysadmin\Local Settings\Application Data\nbhoonrie
2010-07-06 02:37 . 2010-07-06 02:37 577024 -c--a-w- c:\windows\system32\dllcache\user32.dll
2010-07-06 02:35 . 2010-07-06 02:35 -------- d-----w- c:\windows\ERUNT
2010-07-06 02:33 . 2010-07-06 02:45 -------- d-----w- C:\SDFix
2010-07-06 02:14 . 2010-07-06 02:14 -------- d-----w- C:\backup
2010-07-06 02:14 . 2004-08-04 12:00 4224 ----a-w- c:\windows\system32\drivers\tmprdpcdd.sys
2010-06-29 04:39 . 2010-06-29 04:39 503808 ----a-w- c:\documents and settings\Sysadmin\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-154e9f20-n\msvcp71.dll
2010-06-29 04:39 . 2010-06-29 04:39 499712 ----a-w- c:\documents and settings\Sysadmin\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-154e9f20-n\jmc.dll
2010-06-29 04:39 . 2010-06-29 04:39 348160 ----a-w- c:\documents and settings\Sysadmin\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-154e9f20-n\msvcr71.dll
2010-06-29 04:39 . 2010-06-29 04:39 61440 ----a-w- c:\documents and settings\Sysadmin\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-24159f21-n\decora-sse.dll
2010-06-29 04:39 . 2010-06-29 04:39 12800 ----a-w- c:\documents and settings\Sysadmin\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-24159f21-n\decora-d3d.dll
2010-06-28 16:01 . 2010-06-28 16:01 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-23 17:43 . 2010-06-23 17:43 -------- d-----w- C:\spoolerlogs
2010-06-22 14:00 . 2010-06-22 14:00 50176 ----a-w- c:\documents and settings\Sysadmin\Application Data\ef99e6ac.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-15 05:03 . 2010-05-28 16:52 772096 ----a-w- c:\windows\system32\drivers\zihlddu.sys
2010-07-04 00:26 . 2010-01-19 16:34 0 ----a-w- c:\windows\Wqisit.bin
2010-07-01 23:40 . 2009-02-11 20:19 1 ----a-w- c:\documents and settings\Sysadmin\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-30 15:30 . 2010-05-28 16:51 47616 ----a-w- c:\windows\system32\dvdptify.dll
2010-06-28 16:02 . 2005-03-04 03:16 -------- d-----w- c:\program files\Common Files\Java
2010-06-28 16:01 . 2005-03-04 03:16 -------- d-----w- c:\program files\Java
2010-06-25 03:27 . 2005-03-04 18:50 -------- d-----w- c:\program files\Google
2010-06-24 02:24 . 2009-01-15 05:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-20 02:28 . 2010-01-19 16:34 120 ----a-w- c:\windows\Vsezunazil.dat
2010-05-30 03:40 . 2010-05-30 03:40 -------- d-----w- c:\documents and settings\Sysadmin\Application Data\Yahoo!
2010-05-30 03:37 . 2010-05-30 03:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-05-30 03:36 . 2010-05-30 03:35 -------- d-----w- c:\program files\Yahoo!
2010-05-28 16:51 . 2010-05-28 16:51 20 ----a-w- c:\documents and settings\NetworkService\Application Data\vqdlkr.dat
2010-04-29 21:39 . 2009-01-15 05:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 21:39 . 2009-01-15 05:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 22:45 . 2010-05-30 03:36 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-01-19_17.01.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 02:54 . 2009-07-12 02:54 65536 c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e79c4723\vcomp.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80KOR.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80JPN.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ITA.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80FRA.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ESP.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32 57344 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ENU.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32 65536 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80DEU.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32 45056 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHT.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32 40960 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHS.dll
+ 2009-07-12 07:07 . 2009-07-12 07:07 57856 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80u.dll
+ 2009-07-12 07:19 . 2009-07-12 07:19 69632 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80.dll
+ 2009-07-12 01:41 . 2009-07-12 01:41 97280 c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.dll
+ 2005-03-03 22:39 . 2010-05-23 14:38 60714 c:\windows\system32\perfc009.dat
- 2005-03-03 22:39 . 2009-10-28 16:52 60714 c:\windows\system32\perfc009.dat
+ 2010-06-06 05:12 . 2010-06-06 05:12 84507 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
- 2005-03-03 23:57 . 2008-12-11 18:58 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-03-03 23:57 . 2010-05-28 16:51 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-03-03 23:57 . 2010-05-28 16:51 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-03-03 23:57 . 2008-12-11 18:58 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-03-03 22:40 . 2004-08-04 12:00 16280 c:\windows\equsesuzu.dll
+ 2005-03-03 22:40 . 2004-08-04 12:00 4224 c:\windows\system32\dllcache\rdpcdd.sys
+ 2010-07-06 02:35 . 2010-07-06 02:35 8192 c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2010-07-06 02:35 . 2010-07-06 02:35 8192 c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2009-07-12 07:12 . 2009-07-12 07:12 632656 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
+ 2009-07-12 07:09 . 2009-07-12 07:09 554832 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll
+ 2009-07-12 07:08 . 2009-07-12 07:08 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcm80.dll
- 2005-03-03 22:39 . 2009-10-28 16:52 398748 c:\windows\system32\perfh009.dat
+ 2005-03-03 22:39 . 2010-05-23 14:38 398748 c:\windows\system32\perfh009.dat
+ 2010-01-27 00:58 . 2010-01-27 00:58 256280 c:\windows\system32\Macromed\Flash\FlashUtil10e.exe
+ 2010-06-28 16:01 . 2010-06-28 16:01 153376 c:\windows\system32\javaws.exe
+ 2010-06-28 16:01 . 2010-06-28 16:01 145184 c:\windows\system32\javaw.exe
+ 2010-06-28 16:01 . 2010-06-28 16:01 145184 c:\windows\system32\java.exe
+ 2005-03-04 01:27 . 2004-08-04 06:39 142464 c:\windows\system32\dllcache\aec.sys
+ 2010-06-28 16:02 . 2010-06-28 16:02 180224 c:\windows\Installer\bbd7a.msi
+ 2010-06-28 16:01 . 2010-06-28 16:01 576000 c:\windows\Installer\bbd75.msi
+ 2010-05-30 03:36 . 2010-05-30 03:36 424960 c:\windows\Installer\118e495.msi
+ 2010-07-06 02:35 . 2010-07-06 02:35 851968 c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2010-07-06 02:35 . 2008-08-07 21:27 163328 c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2010-07-06 02:35 . 2010-07-06 02:35 851968 c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2010-07-06 02:35 . 2008-08-07 21:27 163328 c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2009-07-12 02:46 . 2009-07-12 02:46 1093120 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80u.dll
+ 2009-07-12 02:46 . 2009-07-12 02:46 1105920 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="c:\program files\Ares\Ares.exe" [2009-01-27 983040]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-04-29 5248312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hcontrol"="c:\windows\ATK0100\Hcontrol.exe" [2004-07-19 61440]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-08 114688]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-02 339968]
"CreateCD_Reminder"="c:\windows\Sonysys\VAIO Recovery\reminder.exe" [2004-07-16 53248]
"TVTunerLib"="c:\program files\Common Files\Sony Shared\TVTunerLib\TVTLInstTool.exe" [2005-02-17 245760]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-01-15 184320]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2005-01-21 167936]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-01-14 151552]
"VZRemoteCommander"="c:\program files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe" [2005-01-31 192512]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SsAAD.exe"="c:\progra~1\sony\SONICS~1\SsAAD.exe" [2005-01-25 81920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"FixCamera"="c:\windows\FixCamera.exe" [2006-06-01 20480]
"tsnp2std"="c:\windows\tsnp2std.exe" [2006-01-07 110592]
"snp2std"="c:\windows\vsnp2std.exe" [2006-01-06 344064]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
VAIO Launcher.lnk - c:\program files\Sony\VAIO Launcher\Launcher.exe [2008-12-11 778240]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Recording Status.lnk - c:\program files\Sony\vaio entertainment\VzTrayIcon.exe [2008-12-11 299008]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-01-18 20:48 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [3/3/2005 4:41 PM 71961]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 6:47 AM 98304]
S2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/4/2004 5:40 AM 118784]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/12/2009 9:58 PM 24652]
S3 fa410;NETGEAR FA410TX Fast Ethernet PC Card Driver;c:\windows\system32\drivers\fa410nd5.sys [3/3/2005 9:50 AM 24618]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - zihlddu
.
Contents of the 'Scheduled Tasks' folder

2010-07-14 c:\windows\Tasks\ef99e6ac.job
- c:\documents and settings\Sysadmin\Application Data\ef99e6ac.exe [2010-06-22 14:00]

2008-12-11 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-03-03 12:00]

2008-12-11 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-03-03 12:00]

2008-12-11 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-03-03 12:00]
.
.
------- Supplementary Scan -------
.
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\Sysadmin\Application Data\Mozilla\Firefox\Profiles\k9xy716l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\documents and settings\Sysadmin\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Sysadmin\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-14 23:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\zihlddu]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\VESWinlogon.dll
.
Completion time: 2010-07-14 23:04:44
ComboFix-quarantined-files.txt 2010-07-15 05:04
ComboFix2.txt 2010-07-12 00:39
ComboFix3.txt 2010-07-11 03:59
ComboFix4.txt 2010-07-08 03:28
ComboFix5.txt 2010-07-15 04:58

Pre-Run: 105,803,153,408 bytes free
Post-Run: 105,837,113,344 bytes free

- - End Of File - - 42250322AFB7D61E49E2E767D7B4A72A


#6 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • Gender:Male
  • Location:US

Posted 16 July 2010 - 10:27 PM

Hello.

Please download The Avenger by Swandog46 and save it to your desktop
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits does have a tick in it.
  • Make sure that the box next to Automatically disable any rootkits found does NOT have a tick in it.
  • Copy all of the text in the below codebox to the clipboard by highlighting it and then pressing Ctrl+C.

    CODE
    Drivers to delete:
    zihlddu

    Files to delete:
    c:\windows\Tasks\ef99e6ac.job

  • In the Avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button
  • You will be asked, "Are you sure you want to execute the current script?"
  • Click Yes
  • You will now be asked "First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?"
  • Click Yes
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, the log: avenger.txt should automatically open.
  • If avenger.txt does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please copy and paste the contents of this log in a reply to this topic.
~Blade


In your next reply, please include the following:
Avenger log

Edited by Blade Zephon, 16 July 2010 - 10:28 PM.


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#7 offroadguy32

offroadguy32
  • Topic Starter

  • Members
  • 12 posts

Posted 17 July 2010 - 12:20 AM

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver "zihlddu" deleted successfully.
File "c:\windows\Tasks\ef99e6ac.job" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


#8 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • Gender:Male
  • Location:US

Posted 17 July 2010 - 01:07 AM

Hello.

Excellent. . . part two.

1. Open notepad and copy/paste the text in the codebox below into it. Please ensure that Word Wrap is not enabled in notepad. (Under the Format menu, Word Wrap should be unchecked):

CODE
http://www.bleepingcomputer.com/forums/t/330647/dnshijacker/

Collect::
c:\documents and settings\Sysadmin\Application Data\ef99e6ac.exe
c:\windows\system32\drivers\zihlddu.sys

DDS::
uInternet Settings,ProxyServer =
uInternet Settings,ProxyOverride =


Save this as CFScript.txt, in the same location as renamed.exe

2. Close any open browsers.

3. VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.



Referring to the picture above, drag CFScript into renamed.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

~Blade


In your next reply, please include the following:
ComboFix Log
How is the computer running now?

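The two scripts Blade posted (the Avenger script in #6 and the CFScript in #8) act on three things visible in the ComboFix log: a browser proxy pointing at 127.0.0.1, a service (zihlddu) that shows up as *Deregistered* with its registry key still present, and a scheduled task whose target executable lives under a user's Application Data folder. The Python below is an added example, not code from this thread, from ComboFix or from The Avenger: it parses constructed sample lines modelled on the log excerpts quoted here and flags exactly those indicators, so a reader can see the triage behind the helper's script lines. The regexes, the `triage` function and the BEFORE_FIX/AFTER_FIX samples are all assumptions of this example.

```python
import re

# Constructed sample lines, modelled on the ComboFix output quoted in this thread:
# the loopback proxy, the deregistered service, and the scheduled task whose
# target lives in a user profile are the items the helper's scripts acted on.
BEFORE_FIX = r"""uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
*Deregistered* - zihlddu
2010-07-14 c:\windows\Tasks\ef99e6ac.job
- c:\documents and settings\Sysadmin\Application Data\ef99e6ac.exe [2010-06-22 14:00]
2008-12-11 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-03-03 12:00]
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\zihlddu]
"""

# Constructed sample of the same sections after cleanup (only the OEM task remains).
AFTER_FIX = r"""2008-12-11 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-03-03 12:00]
"""

PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.+)$")
LOOPBACK_RE = re.compile(r"(?:^|[=;\s])(127\.0\.0\.1|localhost):(\d+)", re.I)
DEREG_RE = re.compile(r"^\*Deregistered\*\s*-\s*(\S+)$")
SERVICE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]$", re.I)
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(\S.*\.job)$", re.I)
TARGET_RE = re.compile(r"^-\s+(.+?)\s+\[[^\]]*\]$")
# Directories under a user profile; the OEM tasks in this log run from system32.
PROFILE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")


def triage(log_text):
    """Return (category, detail) findings for the indicators discussed in this thread."""
    findings = []
    deregistered = set()
    service_keys = []
    pending_task = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := PROXY_RE.match(line)):
            # A proxy on 127.0.0.1 means something local relays every browser request.
            if (lm := LOOPBACK_RE.search(m.group(1))):
                findings.append(("loopback_proxy", f"{lm.group(1)}:{lm.group(2)}"))
            pending_task = None
            continue
        if (m := DEREG_RE.match(line)):
            deregistered.add(m.group(1).lower())
            findings.append(("deregistered_service", m.group(1)))
            pending_task = None
            continue
        if (m := SERVICE_KEY_RE.match(line)):
            service_keys.append(m.group(1))
            pending_task = None
            continue
        if (m := TASK_RE.match(line)):
            pending_task = m.group(1)  # the target path follows on the next "- ..." line
            continue
        if pending_task and (m := TARGET_RE.match(line)):
            target = m.group(1)
            if any(d in target.lower() for d in PROFILE_DIRS):
                findings.append(("task_runs_from_profile", f"{pending_task} -> {target}"))
        pending_task = None
    # A service key that survives after the service was deregistered is what the
    # helper's "Drivers to delete:" line cleans up.
    for name in service_keys:
        if name.lower() in deregistered:
            findings.append(("deregistered_service_key_present", name))
    return findings


if __name__ == "__main__":
    for label, sample in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, triage(sample))
```

Run against the BEFORE_FIX sample it reports the four items the scripts targeted; against AFTER_FIX, whose lines mirror the post-cleanup log (no proxy line, no zihlddu, only the OEM registration task), it reports nothing, which is the check a helper makes before asking "how is the computer running now?".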


#9 offroadguy32

offroadguy32
  • Topic Starter

  • Members
  • 12 posts

Posted 17 July 2010 - 10:29 PM

ComboFix 10-07-13.08 - Sysadmin 07/17/2010 21:20:43.12.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1633 [GMT -6:00]
Running from: c:\documents and settings\Sysadmin\Desktop\renamed.exe
Command switches used :: c:\documents and settings\Sysadmin\Desktop\CFScript.txt

file zipped: c:\documents and settings\Sysadmin\Application Data\ef99e6ac.exe
file zipped: c:\windows\system32\drivers\zihlddu.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Sysadmin\Application Data\ef99e6ac.exe
c:\windows\system32\drivers\zihlddu.sys
c:\windows\system32\ernel32.dll
c:\windows\system32\spool\prtprocs\w32x86\931oCEIQ9.dll
c:\windows\system32\spool\prtprocs\w32x86\9gMYW3uOC.dll
c:\windows\system32\spool\prtprocs\w32x86\M3gMYWSK9.dll
c:\windows\system32\spool\prtprocs\w32x86\S31sK31gM.dll
c:\windows\system32\spool\prtprocs\w32x86\S3eI9qG79.dll

.
((((((((((((((((((((((((( Files Created from 2010-06-18 to 2010-07-18 )))))))))))))))))))))))))))))))
.

2010-07-16 07:07 . 2010-07-16 07:07 -------- d-----w- c:\documents and settings\Sysadmin\Local Settings\Application Data\Yahoo!
2010-07-12 01:26 . 2010-07-12 01:26 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-11 03:16 . 2010-07-11 03:23 -------- d-----w- c:\documents and settings\Sysadmin\Local Settings\Application Data\lpssjmwpl
2010-07-08 02:47 . 2010-07-08 03:15 -------- d-----w- c:\documents and settings\Sysadmin\Local Settings\Application Data\nbhoonrie
2010-07-06 02:37 . 2010-07-06 02:37 577024 -c--a-w- c:\windows\system32\dllcache\user32.dll
2010-07-06 02:35 . 2010-07-06 02:35 -------- d-----w- c:\windows\ERUNT
2010-07-06 02:33 . 2010-07-06 02:45 -------- d-----w- C:\SDFix
2010-07-06 02:14 . 2010-07-06 02:14 -------- d-----w- C:\backup
2010-07-06 02:14 . 2004-08-04 12:00 4224 ----a-w- c:\windows\system32\drivers\tmprdpcdd.sys
2010-06-29 04:39 . 2010-06-29 04:39 503808 ----a-w- c:\documents and settings\Sysadmin\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-154e9f20-n\msvcp71.dll
2010-06-29 04:39 . 2010-06-29 04:39 499712 ----a-w- c:\documents and settings\Sysadmin\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-154e9f20-n\jmc.dll
2010-06-29 04:39 . 2010-06-29 04:39 348160 ----a-w- c:\documents and settings\Sysadmin\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-154e9f20-n\msvcr71.dll
2010-06-29 04:39 . 2010-06-29 04:39 61440 ----a-w- c:\documents and settings\Sysadmin\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-24159f21-n\decora-sse.dll
2010-06-29 04:39 . 2010-06-29 04:39 12800 ----a-w- c:\documents and settings\Sysadmin\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-24159f21-n\decora-d3d.dll
2010-06-28 16:01 . 2010-06-28 16:01 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-23 17:43 . 2010-06-23 17:43 -------- d-----w- C:\spoolerlogs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-04 00:26 . 2010-01-19 16:34 0 ----a-w- c:\windows\Wqisit.bin
2010-07-01 23:40 . 2009-02-11 20:19 1 ----a-w- c:\documents and settings\Sysadmin\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-30 15:30 . 2010-05-28 16:51 47616 ----a-w- c:\windows\system32\dvdptify.dll
2010-06-28 16:02 . 2005-03-04 03:16 -------- d-----w- c:\program files\Common Files\Java
2010-06-28 16:01 . 2005-03-04 03:16 -------- d-----w- c:\program files\Java
2010-06-25 03:27 . 2005-03-04 18:50 -------- d-----w- c:\program files\Google
2010-06-24 02:24 . 2009-01-15 05:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-20 02:28 . 2010-01-19 16:34 120 ----a-w- c:\windows\Vsezunazil.dat
2010-05-30 03:40 . 2010-05-30 03:40 -------- d-----w- c:\documents and settings\Sysadmin\Application Data\Yahoo!
2010-05-30 03:37 . 2010-05-30 03:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-05-30 03:36 . 2010-05-30 03:35 -------- d-----w- c:\program files\Yahoo!
2010-05-28 16:51 . 2010-05-28 16:51 20 ----a-w- c:\documents and settings\NetworkService\Application Data\vqdlkr.dat
2010-04-29 21:39 . 2009-01-15 05:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 21:39 . 2009-01-15 05:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 22:45 . 2010-05-30 03:36 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-01-19_17.01.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 02:54 . 2009-07-12 02:54 65536 c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e79c4723\vcomp.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80KOR.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80JPN.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ITA.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80FRA.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ESP.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32 57344 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ENU.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32 65536 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80DEU.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32 45056 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHT.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32 40960 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHS.dll
+ 2009-07-12 07:07 . 2009-07-12 07:07 57856 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80u.dll
+ 2009-07-12 07:19 . 2009-07-12 07:19 69632 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80.dll
+ 2009-07-12 01:41 . 2009-07-12 01:41 97280 c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.dll
+ 2010-07-18 03:11 . 2010-07-18 03:11 16384 c:\windows\temp\Perflib_Perfdata_61c.dat
+ 2010-07-18 03:11 . 2010-07-18 03:11 16384 c:\windows\temp\Perflib_Perfdata_2bc.dat
- 2005-03-03 22:39 . 2009-10-28 16:52 60714 c:\windows\system32\perfc009.dat
+ 2005-03-03 22:39 . 2010-05-23 14:38 60714 c:\windows\system32\perfc009.dat
+ 2010-06-06 05:12 . 2010-06-06 05:12 84507 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
- 2005-03-03 23:57 . 2008-12-11 18:58 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-03-03 23:57 . 2010-05-28 16:51 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-03-03 23:57 . 2008-12-11 18:58 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-03-03 23:57 . 2010-05-28 16:51 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-03-03 22:40 . 2004-08-04 12:00 16280 c:\windows\equsesuzu.dll
+ 2005-03-03 22:40 . 2004-08-04 12:00 4224 c:\windows\system32\dllcache\rdpcdd.sys
+ 2010-07-06 02:35 . 2010-07-06 02:35 8192 c:\windows\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2010-07-06 02:35 . 2010-07-06 02:35 8192 c:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2009-07-12 07:12 . 2009-07-12 07:12 632656 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
+ 2009-07-12 07:09 . 2009-07-12 07:09 554832 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll
+ 2009-07-12 07:08 . 2009-07-12 07:08 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcm80.dll
+ 2005-03-03 22:39 . 2010-05-23 14:38 398748 c:\windows\system32\perfh009.dat
- 2005-03-03 22:39 . 2009-10-28 16:52 398748 c:\windows\system32\perfh009.dat
+ 2010-01-27 00:58 . 2010-01-27 00:58 256280 c:\windows\system32\Macromed\Flash\FlashUtil10e.exe
+ 2010-06-28 16:01 . 2010-06-28 16:01 153376 c:\windows\system32\javaws.exe
+ 2010-06-28 16:01 . 2010-06-28 16:01 145184 c:\windows\system32\javaw.exe
+ 2010-06-28 16:01 . 2010-06-28 16:01 145184 c:\windows\system32\java.exe
+ 2005-03-04 01:27 . 2004-08-04 06:39 142464 c:\windows\system32\dllcache\aec.sys
+ 2010-06-28 16:02 . 2010-06-28 16:02 180224 c:\windows\Installer\bbd7a.msi
+ 2010-06-28 16:01 . 2010-06-28 16:01 576000 c:\windows\Installer\bbd75.msi
+ 2010-05-30 03:36 . 2010-05-30 03:36 424960 c:\windows\Installer\118e495.msi
+ 2010-07-06 02:35 . 2010-07-06 02:35 851968 c:\windows\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2010-07-06 02:35 . 2008-08-07 21:27 163328 c:\windows\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2010-07-06 02:35 . 2010-07-06 02:35 851968 c:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2010-07-06 02:35 . 2008-08-07 21:27 163328 c:\windows\ERUNT\SDFIX\ERDNT.EXE
+ 2009-07-12 02:46 . 2009-07-12 02:46 1093120 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80u.dll
+ 2009-07-12 02:46 . 2009-07-12 02:46 1105920 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="c:\program files\Ares\Ares.exe" [2009-01-27 983040]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-04-29 5248312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hcontrol"="c:\windows\ATK0100\Hcontrol.exe" [2004-07-19 61440]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-08 114688]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-02 339968]
"CreateCD_Reminder"="c:\windows\Sonysys\VAIO Recovery\reminder.exe" [2004-07-16 53248]
"TVTunerLib"="c:\program files\Common Files\Sony Shared\TVTunerLib\TVTLInstTool.exe" [2005-02-17 245760]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-01-15 184320]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2005-01-21 167936]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-01-14 151552]
"VZRemoteCommander"="c:\program files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe" [2005-01-31 192512]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SsAAD.exe"="c:\progra~1\sony\SONICS~1\SsAAD.exe" [2005-01-25 81920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"FixCamera"="c:\windows\FixCamera.exe" [2006-06-01 20480]
"tsnp2std"="c:\windows\tsnp2std.exe" [2006-01-07 110592]
"snp2std"="c:\windows\vsnp2std.exe" [2006-01-06 344064]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
VAIO Launcher.lnk - c:\program files\Sony\VAIO Launcher\Launcher.exe [2008-12-11 778240]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Recording Status.lnk - c:\program files\Sony\vaio entertainment\VzTrayIcon.exe [2008-12-11 299008]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-01-18 20:48 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/12/2009 9:58 PM 24652]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [3/3/2005 4:41 PM 71961]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 6:47 AM 98304]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/4/2004 5:40 AM 118784]
S3 fa410;NETGEAR FA410TX Fast Ethernet PC Card Driver;c:\windows\system32\drivers\fa410nd5.sys [3/3/2005 9:50 AM 24618]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
.
Contents of the 'Scheduled Tasks' folder

2008-12-11 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-03-03 12:00]

2008-12-11 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-03-03 12:00]

2008-12-11 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-03-03 12:00]
.
.
------- Supplementary Scan -------
.
mWindow Title = Windows Internet Explorer provided by Comcast
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\Sysadmin\Application Data\Mozilla\Firefox\Profiles\k9xy716l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\documents and settings\Sysadmin\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Sysadmin\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\Sysadmin\Local Settings\Application Data\Yahoo!\BrowserPlus\2.9.2\Plugins\npybrowserplus_2.9.2.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-17 21:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\VESWinlogon.dll
.
Completion time: 2010-07-17 21:26:29
ComboFix-quarantined-files.txt 2010-07-18 03:26
ComboFix2.txt 2010-07-15 18:34
ComboFix3.txt 2010-07-15 05:04
ComboFix4.txt 2010-07-12 00:39
ComboFix5.txt 2010-07-18 03:20

Pre-Run: 103,561,228,288 bytes free
Post-Run: 103,603,482,624 bytes free

- - End Of File - - 72FD32F607225AE1B8FB987A613D1283
Upload was successful

Well, the computer seems to be running OK, with the exception of my sound drivers being gone. I'll probably need a few hours of play time to see if it's still acting up, and I'll post back in the morning with the update.

#10 Blade


Posted 17 July 2010 - 11:32 PM

Hello.

Glad to hear it's running better. I'd like to get a follow-up scan as well. . . seems like we were dealing with some fairly new malware here.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Note for Vista Users: ESET is compatible, but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

~Blade


In your next reply, please include the following:
ESET Online Scan log



#11 offroadguy32


Posted 19 July 2010 - 11:46 AM

C:\Qoobox\Quarantine\[4]-Submit_2010-07-17_21.20.39.zip multiple threats deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\ernel32.dll.vir a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\555w5.dll.vir a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\931oCEIQ9.dll.vir a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\93gM931cE.dll.vir a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\93oC9s1eI.dll.vir a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\9eI7q3179.dll.vir a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\9gMYW3uOC.dll.vir a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\9i1q931oC.dll.vir a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\9iQG9i1q9.dll.vir a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\9iQG9iQ7w.dll.vir a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\9sKUOC179.dll.vir a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\9u1mYW17y.dll.vir a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\9y1cE3179.dll.vir a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\e3a7kUO7o.dll.vir a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\g55aA.dll.vir a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\kU5mY.dll.vir a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\M3gMYWSK9.dll.vir a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\Q555o.dll.vir a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\S31sK31gM.dll.vir a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\S3eI9qG79.dll.vir a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\wS55s.dll.vir a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\spool\prtprocs\w32x86\Y55o5.dll.vir a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP87\A0076152.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP87\A0077152.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP87\A0077165.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP87\A0077177.dll a variant of Win32/PSW.Papras.BO trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP88\A0077276.dll a variant of Win32/Cimag.CL trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP88\A0077277.dll a variant of Win32/Cimag.CK trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP88\A0077278.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP88\A0077279.bat BAT/Agent.NFC trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP88\A0077280.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP88\A0077281.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP88\A0077282.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP88\A0077283.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP88\A0077393.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP88\A0077405.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP88\A0077417.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP88\A0077433.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP88\A0077442.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP88\A0077451.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP88\A0077464.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP88\A0077480.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP88\A0077491.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP88\A0077500.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP88\A0077509.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP88\A0077524.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP88\A0078586.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP88\A0078611.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP88\A0078682.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP88\snapshot\MFEX-1.DAT a variant of Win32/PSW.Papras.BO trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP89\A0078739.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP89\A0078744.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP89\A0078745.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP89\A0078746.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP89\A0078747.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP89\A0078748.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP89\A0078749.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP89\A0078750.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP89\A0078751.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP89\A0078752.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP89\A0078753.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP89\A0078754.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP89\A0078755.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP89\A0078756.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP89\A0078757.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP89\A0078758.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP89\A0078759.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP89\A0078760.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP89\A0078850.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP89\A0078871.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP89\A0078880.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP89\A0078889.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP89\A0078899.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP89\A0078908.dll a variant of Win32/PSW.Papras.BO trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP89\A0079903.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP89\A0079912.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP89\A0079931.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP89\A0079950.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0079985.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0080062.dll Win32/PSW.Papras.BO trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0080087.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0080160.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0080172.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0081279.dll a variant of Win32/Cimag.CK trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0081280.dll a variant of Win32/Cimag.CU trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0081281.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0081282.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0081283.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0081284.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0081285.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0081286.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0081287.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0081288.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0081289.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0081290.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0081291.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0081292.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0081293.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0081294.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0081295.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0081466.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0081479.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0082483.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0082492.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0082507.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0082517.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0082527.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0082538.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0082585.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0082597.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0082606.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0082615.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0083614.exe Win32/Adware.SpywareProtect2009 application cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0083647.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0083652.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0083653.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0083654.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0083655.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0083656.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0083657.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0083658.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0083659.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0083660.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0083661.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0083662.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0083663.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0083664.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0083760.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0083769.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0083778.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0083787.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0083796.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP90\A0083809.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0083818.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0083827.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0083839.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0083848.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0084848.exe Win32/Adware.SpywareProtect2009 application cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0084854.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0085955.exe Win32/Adware.SpywareProtect2009 application cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0085959.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0085964.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0085965.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0085966.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0085967.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0085968.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0085969.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0085970.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0085971.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0085972.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0085973.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0085974.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0085975.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0085976.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0086094.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0086095.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0086174.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0086187.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0086196.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0087200.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0087212.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0087223.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0087234.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0087246.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0087260.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0087275.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0087317.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0087318.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0087319.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0087320.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0087321.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0087322.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0087323.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0087324.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0087325.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0087326.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0087327.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0087328.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0087403.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0087412.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0087425.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0087457.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0087458.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0087459.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0089425.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0089444.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0089456.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP91\A0089468.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP92\A0089546.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP92\A0089547.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP92\A0089548.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP92\A0089549.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP92\A0089550.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{5F6B2FF9-5C86-43BB-AA40-0C3023B5B245}\RP92\A0089551.dll a variant of Win32/Kryptik.FGR trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\dvdptify.dll Win32/PSW.Papras.BO trojan cleaned by deleting - quarantined


#12 Blade

    Strong in the Bleepforce

  • Site Admin

Posted 20 July 2010 - 01:46 AM

Alright. . . looks like we're about done here.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 21.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

***************************************************

Your Adobe Reader is out of date. Please uninstall it through Add/Remove Programs and download the latest version from Adobe: Download
Please untick all proposed toolbars unless you really want them.

***************************************************

Now, let's clean up our mess.
  • Click on Start>Run
  • Now type combofix /Uninstall in the runbox and click OK. Notice the space between the "x" and "/".
  • You will then receive a message letting you know that Combofix was uninstalled Successfully.
This will remove files/folders associated with combofix and uninstall it.

***************************************************
  • Please double click on the icon on your desktop.
  • Click the large button marked "Cleanup"
***************************************************

Your machine appears to be clean!

If you disabled emulation drivers earlier, you can re-enable them now if you wish:

To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

***************************************************

I highly recommend that you read through the below set of very helpful suggestions and implement them; they will help protect you from reinfection. I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache!
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates separately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

For a nice list of freeware programs in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.

Another recommendation, is to download HostsMan. It safeguards you with a regularly updated Hosts-file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installation and setting up, follow these steps:
  1. Double-click the Downloaded installer and install the tool to a location of your choice
  2. Via the Startmenu, navigate to HostsMan and run the program.
    1. Click "Hosts" in the menu
    2. Click "Manage Updates" in the submenu
    3. Out of the three, select at least one of them (I have MVPS Host as my main one)
    4. Click "Add Update." After that you will only need to click on the following button to retrieve updates:
  3. Click the X to exit the program.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

Glad I was able to help and if there any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

~Blade


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+
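
The HostsMan recommendation above works by mapping unwanted domains to a null address in the hosts file; the hijack this thread is about can abuse the very same file in the other direction. The following audit is an added example written for this thread (it is not HostsMan's code and not from any post here): it parses a hosts file, keeps the stock localhost line and block-list entries apart, and flags any hostname pointed at an address outside the machine or the LAN. The sample hosts content, the `.test` domain names and the IP `198.51.100.23` are constructed for the demonstration.

```python
"""Audit a Windows hosts file for hijack-style entries.

Added example for this thread; not HostsMan's code and not from the original
posts. A block list such as the MVPS hosts file maps unwanted domains to a
null/loopback address (0.0.0.0 or 127.0.0.1), which just makes them
unreachable. A hijacked hosts file does the opposite: it maps a real site to
an address the attacker controls, so the browser is redirected without any
DNS lookup taking place. This audit separates the two cases.
"""
import ipaddress

# RFC 1918 and link-local ranges: a hostname pointed here is normally a LAN
# machine, which is informational rather than a redirect to a third party.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Constructed sample (not taken from the user's machine): the stock Windows XP
# entry, two MVPS-style block entries, two hijack-style entries that send real
# sites to an address outside the machine, and one LAN entry. The .test names
# and the address 198.51.100.23 are invented for the example.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1\tlocalhost
0.0.0.0\tads.example-adserver.test      # block entry: made unreachable
127.0.0.1\ttracker.example.test
198.51.100.23\twww.google.com           # hijack: real site sent elsewhere
198.51.100.23\tupdate.microsoft.com
192.168.1.10\tfileserver.lan
"""

def parse_hosts(text):
    """Yield (line_number, address, [hostnames]) for every active line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip comments and padding
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                             # address with no hostname
        yield lineno, fields[0], fields[1:]

def classify(address, names):
    """Return one of: system, blocklist, lan, hijack, malformed."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "malformed"
    if ip.is_loopback or ip.is_unspecified:
        # 127.0.0.1, ::1 or 0.0.0.0: only the stock localhost line is "system"
        return "system" if names == ["localhost"] else "blocklist"
    if any(ip in net for net in LAN_NETWORKS):
        return "lan"
    # Any other address overrides DNS for a real hostname: treat as a hijack.
    return "hijack"

def audit_hosts(text):
    """Group active entries by category; each entry is (lineno, address, names)."""
    report = {k: [] for k in ("system", "blocklist", "lan", "hijack", "malformed")}
    for lineno, address, names in parse_hosts(text):
        report[classify(address, names)].append((lineno, address, names))
    return report

if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    for lineno, address, names in result["hijack"]:
        print(f"line {lineno}: {address} -> {' '.join(names)}  <-- redirect, investigate")
    print(f"{len(result['blocklist'])} block-list entries, "
          f"{len(result['lan'])} LAN entries, {len(result['hijack'])} hijack entries")
```

On a real machine, read `%SystemRoot%\system32\drivers\etc\hosts` and pass its contents to `audit_hosts`. A clean hosts file is not proof that nothing is redirecting the browser: as the OTL instructions later in this thread show, proxy settings, the browser's search and keyword URLs, and the DNS server configuration are separate channels that need their own checks.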


#13 offroadguy32

  • Topic Starter
  • Members

Posted 20 July 2010 - 10:14 PM

Ok so I uninstalled ComboFix and updated my Java and Adobe, but I still keep getting sent to Google Analytics whenever I try to navigate, and random porn torrent sites as well. I don't think it's clean yet. But regardless, let me know what you think.

#14 Blade

    Strong in the Bleepforce

  • Site Admin

Posted 20 July 2010 - 11:07 PM

I'm sorry. . . I must have misunderstood you earlier. I thought you had said the computer was operating normally. Sorry about the confusion.

Let's take another whack at it.

We'll start by getting a new overview of the system.
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the "Custom Scans/Fixes" section paste in the below in bold

    netsvc
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
  • Push the button.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and paste them into the body of your next reply.

***************************************************

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.log" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and copy/paste its contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try unchecking the Devices box in addition to the others previously requested. Also, try running GMER in Safe Mode.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


~Blade


In your next reply, please include the following:
OTL.txt
Extras.txt
Gmer.log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+
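
The OTL scan requested above produces one line per running process, loaded module, service and driver, and the helper reads those lines for two things in particular: registry entries whose binary no longer exists ("File not found"), and executables that carry no company name in their version information, which matter most when they sit in a temp or profile directory. The triage script below is an added example written for this thread, not OTL's own code and not from any post here. It parses OTL's line format and reports just those two classes. The sample report is constructed in OTL's format and modelled on the log posted later in the thread; the Temp executable `xk2mv.exe` is hypothetical, and the dates and sizes are illustrative.

```python
"""Triage the PRC/MOD/SRV/DRV lines of an OTL report.

Added example, not part of this thread and not OTL's own code. OTL prints
one line per process, module, service and driver in the form

  KIND - [mtime | size | attrs | flag] (company) [state] -- path -- (name) description

or "KIND - File not found [state] -- path -- (name)" when the registry still
points at a binary that is gone. Two signals an analyst pulls from those
lines are extracted here: orphaned service/driver entries, and executables
with no company name, split by whether they live in a user/temp directory.
"""
import re

FOUND_RE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV) - \[(?P<mtime>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>\S+) \| (?P<flag>\w)\] \((?P<company>[^)]*)\)"
    r"(?: \[(?P<state>[^\]]*)\])? -- (?P<path>.+?)(?: -- \((?P<name>[^)]*)\).*)?$"
)
MISSING_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - File not found \[(?P<state>[^\]]*)\] -- "
    r"(?P<path>.+?) -- \((?P<name>[^)]*)\)"
)

# Company names that do not earn a finding on their own. Version-info company
# names are self-declared, so this only trims noise; it is not a trust decision.
TRUSTED_COMPANIES = {"microsoft corporation"}
# Lower-case path fragments where a nameless executable is most suspicious.
USER_DIR_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\",
                    "\\application data\\", "\\documents and settings\\")

# Constructed sample in OTL's format, modelled on the log in this thread.
# "xk2mv.exe" is a hypothetical name; dates and sizes are illustrative.
SAMPLE_OTL = r"""
PRC - [2010/07/22 12:54:37 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
PRC - [2006/06/01 12:26:10 | 000,020,480 | ---- | M] () -- C:\WINDOWS\FixCamera.exe
PRC - [2010/07/20 09:11:02 | 000,061,440 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Temp\xk2mv.exe
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2004/08/04 06:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\svchost.exe -- (Dnscache) DNS Client
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\User\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2004/08/04 06:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\atapi.sys -- (atapi)
"""

def triage_line(line):
    """Return (category, kind, path) for a line worth attention, else None."""
    m = MISSING_RE.match(line)
    if m:
        return ("orphan", m["kind"], m["path"])        # registry points at a missing binary
    m = FOUND_RE.match(line)
    if not m:
        return None                                     # not a PRC/MOD/SRV/DRV line
    company = m["company"].strip().lower()
    path = m["path"].lower()
    if company in TRUSTED_COMPANIES or company:
        return None                                     # has a company name: not flagged here
    if any(marker in path for marker in USER_DIR_MARKERS):
        return ("suspect", m["kind"], m["path"])        # nameless binary in a user/temp dir
    return ("nocompany", m["kind"], m["path"])          # nameless, in a system/program dir

def triage_report(text):
    """Run triage_line over a whole report and return findings in log order."""
    findings = []
    for line in text.splitlines():
        finding = triage_line(line.rstrip())
        if finding:
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for category, kind, path in triage_report(SAMPLE_OTL):
        print(f"{category:<10} {kind}  {path}")
```

The "suspect" and "nocompany" buckets are starting points for a file lookup (hash, signature, publisher), not verdicts: plenty of legitimate OEM utilities ship without version information, as the Sony and camera binaries in this thread's log show, and a trusted-looking company string proves nothing because it is set by whoever built the file. The "orphan" bucket is what the helper later cleans up: entries whose binary is already gone, such as a removal tool's leftover driver.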


#15 offroadguy32

  • Topic Starter
  • Members

Posted 22 July 2010 - 02:21 PM

OTL logfile created on: 7/22/2010 12:55:08 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Sysadmin\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 73.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.78 Gb Total Space | 96.83 Gb Free Space | 86.62% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: E34248DE5B9A4A0
Current User Name: Sysadmin
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/07/22 12:54:37 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sysadmin\Desktop\OTL.exe
PRC - [2010/07/21 15:45:15 | 000,014,808 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe
PRC - [2010/07/21 15:45:14 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/04/29 16:59:14 | 005,248,312 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
PRC - [2009/01/27 14:37:46 | 000,983,040 | ---- | M] (Ares Development Group) -- C:\Program Files\Ares\Ares.exe
PRC - [2008/04/24 13:26:18 | 000,202,560 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
PRC - [2007/01/04 15:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2006/06/01 12:26:10 | 000,020,480 | ---- | M] () -- C:\WINDOWS\FixCamera.exe
PRC - [2006/01/06 18:39:22 | 000,110,592 | ---- | M] () -- C:\WINDOWS\tsnp2std.exe
PRC - [2006/01/06 14:57:06 | 000,344,064 | ---- | M] (Sonix) -- C:\WINDOWS\vsnp2std.exe
PRC - [2005/02/10 14:51:08 | 000,299,008 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\vaio entertainment\VzTrayIcon.exe
PRC - [2005/02/10 14:44:04 | 000,397,312 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\vaio entertainment\VzTaskScheduler.exe
PRC - [2005/02/09 11:43:52 | 000,167,936 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
PRC - [2005/02/09 11:43:52 | 000,135,168 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
PRC - [2005/02/09 11:43:52 | 000,073,728 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
PRC - [2005/02/09 11:43:50 | 000,270,336 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
PRC - [2005/02/09 07:43:58 | 000,143,360 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
PRC - [2005/01/31 12:10:44 | 000,192,512 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe
PRC - [2005/01/24 21:58:02 | 000,081,920 | ---- | M] () -- C:\Program Files\Sony\sonicstage\SSAAD.exe
PRC - [2005/01/24 20:36:52 | 000,069,632 | ---- | M] (Sony Corporation) -- C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
PRC - [2005/01/21 21:53:36 | 000,150,528 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
PRC - [2005/01/20 22:24:00 | 000,167,936 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
PRC - [2005/01/14 18:18:18 | 000,184,320 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
PRC - [2004/12/14 06:44:06 | 000,029,696 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
PRC - [2004/10/21 13:41:48 | 000,360,521 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2004/10/21 13:40:02 | 000,086,016 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2004/10/21 13:38:46 | 000,139,264 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2004/10/04 06:47:04 | 000,098,304 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
PRC - [2004/10/04 05:40:50 | 000,118,784 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
PRC - [2004/08/04 06:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/02/20 16:12:34 | 000,032,768 | ---- | M] (Sony Corporation) -- C:\Program Files\Sony\ISB Utility\ISBMgr.exe
PRC - [2003/11/07 18:21:28 | 000,114,688 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
PRC - [2003/02/26 12:08:42 | 000,045,056 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApntEx.exe
PRC - [2002/12/17 19:23:32 | 000,074,308 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe


========== Modules (SafeList) ==========

MOD - [2010/07/22 12:54:37 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sysadmin\Desktop\OTL.exe
MOD - [2004/08/04 06:00:00 | 001,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
MOD - [2004/08/04 06:00:00 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2008/04/24 13:26:18 | 000,202,560 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe -- (sprtsvc_ddoctorv2) SupportSoft Sprocket Service (ddoctorv2)
SRV - [2007/01/04 15:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2005/02/14 23:30:02 | 000,032,768 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\Image Converter 2\IcVzMon.exe -- (Image Converter video recording monitor for VAIO Entertainment)
SRV - [2005/02/10 14:44:04 | 000,397,312 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files\Sony\vaio entertainment\VzTaskScheduler.exe -- (VAIO Entertainment Task Scheduler)
SRV - [2005/02/09 11:43:52 | 000,167,936 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe -- (VzCdbSvc)
SRV - [2005/02/09 11:43:52 | 000,135,168 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe -- (VzFw)
SRV - [2005/02/09 11:43:52 | 000,073,728 | ---- | M] (Sony Corporation) [On_Demand | Running] -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe -- (VAIO Entertainment TV Device Arbitration Service)
SRV - [2005/02/09 11:43:50 | 000,270,336 | ---- | M] (Sony Corporation) [On_Demand | Running] -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe -- (Vcsw)
SRV - [2005/02/09 07:43:58 | 000,143,360 | ---- | M] (Sony Corporation) [On_Demand | Running] -- C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe -- (VAIO Entertainment Aggregation and Control Service)
SRV - [2005/01/26 17:30:04 | 000,053,337 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe -- (MSCSPTISRV)
SRV - [2005/01/26 17:25:34 | 000,053,337 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe -- (PACSPTISVR)
SRV - [2005/01/26 17:20:14 | 000,069,718 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV)
SRV - [2005/01/24 20:36:52 | 000,069,632 | ---- | M] (Sony Corporation) [On_Demand | Running] -- C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe -- (SSScsiSV)
SRV - [2005/01/21 21:53:36 | 000,150,528 | ---- | M] (Sony Corporation) [Auto | Running] -- C:\Program Files\Sony\VAIO Event Service\VESMgr.exe -- (VAIO Event Service)
SRV - [2005/01/14 18:18:48 | 001,839,104 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe -- (VAIOMediaPlatform-IntegratedServer-AppServer)
SRV - [2005/01/14 17:26:56 | 000,745,472 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe -- (VAIOMediaPlatform-IntegratedServer-UPnP) VAIO Media Integrated Server (UPnP)
SRV - [2005/01/14 17:21:32 | 000,057,344 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe -- (VAIOMediaPlatform-IntegratedServer-HTTP) VAIO Media Integrated Server (HTTP)
SRV - [2005/01/14 17:20:14 | 000,188,416 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe -- (VAIOMediaPlatform-Mobile-Gateway)
SRV - [2004/10/21 13:41:48 | 000,360,521 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor)
SRV - [2004/10/21 13:40:02 | 000,086,016 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng)
SRV - [2004/10/21 13:38:46 | 000,139,264 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc)
SRV - [2004/10/04 06:47:04 | 000,098,304 | ---- | M] () [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor)
SRV - [2004/10/04 05:40:50 | 000,118,784 | ---- | M] () [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe -- (PhotoshopElementsDeviceConnect)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Sysadmin\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2006/05/13 15:57:50 | 010,305,664 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\snp2sxp.sys -- (SNP2STD) USB2.0 PC Camera (SNP2STD)
DRV - [2005/02/22 18:18:00 | 002,522,560 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2005/02/01 23:39:20 | 000,970,240 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/01/11 16:13:42 | 000,237,440 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SONYTVC.sys -- (SONYTVC)
DRV - [2005/01/07 02:01:40 | 000,052,736 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifmsony.sys -- (tifmsony)
DRV - [2004/12/03 08:07:14 | 003,249,920 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel®
DRV - [2004/10/15 16:52:48 | 000,071,168 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys -- (RTL8023xp)
DRV - [2004/10/15 13:20:04 | 000,011,354 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2004/09/08 13:37:10 | 000,161,024 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2004/09/08 13:36:54 | 000,685,184 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/09/08 13:36:20 | 001,041,536 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2004/08/12 19:45:54 | 000,137,728 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2003/09/29 14:31:38 | 000,094,601 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2003/09/26 18:33:14 | 000,005,786 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ATKACPI.sys -- (MTsensor)
DRV - [2003/06/18 18:12:50 | 000,071,961 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SonyPI.sys -- (SPI)
DRV - [2001/08/17 06:12:32 | 000,024,618 | ---- | M] (NETGEAR) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\fa410nd5.sys -- (fa410)
DRV - [2000/12/05 18:18:02 | 000,003,952 | ---- | M] (Sony Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\DMICall.sys -- (DMICall)
DRV - [2000/11/09 21:15:08 | 000,048,896 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SonyNC.sys -- (SNC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople

IE - HKU\S-1-5-21-3060435890-265259444-4165225268-1006\..\URLSearchHook: {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
IE - HKU\S-1-5-21-3060435890-265259444-4165225268-1006\..\URLSearchHook: {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll (America Online, Inc.)
IE - HKU\S-1-5-21-3060435890-265259444-4165225268-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "AIM Search"
FF - prefs.js..browser.search.defaulturl: "http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query="
FF - prefs.js..browser.search.selectedEngine: "AIM Search"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "www.google.com"
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..keyword.URL: "http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query="

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/21 15:45:19 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/21 18:56:08 | 000,000,000 | ---D | M]

[2008/12/18 12:14:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sysadmin\Application Data\Mozilla\Extensions
[2010/07/21 18:57:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Sysadmin\Application Data\Mozilla\Firefox\Profiles\k9xy716l.default\extensions
[2009/01/12 21:58:52 | 000,001,739 | ---- | M] () -- C:\Documents and Settings\Sysadmin\Application Data\Mozilla\Firefox\Profiles\k9xy716l.default\searchplugins\aim-search.xml
[2010/07/21 15:46:17 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/06/28 10:01:55 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/07/20 21:12:04 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/06/22 04:36:30 | 000,423,656 | ---- | M] (Oracle) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2007/04/16 11:07:12 | 000,180,293 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

O1 HOSTS File: ([2010/07/17 21:24:57 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll File not found
O2 - BHO: (AOLSearchHook Class) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll (America Online, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll File not found
O2 - BHO: (AIM Toolbar Loader) - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll File not found
O3 - HKLM\..\Toolbar: (AIM Toolbar) - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O3 - HKU\S-1-5-21-3060435890-265259444-4165225268-1006\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-3060435890-265259444-4165225268-1006\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKU\S-1-5-21-3060435890-265259444-4165225268-1006\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll File not found
O3 - HKU\S-1-5-21-3060435890-265259444-4165225268-1006\..\Toolbar\WebBrowser: (AIM Toolbar) - {61539ECD-CC67-4437-A03C-9AACCBD14326} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [CreateCD_Reminder] C:\WINDOWS\SONYSYS\VAIO Recovery\Reminder.exe (Sony Electronics, Inc)
O4 - HKLM..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe ()
O4 - HKLM..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe ()
O4 - HKLM..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe (Sony Corporation)
O4 - HKLM..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe (Sonix)
O4 - HKLM..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe (Sony Corporation)
O4 - HKLM..\Run: [SsAAD.exe] C:\Program Files\Sony\sonicstage\SSAAD.exe ()
O4 - HKLM..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe (Sony Corporation)
O4 - HKLM..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe ()
O4 - HKLM..\Run: [TVTunerLib] C:\Program Files\Common Files\Sony Shared\TVTunerLib\TVTLInstTool.exe (Sony Corporation)
O4 - HKLM..\Run: [VAIO Recovery] C:\WINDOWS\SONYSYS\VAIO Recovery\PartSeal.exe (Sony Electronics Inc)
O4 - HKLM..\Run: [VAIO Update 2] C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe (Sony Corporation)
O4 - HKLM..\Run: [VZRemoteCommander] C:\Program Files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe (Sony Corporation)
O4 - HKU\S-1-5-21-3060435890-265259444-4165225268-1006..\Run: [ares] C:\Program Files\Ares\Ares.exe (Ares Development Group)
O4 - HKU\S-1-5-21-3060435890-265259444-4165225268-1006..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\VAIO Launcher.lnk = C:\Program Files\Sony\VAIO Launcher\Launcher.exe (Sony Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Recording Status.lnk = C:\Program Files\Sony\vaio entertainment\VzTrayIcon.exe (Sony Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\VAIO Launcher.lnk = C:\Program Files\Sony\VAIO Launcher\Launcher.exe (Sony Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3060435890-265259444-4165225268-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3060435890-265259444-4165225268-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3060435890-265259444-4165225268-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-3060435890-265259444-4165225268-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html ()
O9 - Extra Button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll (AOL LLC.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 205.171.3.25
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\VESWinlogon: DllName - VESWinlogon.dll - C:\WINDOWS\System32\VESWinlogon.dll (Sony Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Sysadmin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Sysadmin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/03/03 17:56:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

CREATERESTOREPOINT
Error starting restore point: System Restore is disabled.
Error closing restore point: System Restore is disabled.

========== Files/Folders - Created Within 30 Days ==========

[2010/07/22 12:54:34 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Sysadmin\Desktop\OTL.exe
[2010/07/20 21:12:01 | 000,153,376 | ---- | C] (Oracle) -- C:\WINDOWS\System32\javaws.exe
[2010/07/20 21:12:01 | 000,145,184 | ---- | C] (Oracle) -- C:\WINDOWS\System32\javaw.exe
[2010/07/20 21:12:01 | 000,145,184 | ---- | C] (Oracle) -- C:\WINDOWS\System32\java.exe
[2010/07/20 21:10:58 | 000,875,296 | ---- | C] (Oracle) -- C:\Documents and Settings\Sysadmin\Desktop\jre-6u21-windows-i586-iftw-rv.exe
[2010/07/19 09:58:12 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/07/16 01:07:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sysadmin\Local Settings\Application Data\Yahoo!
[2010/07/14 23:04:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/07/10 21:16:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sysadmin\Local Settings\Application Data\lpssjmwpl
[2010/07/07 20:47:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sysadmin\Local Settings\Application Data\nbhoonrie
[2010/07/05 20:37:13 | 000,577,024 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\user32.dll
[2010/07/05 20:35:16 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2010/07/05 20:14:24 | 000,004,224 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\tmprdpcdd.sys
[2010/07/05 20:14:24 | 000,000,000 | ---D | C] -- C:\backup
[2010/07/03 18:43:31 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/06/28 10:02:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/06/28 10:01:53 | 000,423,656 | ---- | C] (Oracle) -- C:\WINDOWS\System32\deployJava1.dll
[2010/06/24 21:26:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sysadmin\Desktop\SmitfraudFix
[2010/06/23 11:43:24 | 000,000,000 | ---D | C] -- C:\spoolerlogs
[2009/02/22 19:47:36 | 000,147,456 | ---- | C] ( ) -- C:\WINDOWS\rsnp2std.dll
[2009/02/22 19:47:36 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\csnp2std.dll
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/07/22 12:54:37 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sysadmin\Desktop\OTL.exe
[2010/07/22 12:50:25 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/22 12:50:13 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/22 12:50:02 | 2146,816,000 | -HS- | M] () -- C:\hiberfil.sys
[2010/07/21 23:04:17 | 003,407,872 | -H-- | M] () -- C:\Documents and Settings\Sysadmin\NTUSER.DAT
[2010/07/21 23:04:17 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Sysadmin\ntuser.ini
[2010/07/21 16:07:03 | 004,840,364 | -H-- | M] () -- C:\Documents and Settings\Sysadmin\Local Settings\Application Data\IconCache.db
[2010/07/21 16:01:22 | 000,035,111 | ---- | M] () -- C:\Documents and Settings\Sysadmin\Desktop\Team_Spock_by_imbatman1313.jpg
[2010/07/21 02:08:20 | 000,043,270 | ---- | M] () -- C:\Documents and Settings\Sysadmin\My Documents\Image.jpg
[2010/07/20 21:10:59 | 000,875,296 | ---- | M] (Oracle) -- C:\Documents and Settings\Sysadmin\Desktop\jre-6u21-windows-i586-iftw-rv.exe
[2010/07/18 18:38:29 | 002,672,312 | ---- | M] () -- C:\Documents and Settings\Sysadmin\Desktop\esetsmartinstaller_enu.exe
[2010/07/17 21:25:04 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/07/17 21:24:57 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/07/16 23:15:02 | 000,724,952 | ---- | M] () -- C:\Documents and Settings\Sysadmin\Desktop\avenger.zip
[2010/07/11 19:26:30 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/11 17:47:12 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Sysadmin\Desktop\3i8cgvmx.exe
[2010/07/11 17:46:31 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Sysadmin\Desktop\dds.scr
[2010/07/05 20:37:13 | 000,577,024 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\user32.dll
[2010/07/05 20:30:14 | 001,529,241 | ---- | M] () -- C:\Documents and Settings\Sysadmin\My Documents\SDFix.exe
[2010/07/05 19:52:22 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/03 18:43:37 | 000,000,264 | RHS- | M] () -- C:\boot.ini
[2010/07/03 18:26:23 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Wqisit.bin
[2010/07/02 00:12:10 | 000,000,753 | ---- | M] () -- C:\Documents and Settings\Sysadmin\My Documents\Shortcut to ComboFix.exe.lnk
[2010/07/01 17:55:07 | 000,012,800 | ---- | M] () -- C:\Documents and Settings\Sysadmin\My Documents\Lambda Chili Cookoff Outline.doc
[2010/06/24 21:26:16 | 001,872,472 | ---- | M] () -- C:\Documents and Settings\Sysadmin\Desktop\SmitfraudFix.exe
[2010/06/23 20:24:41 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/06/23 20:24:06 | 000,029,696 | ---- | M] () -- C:\Documents and Settings\Sysadmin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/07/21 16:01:21 | 000,035,111 | ---- | C] () -- C:\Documents and Settings\Sysadmin\Desktop\Team_Spock_by_imbatman1313.jpg
[2010/07/21 02:08:14 | 000,043,270 | ---- | C] () -- C:\Documents and Settings\Sysadmin\My Documents\Image.jpg
[2010/07/18 18:37:47 | 002,672,312 | ---- | C] () -- C:\Documents and Settings\Sysadmin\Desktop\esetsmartinstaller_enu.exe
[2010/07/16 23:14:59 | 000,724,952 | ---- | C] () -- C:\Documents and Settings\Sysadmin\Desktop\avenger.zip
[2010/07/15 12:22:52 | 2146,816,000 | -HS- | C] () -- C:\hiberfil.sys
[2010/07/11 19:26:30 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/11 17:47:09 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Sysadmin\Desktop\3i8cgvmx.exe
[2010/07/11 17:46:28 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Sysadmin\Desktop\dds.scr
[2010/07/05 20:30:06 | 001,529,241 | ---- | C] () -- C:\Documents and Settings\Sysadmin\My Documents\SDFix.exe
[2010/07/03 18:43:37 | 000,000,194 | ---- | C] () -- C:\Boot.bak
[2010/07/03 18:43:33 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/07/01 20:23:03 | 000,000,753 | ---- | C] () -- C:\Documents and Settings\Sysadmin\My Documents\Shortcut to ComboFix.exe.lnk
[2010/07/01 17:55:04 | 000,012,800 | ---- | C] () -- C:\Documents and Settings\Sysadmin\My Documents\Lambda Chili Cookoff Outline.doc
[2010/06/24 21:25:54 | 001,872,472 | ---- | C] () -- C:\Documents and Settings\Sysadmin\Desktop\SmitfraudFix.exe
[2009/02/22 19:47:38 | 000,015,497 | ---- | C] () -- C:\WINDOWS\snp2std.ini
[2009/02/22 19:47:36 | 010,305,664 | ---- | C] () -- C:\WINDOWS\System32\drivers\snp2sxp.sys
[2008/12/11 15:11:28 | 000,002,158 | ---- | C] () -- C:\WINDOWS\System32\ssmute.ini
[2008/12/11 15:04:17 | 000,000,175 | ---- | C] () -- C:\WINDOWS\Quicken.ini
[2008/12/11 15:03:23 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2008/12/11 15:03:23 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2008/12/11 15:03:23 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2008/12/11 15:03:23 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2008/12/11 15:03:23 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2008/12/11 15:03:23 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2008/12/11 15:01:39 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/12/11 14:53:18 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\Cpuinf32.dll
[2005/03/04 18:27:27 | 000,000,800 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2005/03/04 18:11:22 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/03/04 12:45:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VAIOUpdt.INI
[2005/03/03 19:27:23 | 000,156,672 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2005/03/03 16:40:46 | 000,005,786 | ---- | C] () -- C:\WINDOWS\System32\drivers\ATKACPI.sys
[2005/03/03 16:40:14 | 000,000,762 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2005/03/03 16:40:04 | 000,016,280 | ---- | C] () -- C:\WINDOWS\equsesuzu.dll
[2005/03/03 16:40:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2005/03/03 16:39:51 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2005/01/18 13:31:00 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2003/01/07 17:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/06/12 15:21:12 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\winchip.dll
[2001/10/24 18:00:40 | 000,524,288 | ---- | C] () -- C:\WINDOWS\System32\TDI-SonyOMG.dll

========== Custom Scans ==========


< netsvc >

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:atapi.sys
[2004/08/04 00:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2004/08/04 00:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 06:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys
[2004/08/04 00:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2004/08/04 06:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2004/08/04 06:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2004/08/04 06:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2004/08/04 06:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 06:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2004/08/04 06:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2004/08/04 06:00:00 | 000,357,888 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2004/08/04 06:00:00 | 000,201,728 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
[2005/01/27 11:13:16 | 000,249,856 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\iepeers.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2005/03/03 09:46:59 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2005/03/03 09:46:59 | 000,638,976 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2005/03/03 09:46:59 | 000,909,312 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav
< End of report >

OTL Extras logfile created on: 7/22/2010 12:55:08 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Sysadmin\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 73.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.78 Gb Total Space | 96.83 Gb Free Space | 86.62% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: E34248DE5B9A4A0
Current User Name: Sysadmin
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-3060435890-265259444-4165225268-1006\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- (AOL LLC)
"C:\Program Files\Ares\Ares.exe" = C:\Program Files\Ares\Ares.exe:*:Enabled:Ares p2p for windows -- (Ares Development Group)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{013E1BA8-C815-4E27-BCB9-D6B1B2E24094}" = SonicStage Mastering Studio Audio Filter Custom Preset
"{01FDC9FC-4D4F-4DB0-ACD1-D3E8E1D52902}" = Sony MP4 Shared Library
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0DF00135-D5A7-476A-BFB3-EDFF2840076A}" = VAIO Wireless Utility
"{1A91D1FA-B9B3-4556-9878-5C61059A19B2}" = InterVideo WinDVDX
"{1BEF9285-5530-426B-A5F1-5836B95C7EB1}" = VAIO Original Screen Saver
"{1EB317D8-8945-4FD6-B37F-DF470317C6AB}" = VAIO Media 4.0
"{2063C2E8-3812-4BBD-9998-6610F80C1DD4}" = VAIO Media AC3 Decoder 1.0
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 21
"{27337663-2619-11D4-99DC-0000F49094C7}" = Memory Stick Formatter
"{28DA872A-0848-48CF-B749-19A198157A2A}" = mDriver
"{2A0F3EF9-68EE-49E9-A05B-ED5B82DF63E5}" = Wireless Switch Setting Utility
"{2DBE41DD-2129-4C65-A3D3-5647236A60F3}" = Quicken 2005
"{2F151B50-B434-4838-B51D-70442EBA093E}" = OpenMG Secure Module 4.1.00
"{315BA29D-2644-4760-B5FD-5AC04A52B8C5}" = VAIO Registration
"{318AB667-3230-41B5-A617-CB3BF748D371}" = iTunes
"{3248F0A8-6813-11D6-A77B-00B0D0150000}" = J2SE Runtime Environment 5.0
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}" = Microsoft Works
"{48820099-ED7D-424B-890C-9A82EF00656D}" = VAIO Update 2
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4E993095-28F2-4060-9101-99C1FD1195C0}" = VAIO Control Center
"{51735133-A296-4EB0-BF16-AD93B55BD000}" = VAIO Original Screen Saver VAIO Motion SD Wide Contents
"{59452470-A902-477F-9338-9B88101681BD}" = Setting Utility Series
"{639BB4D3-AA30-4A7B-8CB5-6DE681AD6659}" = VAIO Light Flo Wallpaper
"{685BCC47-B8EC-45EC-BBCE-77DF2451502C}" = DVgate Plus
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}" = mCore
"{7128C69B-8F7E-4336-8698-3FD3CDD955EC}" = VAIO Media Redistribution 4.0
"{75438C0E-9925-412E-AD85-D0E71C6CE2ED}" = ZVC7500 PC CAMERA
"{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility
"{7A79D11B-FD82-4A5E-834F-20173515DD14}" = VAIO Media Integrated Server 4.1
"{80EE18E6-F16C-11D4-8BE8-006097C9A3ED}" = ISScript
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{851C67EF-068A-4060-9EF5-2E3DDCD68382}" = Adobe Photoshop Elements 3.0
"{88DA0A52-3372-4803-971A-ADFB961707E8}" = PictureGear Studio 2.0
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{9155A84B-A94B-496E-9661-9978EB0CBC7C}" = Image Converter 2
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD for VAIO
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!
"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
"{9E319E96-ED8E-4B01-9775-C521A1869A25}" = VAIO Power Management
"{9E407618-D9CD-4F39-9490-9ED45294073D}" = Click to DVD 2.0.03 Menu Data
"{A0EB195B-5876-48E6-879D-33D4B2102610}" = SonicStage 3.0
"{A43F939E-A863-433D-AC78-0897E44CFEB2}" = VAIO Launcher
"{AB467B85-4F52-48C2-AEED-0673D00417B0}" = SonicStage Mastering Studio Audio Filter
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{AF9A04EB-7D8E-41DE-9EDE-4AB9BB2B71B6}" = VAIO Media Registration Tool 4.0
"{BE56FEF0-1A0F-4719-B3AD-34B5087AFA6D}" = Sony Video Shared Library
"{BF3B304B-8A18-452D-A19F-6012CA8418D7}" = SonicStage Mastering Studio 1.4
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D0448678-1203-4158-A58F-B3D0B616BF9E}" = Sony Certificate PCH
"{D87149B3-7A1D-4548-9CBF-032B791E5908}" = Desktop Doctor
"{D917FD82-6CE5-489A-AAF8-C701AAC85C4D}" = VAIO Entertainment Platform
"{DA7ECDA9-C6DD-4E4A-8EB8-9899E08C6740}" = SonicStage MP3 Add-on program
"{DC6E3CD5-A93D-44EA-85AE-894C1603B7E2}" = VAIO TV Tuner Library 1.4
"{E09B48B5-E141-427A-AB0C-D3605127224A}" = Microsoft SQL Server Desktop Engine (VAIO_VEDB)
"{E09E82C3-6C4D-45B0-8790-BBBEE39F1A3C}" = VAIO Zone Remote Commander
"{E809063C-51A3-4269-8984-D1EB742F2151}" = Click to DVD 2.4.02
"{EC4455AB-F155-4CC1-A4C5-88F3777F9886}" = Apple Mobile Device Support
"{ED8D39F2-7FFA-45EC-B148-EF2472955BB4}" = VAIO Zone
"{EE7EB179-5AA2-4B28-AC92-5CBAAF82BA7F}" = SonicStage Mastering Studio Plugins
"{EF3D45BB-2260-4008-88EA-492E7744A9DF}" = Sony Utilities DLL
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F0D85ADD-DD61-4B43-87A0-6DA52A211A8B}" = VAIO Event Service
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F44DA61E-720D-4E79-871F-F6E628B33242}" = OpenOffice.org 3.0
"{F958CA02-BB40-4007-894B-258729456EE4}" = QuickTime
"{FA11D5B5-7D0A-43E8-88C4-960F97B194DE}" = VAIO Survey Standalone
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AIM Search" = AIM Search
"AIM Toolbar" = AIM Toolbar
"AIM_6" = AIM 6
"All ATI Software" = ATI - Software Uninstall Utility
"Ares" = Ares 2.1.1
"ATI Display Driver" = ATI Display Driver
"ComcastHSI" = Comcast High-Speed Internet Install Wizard
"CONNECT" = CONNECT
"ESET Online Scanner" = ESET Online Scanner v3
"Hcontrol" = ATK0100 ACPI UTILITY
"InstallShield_{2DBE41DD-2129-4C65-A3D3-5647236A60F3}" = Quicken 2005
"InstallShield_{2F151B50-B434-4838-B51D-70442EBA093E}" = OpenMG Secure Module 4.1.00
"InstallShield_{315BA29D-2644-4760-B5FD-5AC04A52B8C5}" = VAIO Registration
"InstallShield_{FA11D5B5-7D0A-43E8-88C4-960F97B194DE}" = VAIO Survey Standalone
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MegaTune_is1" = uninstall
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"MoodLogic" = MoodLogic
"Mozilla Firefox (3.6.7)" = Mozilla Firefox (3.6.7)
"Netscape Online Setup" = Netscape Internet Service Setup
"OpenMG HotFix4.1-05-13-31-01" = OpenMG Limited Patch 4.1-05-13-31-01
"ProInst" = Intel® PROSet/Wireless Software
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"ViewpointMediaPlayer" = Viewpoint Media Player
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Yahoo! Messenger" = Yahoo! Messenger

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3060435890-265259444-4165225268-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player
"Yahoo! BrowserPlus" = Yahoo! BrowserPlus 2.9.2

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 6/24/2010 4:41:49 PM | Computer Name = E34248DE5B9A4A0 | Source = VzCdbSvc | ID = 7
Description = Failed to load the plug-in module. (GUID = {F508055A-CDBF-4D4D-BC8F-4D8E0D9B9E81})(Error
code = 0x80004005)

Error - 6/24/2010 4:49:21 PM | Computer Name = E34248DE5B9A4A0 | Source = Application Error | ID = 1000
Description = Faulting application spoolsv.exe, version 5.1.2600.2180, faulting
module unknown, version 0.0.0.0, fault address 0x00da2951.

Error - 6/24/2010 11:04:19 PM | Computer Name = E34248DE5B9A4A0 | Source = VzCdbSvc | ID = 7
Description = Failed to load the plug-in module. (GUID = {F508055A-CDBF-4D4D-BC8F-4D8E0D9B9E81})(Error
code = 0x80004005)

Error - 6/24/2010 11:04:25 PM | Computer Name = E34248DE5B9A4A0 | Source = Application Error | ID = 1000
Description = Faulting application spoolsv.exe, version 5.1.2600.2180, faulting
module unknown, version 0.0.0.0, fault address 0x00db2951.

Error - 6/24/2010 11:39:08 PM | Computer Name = E34248DE5B9A4A0 | Source = VzCdbSvc | ID = 7
Description = Failed to load the plug-in module. (GUID = {F508055A-CDBF-4D4D-BC8F-4D8E0D9B9E81})(Error
code = 0x80004005)

Error - 6/24/2010 11:39:23 PM | Computer Name = E34248DE5B9A4A0 | Source = Application Hang | ID = 1002
Description = Hanging application mbam.exe, version 1.46.0.1, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 6/25/2010 12:05:31 AM | Computer Name = E34248DE5B9A4A0 | Source = VzCdbSvc | ID = 7
Description = Failed to load the plug-in module. (GUID = {F508055A-CDBF-4D4D-BC8F-4D8E0D9B9E81})(Error
code = 0x80004005)

Error - 6/25/2010 12:43:51 AM | Computer Name = E34248DE5B9A4A0 | Source = VzCdbSvc | ID = 7
Description = Failed to load the plug-in module. (GUID = {F508055A-CDBF-4D4D-BC8F-4D8E0D9B9E81})(Error
code = 0x80004005)

Error - 6/25/2010 12:52:47 AM | Computer Name = E34248DE5B9A4A0 | Source = VzCdbSvc | ID = 7
Description = Failed to load the plug-in module. (GUID = {F508055A-CDBF-4D4D-BC8F-4D8E0D9B9E81})(Error
code = 0x80004005)

Error - 6/25/2010 12:52:54 AM | Computer Name = E34248DE5B9A4A0 | Source = Application Error | ID = 1000
Description = Faulting application spoolsv.exe, version 5.1.2600.2180, faulting
module unknown, version 0.0.0.0, fault address 0x00df2951.

[ System Events ]
Error - 7/20/2010 3:19:57 PM | Computer Name = E34248DE5B9A4A0 | Source = Service Control Manager | ID = 7022
Description = The VAIO Entertainment File Import Service service hung on starting.

Error - 7/20/2010 11:05:35 PM | Computer Name = E34248DE5B9A4A0 | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.2.8 for the Network Card with network
address 000E35E2A989 has been denied by the DHCP server 192.168.0.1 (The DHCP Server
sent a DHCPNACK message).

Error - 7/20/2010 11:07:35 PM | Computer Name = E34248DE5B9A4A0 | Source = Service Control Manager | ID = 7022
Description = The VAIO Entertainment File Import Service service hung on starting.

Error - 7/21/2010 2:57:41 PM | Computer Name = E34248DE5B9A4A0 | Source = Service Control Manager | ID = 7022
Description = The VAIO Entertainment File Import Service service hung on starting.

Error - 7/21/2010 4:57:16 PM | Computer Name = E34248DE5B9A4A0 | Source = Service Control Manager | ID = 7022
Description = The VAIO Entertainment File Import Service service hung on starting.

Error - 7/21/2010 8:58:08 PM | Computer Name = E34248DE5B9A4A0 | Source = Service Control Manager | ID = 7022
Description = The VAIO Entertainment File Import Service service hung on starting.

Error - 7/22/2010 1:02:21 AM | Computer Name = E34248DE5B9A4A0 | Source = Service Control Manager | ID = 7022
Description = The VAIO Entertainment File Import Service service hung on starting.

Error - 7/22/2010 2:52:29 PM | Computer Name = E34248DE5B9A4A0 | Source = Service Control Manager | ID = 7022
Description = The VAIO Entertainment File Import Service service hung on starting.

Error - 7/22/2010 2:55:20 PM | Computer Name = E34248DE5B9A4A0 | Source = SRService | ID = 104
Description = The System Restore initialization process failed.

Error - 7/22/2010 2:55:20 PM | Computer Name = E34248DE5B9A4A0 | Source = Service Control Manager | ID = 7023
Description = The System Restore Service service terminated with the following error:
%%2


< End of report >

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-22 13:21:17
Windows 5.1.2600 Service Pack 2
Running: 3i8cgvmx.exe; Driver: C:\DOCUME~1\Sysadmin\LOCALS~1\Temp\kwayqpod.sys


---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[3336] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3640] USER32.dll!TrackPopupMenu 77D94F16 5 Bytes JMP 10449A84 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1960] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [614AAE77] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1960] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [614AADA9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1960] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [614AA7A3] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1960] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [614AADE9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1960] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [614AAE77] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1960] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [614AADA9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1960] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [614AA7A3] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1960] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [614AADE9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1960] @ C:\WINDOWS\system32\USER32.dll [GDI32.dll!GetStockObject] [614A9CEC] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1960] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [614A9CEC] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1960] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [614AAE29] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1960] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [614AAE77] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1960] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [614AADE9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1960] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [614AADA9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1960] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [614AA7A3] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1960] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [614AA3BA] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1960] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [614AA3BA] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1960] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [614A9C27] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1960] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [614A9B56] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1960] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [614A9B94] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1960] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetStockObject] [614A9CEC] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1960] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [614AADA9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1960] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [614AADE9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1960] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [614AA7A3] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1960] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [614AAE77] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1960] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [614AAE29] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1960] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [614A9D87] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1960] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [614A9B94] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1960] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [614AA3BA] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1960] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [614A9C27] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1960] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [614AA3BA] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1960] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [614A9CF2] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1960] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [614A9B56] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1960] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] [614AADA9] C:\PROGRA~1\Yahoo!\Messenger\yui.dll
IAT C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe[1960] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [614AA7A3] C:\PROGRA~1\Yahoo!\Messenger\yui.dll

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Sysadmin\Local Settings\temp\Perflib_Perfdata_7a8.dat 16384 bytes
